- The law creates a legal basis for basic digital services such as electronic identification, central web access and the digital workplace (DAP).
- §17 regulates cloud use: servers in CH/EU; strict encryption and key sovereignty for sensitive data; risk-based measures for other data.
The canton of Zurich is submitting a new “Law on basic digital services” for consultation. Documents (website of the Canton of Zurich, search for “Basic services”):
- Communication dated February 13, 2024
- Preliminary draft with explanatory report
- Preliminary draft
- Cover letter
- RRB on the opening of the consultation of February 7, 2024
The new law is intended to regulate the following points, among others:
- electronic identification using the federal government's authentication service (AGOV under the EMBAG; the Canton of Zurich was a pilot partner), partly because the canton only had limited powers to create a cantonal E‑ID, which was being considered at the time;
- central web access to services offered electronically by public bodies (“Zürikonto”);
- use of the digital workplace (DAP) as a basic service internal to the administration, including cloud-based applications such as Microsoft 365;
- basic services for interoperability, i.e. the interaction of the systems of various bodies within the canton and in cooperation with bodies of other cantons and the Confederation;
- the further development of basic digital services.
The law will be supplemented by ordinances issued by the Government Council. – The Act does not cover topics such as e‑participation or e‑voting, nor does it cover egovpartner, a cooperative organization of the canton and the municipalities (see here). Specialist laws are also not adapted within this framework.
Use of cloud-based services
§ 17 of the Act
Of interest is how the draft law deals with the topic of the cloud. A provision is to be created that generally requires storage in Switzerland or the EU and, with regard to encryption requirements, differentiates between special personal data and confidential or secret data on the one hand and other personal data and information on the other:
§ 17 (1) The public body may delegate the processing of information in digital workplace applications to providers of cloud-based IT services if their data centers are located in Switzerland or the European Union and if:
- a. the public body discloses special personal data and confidential information or information subject to secrecy to the cloud provider in a form that is effectively encrypted vis-à-vis the cloud provider as well, so that the cloud provider cannot access it without the involvement of the public body, and
- b. the public body protects the other information by all reasonable organizational, technical and contractual measures and the remaining risk of disclosure is justifiable, in particular in view of the importance of the information, the purpose and manner of its processing and the fundamental rights of the data subjects.
(2) In all other respects, the provisions of the Information and Data Protection Act apply.
General explanations
The general explanations (“Preliminary remarks”) contain nothing new per se (emphasis added):
As part of its strategy on information and communication technologies (ICT strategy, cf. RRB no. 383/2018), the cantonal government has decided to equip the cantonal administration with a new digital workplace (DAP). […]
In order to fulfill their tasks and provide services, the employees of public bodies are dependent on modern digital work tools. […] software applications such as the applications of Microsoft 365 (Word, Excel, PowerPoint, Outlook, Teams, OneDrive, etc.; hereinafter M365). The DAP does not include specialist applications (e.g. software for business administration). […]
Today, the use of cloud-based applications is regulated by the IDG, the IDV, the IVSV and, for cantonal bodies, also by the Act on the Outsourcing of IT Services of August 23, 1991 (LS 172.71). […] In this constellation, the public body may only disclose personal data in accordance with the provisions of the E‑IDG pursuant to bill 5923 if (a) a legal basis permits this and this serves to protect the interests of the data subject or overriding public interests, (b) adequate protection for data processing is guaranteed in the recipient state or (c) the public body has agreed appropriate security precautions with the recipients.
The extensive outsourcing of state data to a cloud infrastructure operated and controlled by a foreign cloud provider raises various legal issues, many of which are still unresolved:
- On the one hand, outsourcing raises questions of the protection of fundamental rights, because outsourcing to the cloud can represent a serious encroachment on the constitutional protection of privacy (Art. 13 para. 2 BV). Outsourcing is associated with a loss of control over the cloud provider because the traceability of data processing and the enforcement of control rights of the data subjects are made more difficult. It also results in a loss of control vis-à-vis foreign authorities if they can oblige the cloud provider to hand over data stored in the cloud due to the foreign legal situation (see e.g. the US CLOUD Act or the Stored Communications Act [so-called lawful access]). This problem exists regardless of the probability of data access by foreign authorities and the location of the servers.
- On the other hand, it is important to comply with data protection regulations, the requirements for protecting the information security of the respective organizational unit and official secrecy (Art. 320 Swiss Criminal Code, SR 311.0), and to protect sensitive information by means of special measures (Art. 7 IDA).
In the canton of Zurich, the use of M365 for the DAP in the cantonal administration is planned in principle (RRB No. 542/2022, Dispositiv I). The decision applies to all organizational units subject to the ICT strategy as well as to the cantonal police. The directorates and the State Chancellery are instructed to assess whether organization-specific regulations are necessary and to issue such regulations if required (RRB No. 542/2022, Dispositiv III). On January 27, 2023, the Directorate of Finance issued the General Usage Policy Microsoft 365 for the cantonal administration. This specifies the principles and rules of data processing in the DAP.
For the municipalities, there are no corresponding cantonal regulations yet. The Confederation, other cantons and municipalities outside the canton handle the use of cloud services, in particular M365, differently. No uniform opinion has yet emerged in the doctrine. An expert opinion commissioned by the cooperation organization egovpartner and issued on 6 July 2023 confirms the approach taken by the cantonal administration in the Microsoft 365 General Usage Guidelines for the municipalities of Zurich as well. At the same time, the expert opinion recommends anchoring the provisions on data processing using M365 in legal form (Markus Schefer/Philipp Glass, Expert opinion on the use of M365 by the municipalities in the Canton of Zurich in conformity with fundamental rights, July 6, 2023, for the attention of egovpartner).
Based on the above legal considerations and the feedback received on this legislative proposal, § 17 of the Digital Basic Services Act is intended to create a legal basis for cloud-based applications used within the framework of the DAP. The provision does not cover cloud-based services that are used outside the DAP (e.g. as part of specialist applications) or local applications (e.g. Office 365 apps such as Word, provided they are used locally). The provision of § 17 of the VE Act on Basic Digital Services also covers the processing of personal data and information originating from a specialist application within the framework of the cloud-based applications of the DAP. For example, employees of public bodies may use a cloud-based email service to communicate with each other and process personal data and information from specialist applications such as the business administration software. § 17 of the Digital Basic Services Act imposes different encryption requirements for different categories of personal data and information.
The provision on the DAP is aimed at public bodies that wish to use cloud-based applications as part of the DAP. Whether and to what extent they wish to use cloud services lies within their organizational autonomy; it is perfectly permissible for a public body to refrain from processing specific personal data in the cloud, for example.
Individual explanations
In addition to these general explanations, the draft contains the following individual explanations on the proposed Section 17:
Re para. 1 in general:
§ 17 para. 1 of the VE Act on Basic Digital Services forms the legal basis for a public body that wishes to use cloud-based applications as part of the DAP to transfer the processing of information to the cloud provider for cloud-based processing. The provision specifies and supplements the requirements in Section 6 IDG and Section 9 E‑IDG with regard to cloud-based applications of the DAP.
First of all, § 17 para. 1 of the Digital Basic Services Act generally requires that the servers be located on the territory of Switzerland or the European Union. Access to the data by a third country is therefore not excluded. However, at least a physical seizure of the servers in circumvention of mutual legal assistance can be prevented.
The provision then makes a distinction between (1) special personal data and confidential information and information subject to secrecy (§ 17 para. 1 lit. a VE Act on Basic Digital Services) and (2) information that is classified as “public” or “internal” for business purposes, as well as “normal” (i.e. not special) personal and factual data (§ 17 para. 1 lit. b VE Act on Basic Digital Services):
- Category 1 (lit. a): For category 1 information and personal data, legal provisions prevent the transfer of information processing to a cloud provider per se (Section 6 para. 1 IDG and Section 9 para. 1 E‑IDG; see the explanations on § 17 para. 1 lit. a VE Act on Basic Digital Services). The transmission of such information is only permitted if it is also effectively encrypted vis-à-vis the cloud provider; if key management lies with the cloud provider or the cloud provider has access to the keys in any other way, there is no effective encryption. Because such encryption prevents the cloud provider or a foreign state from gaining knowledge of the data, the transfer to a cloud provider is nevertheless permissible (see also Dominika Blonski, Cloud – alles Risiko? Legal requirements for outsourcing data processing to the cloud, SJZ 2023, p. 993 ff., 997).
- Category 2 (lit. b): Category 2 information and personal data, on the other hand, should in principle be permitted to be transferred to a cloud provider. Such information should also be encrypted; however, less stringent requirements are sufficient insofar as the encryption need not also be effective vis-à-vis the cloud provider, and key management by the cloud provider (and thus also unilateral access by the cloud provider) may remain possible. However, in accordance with § 17 para. 1 lit. b of the Digital Basic Services Act, the public body must take all reasonable organizational, technical and contractual measures to minimize the risk of disclosure, and the remaining residual risk must appear to be acceptable (cf. the explanations on § 17 para. 1 lit. b of the Digital Basic Services Act). If foreign authorities – e.g. in the USA on the basis of the US CLOUD Act – access these data, a cross-border disclosure takes place within the meaning of Section 19 IDG and Section 36 E‑IDG. § 17 para. 1 of the Draft Act on Basic Digital Services creates the legal basis for such disclosure, which is required pursuant to Section 19 lit. b IDG or Section 36 lit. a E‑IDG if the Convention of January 28, 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data does not apply.
By means of a differentiated regulation, it should be possible to use the aforementioned cloud-based applications in a manner that is as compliant with fundamental rights as possible. The regulation transfers the existing regulation of the General Usage Directive at cantonal level to the level of formal law.
Re para. 1 lit. a:
The processing of special personal data and of information that is confidential or subject to secrecy should always take place using local applications. The following information is covered:
- Special personal data: The term “special personal data” is to be interpreted in the same way as in section 3 para. 4 IDA and section 5 para. 4 E‑IDG. This includes in particular personal data that is protected by special official secrecy. Special personal data includes, for example, information on the use of social welfare benefits (Art. 3 para. 4 lit. a no. 3 E‑IDG). This information is protected by social welfare secrecy (Section 47 of the Social Welfare Act, LS 851.1).
- Confidential information and information subject to confidentiality: The definition includes information that is classified as “confidential” or “secret” for business purposes. It also includes information that is subject to confidentiality on the basis of special (i.e. not merely general) official secrecy or professional secrecy. In some cases, this involves special personal data (e.g. personal data protected by social welfare secrecy [see Art. 3 para. 4 lit. a no. 3 IDA]).
The proposed regulation does not exclude the processing of special personal data and confidential information or information subject to secrecy using cloud-based applications. However, the public bodies must effectively encrypt this information in accordance with the proposed solution. Encryption is effective if it also applies vis-à-vis the cloud provider, which is the case with so-called Double Key Encryption (DKE). Encryption must prevent the cloud provider from gaining knowledge of the information without the involvement of the public body. This should make it impossible to obtain knowledge by circumventing the rules of international mutual legal assistance and without guaranteeing control and procedural rights. It is therefore necessary that key sovereignty remains with the public body and therefore only unilateral access by the public body is possible; the public body may commission a contractor to manage the keys (a so-called Cloud Access Security Broker [CASB]), provided that this is not the cloud provider and it is impossible for the cloud provider or third parties with possible access to the data (in particular a foreign authority) to demand the keys from the contractor. If a cloud provider encrypts the data itself and/or has access to the keys (in the case of Microsoft, for example, the Microsoft Managed Key [MMK]), this is not sufficient for the information specified in § 17 para. 1 lit. a of the Digital Basic Services Act.
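To make the key-sovereignty distinction drawn in the category 1 / category 2 explanations and in the paragraph above concrete, here is an added example in Python. It is not code from the draft, the canton, or Microsoft, and it does not reproduce Microsoft's DKE protocol: it is a simplified model in which a per-document key is wrapped once by the provider's key and once by a key the public body keeps, placed next to the provider-managed-key arrangement the explanations name as insufficient. The function names (`seal`, `mmk_protect`, `dke_protect`, `provider_alone_can_read`), the wrapping order and the sample document are assumptions; the HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for an AEAD such as AES-GCM so that the script runs with the standard library alone.

```python
"""Model of 'effective encryption vis-a-vis the cloud provider' (added illustration).

Two arrangements are compared:
  * provider-managed key (MMK-style): one wrapping key, held by the provider alone
  * double key (DKE-style): the document key is wrapped by the provider's key AND
    by a key the public body retains, so both parties are needed to read
The cipher is an HMAC-SHA256 keystream with an authentication tag; it is a
stdlib stand-in for an AEAD such as AES-GCM (assumption for portability).
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separated subkeys so the keystream PRF and the MAC never share inputs.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong key or a modified blob raises before any plaintext appears."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


# --- Arrangement 1: provider-managed key (the MMK case named in the explanations) ----

def mmk_protect(provider_key: bytes, document: bytes) -> dict:
    dek = secrets.token_bytes(32)  # per-document key, wrapped only by the provider's key
    return {"body": seal(dek, document), "wrapped_dek": seal(provider_key, dek)}


def mmk_unprotect(provider_key: bytes, package: dict) -> bytes:
    return unseal(unseal(provider_key, package["wrapped_dek"]), package["body"])


# --- Arrangement 2: double key (DKE-style; wrapping order is a modelling choice) -----

def dke_protect(authority_key: bytes, provider_key: bytes, document: bytes) -> dict:
    dek = secrets.token_bytes(32)
    inner = seal(provider_key, dek)      # provider's layer
    outer = seal(authority_key, inner)   # public body's (or its CASB's) layer on top
    return {"body": seal(dek, document), "wrapped_dek": outer}


def dke_unprotect(authority_key: bytes, provider_key: bytes, package: dict) -> bytes:
    inner = unseal(authority_key, package["wrapped_dek"])  # needs the public body's key
    dek = unseal(provider_key, inner)                      # then the provider's key
    return unseal(dek, package["body"])


def provider_alone_can_read(provider_key: bytes, package: dict) -> bool:
    """Can a party holding only the provider's key recover the document?
    Models a disclosure demand served on the provider without the public body's involvement."""
    try:
        dek = unseal(provider_key, package["wrapped_dek"])
        unseal(dek, package["body"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample keys and document; not real key material or records.
    provider_key, authority_key = secrets.token_bytes(32), secrets.token_bytes(32)
    doc = b"Sozialhilfedossier 4711 (constructed sample)"
    print("MMK: provider alone can read ->", provider_alone_can_read(provider_key, mmk_protect(provider_key, doc)))
    print("DKE: provider alone can read ->", provider_alone_can_read(provider_key, dke_protect(authority_key, provider_key, doc)))
```

Running the script shows the property the explanations rely on: under the provider-managed arrangement the provider can produce plaintext on its own, whereas under the double-key arrangement a party holding only the provider's key recovers nothing but ciphertext. The CASB variant in the paragraph above corresponds to `authority_key` being held by a contractor who is not the provider; the check stays the same as long as that key never reaches the provider.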
Re para. 1 lit. b:
The processing of information in accordance with § 17 para. 1 lit. b of the Digital Basic Services Act remains permissible without encryption vis-à-vis the cloud provider. This provision applies to all information not covered by § 17 para. 1 lit. a of the VE Act on Basic Digital Services, i.e. “normal” personal data and information that is classified as “public” or “internal” for business purposes and is not subject to special official secrecy or professional secrecy. A risk-based approach applies to this information insofar as the public body, in accordance with § 17 para. 1 lit. b of the Digital Basic Services Act, must take all reasonable organizational, technical and contractual measures to minimize the risk of disclosure and the remaining residual risk must appear acceptable.
As far as the technical, organizational and contractual measures to be taken are concerned, the requirements arise from data protection legislation (in particular § 7 IDG) and internal implementation specifications, which can vary in strictness in individual cases – depending on the sensitivity of the information concerned. From a technical point of view, encryption is sufficient. The common purpose of the corresponding measures is ultimately to ensure that the public body can actually fulfill its responsibility (Section 6 para. 2 IDG and Section 9 para. 2 E‑IDG).
The provision then mentions the residual risk, which must be assessed as part of a risk analysis. In a first step, its probability of occurrence is to be estimated. In a second step, it is assessed whether the residual risk is justifiable or not justifiable. The provision contains a non-exhaustive list of aspects that must be taken into account:
- The provision refers to the importance of the information and thus specifies that the consideration must always be made with a view to the specific information. It can differ for different information, e.g. depending on how sensitive the corresponding information is. It should also be taken into account that the same information can have different sensitivities in different contexts and depending on how it is linked to other information.
- The processing purpose, i.e. the public task for the fulfillment of which the information is processed, and the way in which it is processed must also be taken into account. Relevant to the type and method of processing are, for example, the intensity (number of data records, number of data subjects) and the duration of processing, the storage of data, the use of artificial intelligence technologies, etc.
- The use of cloud services has an impact on the fundamental rights of those persons who are affected by the transferred information or personal data because it is associated with a legal and de facto loss of control. This loss of control is increased if the cloud provider is not only subject to Swiss law. If the cloud provider is subject to foreign regulations (e.g. the US CLOUD Act), there is a risk that a third country may access the information and, under foreign law, there are no or only limited legal remedies against this access compared to Swiss law. It is also more difficult to carry out checks. Transferring the processing of information to a cloud provider therefore leads to legal and de facto restrictions on the right to control the processing and to the risk of data being disclosed abroad.
The use of cloud services, on the other hand, is regularly supported by the aspect of efficiency of task fulfillment. The introduction of cloud-based applications enables a flexible and scalable state-of-the-art work infrastructure. This is also expected to optimize administrative processes and increase cost efficiency. It is also assumed that the use of external cloud services will increase security, because cloud providers take security precautions that exceed the security measures taken by users when using applications locally. Conversely, there is always a risk to information security associated with every transfer. This applies, for example, to the risk of incorrect handling of cloud services by users. The same risk also exists for local use or the use of IT applications as a whole.
Re para. 2:
The VE Act on Basic Digital Services specifies and supplements the provisions on information processing by order (Art. 6 IDG and Art. 9 E‑IDG), on information security (Art. 7 IDG and Art. 10 E‑IDG) and on data protection impact assessments (Art. 10 IDG and Art. 32 E‑IDG). It also forms a legal basis within the meaning of Section 19(b) IDG and Section 36(a) E‑IDG in the case of information pursuant to Section 17(1)(b) of the VE Act on Basic Digital Services. The provisions of the IDG or E‑IDG and the VE Act on Basic Digital Services apply cumulatively, which is clarified by the declaratory reference in § 17 para. 2 of the VE Act on Basic Digital Services.