Laux Lawyers: Expert opinion on cloud usage by the city of Zurich

The service department “Organization and Information Technology of the City of Zurich” (OIZ) is the IT provider for the organizational units of the City of Zurich. As such, the OIZ has commissioned an expert opinion on the “Legality of Public Cloud Services” from Laux Lawyers. The expert opinion is dated September 16, 2021 and was published on August 28, 2022 (cf. here).

General

The comprehensive report is divided into

conceptual and legal foundations;
Apply the fundamentals to selected access scenarios;
Respond to reviewer questions and recommendations;
Attachments.

It also contains “fact sheets” with elaborations of some points following the actual report.

The Expert opinion questions were the following:

1. May an organizational unit of the City of Zurich use public cloud services?
2. does this also apply to information requiring special protection (confidential or strictly confidential information)?
3. does the analysis change depending on the jurisdiction to which the cloud provider or one of its group companies is subject (based abroad, namely in the USA)?
4. does the analysis change depending on where the data stored in the public cloud services is held (data at rest) (data location in Switzerland or abroad, namely in the USA?
5. does the analysis change depending on whether people from abroad (namely from the USA) can access the data stored in the public cloud services?

The questions are to be assessed in each case under the aspects of official secrecy as well as personal data; the analysis is based on the Criminal Code, general considerations of municipal or cantonal administrative law as well as on the applicable data protection law.

From Expert opinion excluded is

the examination of the factual situation of individual cloud offers of the various commercial cloud providers, i.e. an examination of the concrete design and appropriateness of contractual, organizational and technical protection measures in the light of the requirements for data security and information protection.

Also excluded is the question of how to deal with the Schrems II issue and thus also the question of what significance FISA has. In the case of U.S. law, the expert opinion is accordingly limited to the examination under the CLOUD Act or the Stored Communications Act.

As a result, the expert opinion confirms that outsourcing is not inadmissible if it is done correctly.

We provide an overview of the main statements below, although the following comments do not follow the structure of the report.

Permissibility of cloud use as such

Why may a cloud – also in Switzerland – be used at all? The authors recall general principles of constitutional law (Art. 5 BV – principle of legality, principle of proportionality, acting in the public interest) and then state that from the principle of proportionality derives

the obligation of the authority to select mature and secure cloud solutions from

and

Secondly, it is derived from a technically mature solution directly the administrative law legality of the cloud use. If the authority complies with proportionality, then the authority activity is permitted – this is the direct derivation from Art. 5 para. 2

As a result, we agree, even if proportionality is not a legal basis but a barrier.

The starting point for further analysis is the concept of disclosure. Before going into this, it is prefaced that protection of secrets “Perimeter protection“is called. The cloud infrastructure could also be part of the user’s perimeter, provided it protects the information stored there. Both are correct and in principle not disputed.

“Involvement” of the provider as an auxiliary person

A first question is whether the Official Secrets in the sense of Art. 320 StGB permits disclosure to an auxiliary person at all. This is factually undisputed, even if Art. 320 StGB does not yet name the auxiliary person (to the Revision here) and, among others, the Federal Council has or had a different opinion. However, the expert opinion requires that the auxiliary person must be included as such, i.e. subordinated has to be. This is to be agreed with. The comment is also correct that a confirmation by the provider that it has been informed by the Secret nature of the data Knowledge, is only recommended and not legally required.

However:

If, on the other hand, the city of Zurich wants to use cloud solutions, for whose operation even in normal operation usually a plain text access by employees of the cloud provider is necessary, then the city of Zurich must inform the cloud provider and (by overriding the confidentiality obligations of the cloud provider and pointing out the criminal liability). their employees involve as auxiliaries in their perimeter.

It is not entirely clear here whether and, if so, how the employees of the cloud provider itself would also have to be involved as auxiliary persons, but the authors are probably to be understood as meaning that the involvement of the employees – if necessary – takes place by binding the cloud provider to secrecy obligations and pointing out to the latter that certain disclosures are punishable. This would also be the correct conclusion, apart from the fact that the reference to the punishability is hardly legally binding. There would also be no legal basis for a “data protection lapel” of the employees, except perhaps in § 3 of the Zurich law on the outsourcing of IT services, as far as this law applies to the city of Zurich at all – but this part of § 3 is a historical accident from the time of privatization of IT funds of the canton.

“Disclosure” to the cloud provider itself.

Back to the concept of revelation, which, after all, according to the Federal Court is only completed by taking note of it and not enabling it (cf. but here). Here, the authors represent the following with regard to the transmission to the cloud provider:

[…] the Federal Court specified that the knowledge by the unauthorized third party […] was required for the completion of the act. Experience shows that technical-organizational strategies to protect against plaintext access are possible when using mature cloud offerings […]. With such there are no plain-text accesses during normal operation. So there is no disclosure. […] Criminal liability under Art. 320 item 1 StGB is thus excluded.

The expert opinion defines normal operation as follows:

Normal operation means that the cloud offering is operated by the provider as planned. This is in contrast to extraordinary situations which cannot be attributed to normal operation (e.g. bankruptcy of the provider, access to the cloud offering by authorities, access to the cloud offering by criminals).

However, there is no justification as to what extent this “normal operation” is relevant. The objective element of a breach of official secrecy is in any case completed when an unauthorized person obtains knowledge. Whether this occurs in normal operation or outside is irrelevant to the concept of disclosure as such. The Normal operation but may have the following meaning:

one can represent that the Secret will generally only refers to a disclosure that can reasonably be expected. From this point of view, a disclosure outside the normal course of business would therefore not be objectively punishable, because the intent to keep a secret does not extend that far and consequently no secret can be violated. However, this would only be convincing for private secrets, i.e. in the case of official secrets, for secrets in which ultimately only the private person communicating with the state has an interest. This would not apply to state secrets, or at least not without an analysis of the need for protection;
one can represent that the (contingent) intent can only refer to normal operationbecause an authority may assume that knowledge by an unauthorized person outside normal operation is so unlikely that it no longer has to expect it (this is where the boundary between contingent intent and deliberate negligence runs). Then normal operation would be a different terminology for foreseeable operation;
at US CLOUD Act The question is, among other things, whether an entity subject to U.S. jurisdiction has “custody, possession or control” of the data to be disclosed, and here “normal operations” – depending on what is understood by this – may play a role.

In the chapter on the concept of revelation, the authors then go on to discuss the Causality because storage in a cloud could constitute a punishable attempt at disclosure to employees of the cloud provider. In the case of knowledge of plaintext data by such employees, there could be disclosure, but storage in the cloud is not yet an attempt because this storage would not be adequately causal for subsequent proscribed knowledge. However, this could also be regarded as a question of the subjective elements of the offense, since the adequacy is linked to the – albeit abstracted – foreseeability. As a result, however, it is correct either way that punishment on the grounds of attempt is fundamentally out of the question.

The authors then go on to examine whether, in the case of plaintext access by employees of the provider, a punishable Disclosure by omission could be present. They also deny this in the case that the provider’s customer, the city of Zurich, has taken sufficient security measures against such access. This is correct, although hardly a question of omission (if security measures were missing, disclosure would be committed by the active action of outsourcing).

In any case, we agree with the result. It is now well recognized that the storage of official secrets in a cloud does not in principle constitute a criminal disclosure to the provider.

Access by (especially foreign) authorities

The most interesting point is the access by foreign authorities and here the handling of the notorious US CLOUD Act. The report first discusses access by Swiss authorities and then by foreign authorities. In the case of Switzerland, the discussion is brief: If Swiss authorities access data within the framework of Swiss law, they may do so. Whether they do this with the city itself or with an auxiliary person is irrelevant. If authorities abroad access data, it is a different matter, because the foreign law is foreign and therefore does not permit disclosure, subject to administrative and legal assistance.

“Guarantee responsibility” (only) of the Confederation?

In this context, the expert opinion discusses the US CLOUD Act with interesting considerations. The starting point of these considerations is the “guarantee responsibility” that the Confederation has, according to Art. 29a BV (legal process guarantee). This guarantee is not violated if

in the event of any plain-text access to information abroad, a level of protection applies in the procedure there that is equivalent to that in Switzerland.

In addition, it could

must also be properly implemented if the release of evidence located abroad is delegated to private parties – namely cloud providers with their registered office or headquarters in the USA.

This is probably to be understood as meaning that Switzerland – in addition to the question of official secrecy – must also ensure that its citizens are not handed over to foreign law that does not trample on their fundamental rights. If this were the case due to the CLOUD Act, not only would official secrecy be violated, but also the federal constitution. However, the U.S. has a “judicial system with a centuries-old tradition”, “which historically has also served as a model for Switzerland”. Therefore, it could hardly be assumed that the CLOUD Act precludes disclosure under the title of legal process guarantee (this is plausible in the result, especially since the CLOUD Act or the Stored Communication Act is not one of the legal bases to which the ECJ in Schrems II has certified that the rule of law is flawed).

The decisive argument, however, was more of a formal one: the decisive factor was indeed the Guarantee of legal recourse, but this was the problem of the federal government and not of the city of Zurich.

The issue […] is therefore whether the city of Zurich thwarts the guarantee responsibility of the Confederation […] when it uses a cloud offering with such a foreign connection. The indication that this is an issue facing the Confederation again suggests the following question: Is it up to the city of Zurich to solve the problem of the Confederation? To ask the question is to answer it: No. It is only a question of whether the city of Zurich is thwarting the guarantee responsibility of the Confederation in a way that violates the law. This can be answered in the negative […]; because the result will always be a direct involvement of the City of Zurich authorities if a case of application under the CLOUD Act should arise. In such a case, the City of Zurich can ensure that the Swiss Confederation can exercise its guarantee responsibility. In any case, the City of Zurich will ensure through appropriate action that it can avert criminal liability under Art. 271 StGB in the event of a request directed to it. A violation of the law can thus be systematically excluded.

It remains unclear here, for example, whether Art. 29a BV as an institutional guarantee of effective access to the courts can stand in the way of a public body disclosing data abroad if there are deficits in legal protection there. If this is the case, however, this would also have to apply to cantonal authorities (apart from the fact that the Cantonal Constitution of Zurich also contains a guarantee of legal recourse). However, the expert opinion deliberately does not go into these questions in depth, but they might have to be included in the case of legal systems other than the US.

Derived sovereignty of the provider?

In the context of the risk of access by authorities, the question further arises, How and based on what the City of Zurich would be included in a CLOUD Act use case.. In any event, the CLOUD Act, or rather the Stored Communications Act, does not expressly provide for this (§ 2703(b)(1) of the Stored Communications Act).

The authors first point to a Manual of the US authorities which deals with the search and seizure of electronic data in criminal investigations. They place a great deal of trust in the manual. For example, the manual says, “special procedures designed to uphold those users’ privacy interests may be appropriate,” and “agents might inform the magistrate judge in the search warrant affidavit that they will take steps to ensure the confidentiality of the accounts” – from which the opinion concludes, an officer who asked the court for a warrant must” indicate how it would handle secrets of a third party, or the manual “instructs officials accordingly. This is a sympathetic reading. However, it is also interesting to note the following references to the Dealing with US law with the fact that The data to be released by a provider subject to US jurisdiction is subject to official secrecy. are subject to.

The authors reach the following conclusions here:

Although the challenged cloud providers themselves do not enjoy their own claim to sovereign immunity, it is reasonable to assume that cloud providers, in response to requests for information from U.S. law enforcement agencies under the CLOUD Act, will in fact receive (from their cloud customer, which is an agency of a foreign sovereign state) a assert derived sovereign immunity can. In the past, U.S. courts have recognized the protection of such derived sovereign immunity for private U.S. companies acting on the instructions of foreign governments. Such derived sovereign immunity is to be assumed from the point of view of the cloud provider where the use of the cloud services by the foreign government or its authority occurs in the context of the execution of sovereign or administrative tasks, i.e. also in the context of the use of the cloud services by the foreign government or its authority. wherever information covered by official secrecy is processed or stored in the cloud services be

These conclusions are based on several sources and judgments of U.S. courts.

Back to Art. 320 StGB

The starting point, however, remains Art. 320 StGB (general official secrecy; and also Art. 273 StGB, which the authors – rightly – treat in the same way). The question is therefore whether official secrecy can be violated if a U.S. authority accesses customer data without administrative or legal assistance under its own law.

If one assumes that official secrecy protects both private secrets and genuine state secrets, one would have to ask how far the protection of secrets extends in each case. In the case of private secrets, the legitimate expectation of secrecy on the part of private individuals must be taken as a basis. Here, the obvious question is whether persons in Switzerland, in their dealings with authorities should not expect that their data will not fall into foreign hands. If one answers this question in the affirmative, one must ask further, What protection is justifiably expected. The obvious and, in my opinion, correct answer is: a reasonable, not an absolute. Then you’re back to the risk assessment, which the expert opinion also requires.

The comments on the provider’s defense that the data is subject to foreign official secrecy are noteworthy here, as they actually reduce the risk of disclosure to foreign authorities. We also agree with the expert opinion’s statement that it is very unlikely that US authorities will access data from the City of Zurich.

On the effect of the consent of the superior authority

The city of Zurich apparently feels the need, for safety’s sake, to use the in Art. 320 item 2 StGB provided for “written consent of the superior authority”. into the disclosure. In this context, the expert opinion discusses the Effect of this consent or authorization (with respect to a real state secret it is a consent, with respect to the co-protected private secrets it is rather a permission), especially how such a consent can be given in advance and what is its relation to a cantonal data protection law permission requirement.