Laux Lawyers: Expert opinion on cloud usage by the city of Zurich

The service department “Organization and Information Technology of the City of Zurich” (OIZ) is the IT provider for the organizational units of the City of Zurich. As such, the OIZ has commissioned an expert opinion on the “Legality of Public Cloud Services” from Laux Lawyers. The expert opinion is dated September 16, 2021 and was published on August 28, 2022 (cf. here).

General

The comprehensive report is divided into

  • conceptual and legal foundations;
  • application of the fundamentals to selected access scenarios;
  • answers to the expert opinion questions and recommendations;
  • attachments.

It also contains “fact sheets” with elaborations of some points following the actual report.

The expert opinion questions were the following:

1. May an organizational unit of the City of Zurich use public cloud services?
2. Does this also apply to information requiring special protection (confidential or strictly confidential information)?
3. Does the analysis change depending on the jurisdiction to which the cloud provider or one of its group companies is subject (based abroad, namely in the USA)?
4. Does the analysis change depending on where the data stored in the public cloud services is held (data at rest) (data location in Switzerland or abroad, namely in the USA)?
5. Does the analysis change depending on whether people from abroad (namely from the USA) can access the data stored in the public cloud services?

The questions are to be assessed in each case under the aspects of official secrecy as well as personal data; the analysis is based on the Criminal Code, general considerations of municipal or cantonal administrative law as well as on the applicable data protection law.

Excluded from the expert opinion is

the examination of the factual situation of individual cloud offers of the various commercial cloud providers, i.e. an examination of the concrete design and appropriateness of contractual, organizational and technical protection measures in the light of the requirements for data security and information protection.

Also excluded is the question of how to deal with the Schrems II issue and thus also the question of what significance FISA has. In the case of U.S. law, the expert opinion is accordingly limited to the examination under the CLOUD Act or the Stored Communications Act.

As a result, the expert opinion confirms that outsourcing is not inadmissible if it is done correctly.

We provide an overview of the main statements below, although the following comments do not follow the structure of the report.

Permissibility of cloud use as such

Why may a cloud – also in Switzerland – be used at all? The authors recall general principles of constitutional law (Art. 5 BV – principle of legality, principle of proportionality, acting in the public interest) and then state that the principle of proportionality gives rise to

the obligation of the authority to select mature and secure cloud solutions

and

Secondly, the legality of cloud use under administrative law is derived directly from a technically mature solution. If the authority complies with proportionality, then the authority’s activity is permitted – this is the direct derivation from Art. 5 para. 2

We agree with the result, even if proportionality is not a legal basis but a barrier.

The starting point for further analysis is the concept of disclosure. Before going into this, it is noted up front that the protection of secrets is called “perimeter protection”. The cloud infrastructure could also be part of the user’s perimeter, provided it protects the information stored there. Both are correct and in principle not disputed.

“Involvement” of the provider as an auxiliary person

A first question is whether official secrecy within the meaning of Art. 320 StGB permits disclosure to an auxiliary person at all. This is factually undisputed, even if Art. 320 StGB does not yet name the auxiliary person (on the revision, see here) and the Federal Council, among others, has or had a different opinion. However, the expert opinion requires that the auxiliary person be involved as such, i.e. be subordinated. This is to be agreed with. The comment is also correct that a confirmation by the provider that it has knowledge of the secret nature of the data is only recommended and not legally required.

However:

If, on the other hand, the city of Zurich wants to use cloud solutions, for whose operation even in normal operation usually a plain text access by employees of the cloud provider is necessary, then the city of Zurich must inform the cloud provider and (by overriding the confidentiality obligations of the cloud provider and pointing out the criminal liability) involve their employees as auxiliaries in their perimeter.

It is not entirely clear here whether and, if so, how the employees of the cloud provider itself would also have to be involved as auxiliary persons, but the authors are probably to be understood as meaning that the involvement of the employees – if necessary – takes place by binding the cloud provider to secrecy obligations and pointing out to the latter that certain disclosures are punishable. This would also be the correct conclusion, apart from the fact that the reference to punishability is hardly legally binding. There would also be no legal basis for a “data protection undertaking” by the employees, except perhaps in § 3 of the Zurich law on the outsourcing of IT services, as far as this law applies to the city of Zurich at all – but this part of § 3 is a historical accident from the time of privatization of IT funds of the canton.

“Disclosure” to the cloud provider itself

Back to the concept of disclosure, which, according to the Federal Court, is completed only when knowledge is actually obtained and not when it is merely made possible (but cf. here). On transmission to the cloud provider, the authors take the following position:

[…] the Federal Court specified that the knowledge by the unauthorized third party […] was required for the completion of the act. Experience shows that technical-organizational strategies to protect against plaintext access are possible when using mature cloud offerings […]. With these, there are no plain-text accesses during normal operation. So there is no disclosure. […] Criminal liability under Art. 320 item 1 StGB is thus excluded.

The expert opinion defines normal operation as follows:

Normal operation means that the cloud offering is operated by the provider as planned. This is in contrast to extraordinary situations which cannot be attributed to normal operation (e.g. bankruptcy of the provider, access to the cloud offering by authorities, access to the cloud offering by criminals).

However, the opinion does not explain to what extent this “normal operation” is relevant. The objective element of a breach of official secrecy is in any case completed when an unauthorized person obtains knowledge. Whether this occurs in normal operation or outside it is irrelevant to the concept of disclosure as such. Normal operation may, however, have the following significance:

  • one can argue that the intent to keep a secret generally extends only to disclosures that can reasonably be expected. From this point of view, a disclosure outside the normal course of business would therefore not be objectively punishable, because the intent to keep a secret does not extend that far and consequently no secret can be violated. However, this would be convincing only for private secrets, i.e., in the case of official secrets, for secrets in which ultimately only the private person communicating with the state has an interest. This would not apply to state secrets, or at least not without an analysis of the need for protection;
  • one can argue that (contingent) intent can relate only to normal operation, because an authority may assume that knowledge by an unauthorized person outside normal operation is so unlikely that it no longer has to expect it (this is where the boundary between contingent intent and deliberate negligence runs). Normal operation would then be a different term for foreseeable operation;
  • under the US CLOUD Act, the question is, among other things, whether an entity subject to U.S. jurisdiction has “custody, possession or control” of the data to be disclosed, and here “normal operations” – depending on what is understood by this – may play a role.

In the chapter on the concept of disclosure, the authors then go on to discuss causality, because storage in a cloud could constitute a punishable attempt at disclosure to employees of the cloud provider. If such employees obtain knowledge of plaintext data, there could be disclosure, but storage in the cloud is not yet an attempt because this storage would not be adequately causal for subsequent prohibited knowledge. However, this could also be regarded as a question of the subjective elements of the offense, since adequacy is linked to – albeit abstracted – foreseeability. Either way, however, it is correct in the result that punishment on the grounds of attempt is fundamentally out of the question.

The authors then go on to examine whether, in the case of plaintext access by employees of the provider, a punishable disclosure by omission could be present. They also deny this where the provider’s customer, the city of Zurich, has taken sufficient security measures against such access. This is correct, although hardly a question of omission (if security measures were missing, disclosure would be committed by the active act of outsourcing).

In any case, we agree with the result. It is now well recognized that the storage of official secrets in a cloud does not in principle constitute a criminal disclosure to the provider.

Access by (especially foreign) authorities

The most interesting point is the access by foreign authorities and here the handling of the notorious US CLOUD Act. The report first discusses access by Swiss authorities and then by foreign authorities. In the case of Switzerland, the discussion is brief: If Swiss authorities access data within the framework of Swiss law, they may do so. Whether they do this with the city itself or with an auxiliary person is irrelevant. If authorities abroad access data, it is a different matter, because the foreign law is foreign and therefore does not permit disclosure, subject to administrative and legal assistance.

“Guarantee responsibility” (only) of the Confederation?

In this context, the expert opinion discusses the US CLOUD Act with interesting considerations. The starting point of these considerations is the “guarantee responsibility” that the Confederation has, according to Art. 29a BV (legal process guarantee). This guarantee is not violated if

in the event of any plain-text access to information abroad, a level of protection applies in the procedure there that is equivalent to that in Switzerland.

In addition, it could

must also be properly implemented if the release of evidence located abroad is delegated to private parties – namely cloud providers with their registered office or headquarters in the USA.

This is probably to be understood as meaning that Switzerland – in addition to the question of official secrecy – must also ensure that its citizens are handed over only to foreign law that does not trample on their fundamental rights. If the CLOUD Act did trample on them, not only would official secrecy be violated, but also the federal constitution. However, the U.S. has a “judicial system with a centuries-old tradition”, “which historically has also served as a model for Switzerland”. Therefore, it could hardly be assumed that the CLOUD Act precludes disclosure under the title of legal process guarantee (this is plausible in the result, especially since the CLOUD Act or the Stored Communications Act is not one of the legal bases to which the ECJ in Schrems II attested rule-of-law deficiencies).

The decisive argument, however, was more of a formal one: the decisive factor was indeed the guarantee of legal recourse, but this was the problem of the federal government and not of the city of Zurich.

The issue […] is therefore whether the city of Zurich thwarts the guarantee responsibility of the Confederation […] when it uses a cloud offering with such a foreign connection. The indication that this is an issue facing the Confederation again suggests the following question: Is it up to the city of Zurich to solve the problem of the Confederation? To ask the question is to answer it: No. It is only a question of whether the city of Zurich is thwarting the guarantee responsibility of the Confederation in a way that violates the law. This can be answered in the negative […]; because the result will always be a direct involvement of the City of Zurich authorities if a case of application under the CLOUD Act should arise. In such a case, the City of Zurich can ensure that the Swiss Confederation can exercise its guarantee responsibility. In any case, the City of Zurich will ensure through appropriate action that it can avert criminal liability under Art. 271 StGB in the event of a request directed to it. A violation of the law can thus be systematically excluded.

It remains unclear here, for example, whether Art. 29a BV as an institutional guarantee of effective access to the courts can stand in the way of a public body disclosing data abroad if there are deficits in legal protection there. If this is the case, however, this would also have to apply to cantonal authorities (apart from the fact that the Cantonal Constitution of Zurich also contains a guarantee of legal recourse). However, the expert opinion deliberately does not go into these questions in depth, but they might have to be included in the case of legal systems other than the US.

Derived sovereignty of the provider?

In the context of the risk of access by authorities, the further question arises of how and on what basis the City of Zurich would be involved in a case of application under the CLOUD Act. In any event, the CLOUD Act, or rather the Stored Communications Act, does not expressly provide for this (§ 2703(b)(1) of the Stored Communications Act).

The authors first point to a manual of the US authorities which deals with the search and seizure of electronic data in criminal investigations. They place a great deal of trust in the manual. For example, the manual says, “special procedures designed to uphold those users’ privacy interests may be appropriate,” and “agents might inform the magistrate judge in the search warrant affidavit that they will take steps to ensure the confidentiality of the accounts” – from which the opinion concludes that an officer who asked the court for a warrant “must” indicate how they would handle secrets of a third party, or that the manual “instructs” officials accordingly. This is a sympathetic reading. However, the following remarks are also interesting on how US law deals with the fact that the data to be released by a provider subject to US jurisdiction is subject to official secrecy.

The authors reach the following conclusions here:

Although the challenged cloud providers themselves do not enjoy their own claim to sovereign immunity, it is reasonable to assume that cloud providers, in response to requests for information from U.S. law enforcement agencies under the CLOUD Act, can in fact assert a derived sovereign immunity (derived from their cloud customer, which is an agency of a foreign sovereign state). In the past, U.S. courts have recognized the protection of such derived sovereign immunity for private U.S. companies acting on the instructions of foreign governments. Such derived sovereign immunity is to be assumed from the point of view of the cloud provider where the use of the cloud services by the foreign government or its authority occurs in the context of the execution of sovereign or administrative tasks, i.e. also wherever information covered by official secrecy is processed or stored in the cloud services.

These conclusions are based on several sources and judgments of U.S. courts.

Back to Art. 320 StGB

The starting point, however, remains Art. 320 StGB (general official secrecy; and also Art. 273 StGB, which the authors – rightly – treat in the same way). The question is therefore whether official secrecy can be violated if a U.S. authority accesses customer data without administrative or legal assistance under its own law.

If one assumes that official secrecy protects both private secrets and genuine state secrets, one would have to ask how far the protection of secrets extends in each case. In the case of private secrets, the legitimate expectation of secrecy on the part of private individuals must be taken as a basis. Here, the obvious question is whether persons in Switzerland, in their dealings with authorities, should not be able to expect that their data will not fall into foreign hands. If one answers this question in the affirmative, one must further ask what protection is justifiably expected. The obvious and, in my opinion, correct answer is: a reasonable one, not an absolute one. Then you’re back to the risk assessment, which the expert opinion also requires.

The comments on the provider’s defense that the data is subject to foreign official secrecy are noteworthy here, as they actually reduce the risk of disclosure to foreign authorities. We also agree with the expert opinion’s statement that it is very unlikely that US authorities will access data from the City of Zurich.

On the effect of the consent of the superior authority

The city of Zurich apparently feels the need, for safety’s sake, to make use of the “written consent of the superior authority” to the disclosure provided for in Art. 320 item 2 StGB. In this context, the expert opinion discusses the effect of this consent or authorization (with respect to a real state secret it is a consent, with respect to the co-protected private secrets it is rather a permission), especially how such a consent can be given in advance and how it relates to a permission requirement under cantonal data protection law.
