On 24 November 2025, privatim, the conference of Swiss data protection officers, published a “Resolution on the outsourcing of data processing to the cloud”. privatim has already commented repeatedly on the topic of the cloud.
The motivation is probably to be found in the developments of recent months, particularly in the cantons of Lucerne, Basel-Stadt and Zurich. That the independent data protection officers are now expressing their views on the topic via privatim may therefore also be due to political pressure (the recent US deal with Switzerland and its data-related content may also have played a role). It is noteworthy, however, that the canton of Glarus, for reasons as yet unknown, does not support the resolution.
In terms of content, privatim’s strict stance is probably influenced by Zurich (the Zurich data protection officer is also the contact person for queries). However, there are some comments to be made:
- Scope of application and de facto prohibition: The resolution apparently tries not to sound too apodictic, but it is very absolute on the matter and almost seems to want to establish a Lex Microsoft; in any case, M365 is the only technology or offering mentioned by name. In fact, however, the resolution affects every SaaS offering in which a foreign provider could potentially gain knowledge of the data. The resolution does not explicitly state that the use of the cloud by cantonal bodies is prohibited. On the contrary, it confirms that the use of the cloud is generally permitted by law. For particularly sensitive personal data or special official secrets, however, it requires that the relevant data be encrypted by the institution itself and that the provider have no access to the key. A SaaS service that has to process the data in plaintext (indexing a mailbox, rendering a document, running a query) cannot do so without the key, so this amounts to a ban on SaaS solutions for such data.
- Making the need for protection absolute: It cannot be said that particularly sensitive personal data is particularly at risk in the cloud. US intelligence services are more likely to be interested in payment or telecommunications data, for example, than in health data. The resolution also ignores the fact that the Federal Council deliberately recognises the level of protection provided by US companies certified under the “Swiss-US Data Privacy Framework” as adequate.
- Lack of legal justification: The resolution does not justify its statements. It argues in a circle (petitio principii) when it claims that the outsourcing body can only “mitigate the severity of potential infringements”; the prior question is whether there is an infringement at all. In addition, it would have to be asked whether control and data security with a hyperscaler, despite theoretically possible access by foreign authorities, should not be rated higher than with realistic alternatives, with all the weaknesses those may have. The result of such a realistic net assessment of both sides would then have to be examined for its legal admissibility. This question cannot be brushed aside with a reference to possible access by US authorities. Fundamental rights have a core content that radiates into the application of the law. Outside that core, compromises are unavoidable and permissible, and this also applies in the context of administrative management. Interference outside the core content is excluded in principle only if an equivalent alternative is available without such interference.
- Involvement of auxiliary persons: Even in the case of official secrets, the involvement of auxiliary persons is not prohibited in principle. The fact that not all questions have been settled does not mean that there is “considerable legal uncertainty”. The position of the Zurich authority, reflected in the resolution, that a large provider cannot be engaged as an auxiliary person is also poorly substantiated. It may be a remote effect of the misguided, historically conditioned provision of § 3 para. 1 of the Zurich law on the outsourcing of IT services. And it can hardly be claimed that the growing number of cantonal employees are so much better at keeping secrets than the employees of hyperscalers.
A per se ban on solutions with a foreign connection for certain data would be a political decision. Such a ban would be a matter for the legislator; the acceptance of certain risks, by contrast, is not, since such risks are unavoidable even with domestic solutions and are accepted to a certain extent as a matter of course.