In implementation of milestone 5 of the Federal Council's Cloud Strategy, the Federal Chancellery has submitted a report on the legal framework for the use of public cloud services in the federal administration. According to current federal "best practice", only non-critical, anonymous and/or public data is processed in public clouds (for example by MeteoSwiss) or, with Switzerland as the data storage location, at most data classified as "internal" (cf. the illustration of cloud use in the federal administration).
The report is intended to help administrative units that obtain services under the "Public Clouds Federation" procurement project with the clarifications that need to be made before using cloud services. For the call for tenders itself, the Federal Chancellery provides templates: a template for a provider-neutral specification sheet (Download) and a sample catalog of criteria (Download).
1. Risks identified in the cloud report
The cloud report first notes (correctly) that the use of conventional "on-premise" models is not without risk either. The risk of cyber attacks or the failure of technical infrastructure, for example, exists equally in an organization's own data center. The decisive factor, irrespective of whether the selected model is "on premise" or "cloud", is that within the legally permissible framework the risks are proportionate to the advantages (e.g. greater efficiency and scalability in the case of the cloud). The cloud report identifies the following risks of cloud use:
- Legal risks, in particular with regard to data protection, (official) secrecy protection, information protection and other special laws;
- Business continuity and disaster recovery risks;
- Dependence on third parties; the risk of vendor lock-in and the use of additional subcontractors is a particular concern;
- Political risks, in particular with regard to changes in the legal environment (section 1.7.4); and
- Reputational risks.
These risks are described in more detail in Appendix C of the report, in some cases combined with suggestions for risk reduction. Appendix D of the report then contains questions that arise for administrative units in connection with "going to the cloud". The focus of the report, however, is on the legal risks, specifically an overview of the (general) legal foundations and barriers in the areas of data protection, official secrecy and information protection. Depending on the administrative unit and the type of data or applications to be outsourced, further special legal requirements may be relevant.
2. Legal risks when "going to the cloud"
2.1 Data protection
The cloud report emphasizes (correctly) that data protection law does not prevent the processing of personal data by third parties on behalf of the administration. However, it must be ensured in particular that
- the cloud provider – and any other subcontracted processors – only process the data as the outsourcing administrative unit is permitted to do;
- an appropriate level of data protection is ensured when personal data is disclosed abroad and, if necessary, the risk of access by foreign authorities is examined in greater detail in this context;
- technical and organizational measures for data security are taken and regulated in detail in a set of processing regulations;
- a data protection impact assessment (as required by the revised Data Protection Act) is carried out prior to cloud use;
- data security breaches are reported by the cloud provider to the outsourcing administrative unit; and
- data subjects can enforce their (data protection) rights.
Disclosure of personal data abroad
With regard to the disclosure of personal data to countries without an adequate level of data protection, the report points out that "consent solutions for systematic data processing are not a suitable solution due to the high corresponding requirements [...]" (section 1.6.1). Instead, according to the report, standard contractual clauses or specific guarantees should be used and supplemented by technical and organizational measures. In practice, the EU standard contractual clauses (adapted to the specifics of Swiss data protection law) are used; the large hyperscalers often provide for them as standard in their contracts (cf. e.g. Microsoft, AWS or Google).
It is to be welcomed that the Federal Chancellery adopts a risk-based approach with regard to the disclosure of data abroad (section 1.7). The risk of access by foreign authorities can hardly be ruled out completely. It is therefore sufficient if residual risks are reduced to an acceptable level. At the same point, however, the report explicitly points out that the FDPIC takes a different view (cf. also our blog post here).
Technical and organizational measures
The cloud report proposes anonymization and pseudonymization, tokenization and data encryption as technical measures to protect personal data. For encryption, key management is the critical point: it must be clarified who manages the keys, whether the key is split between the customer and the provider (double key encryption), and how loss of a key is prevented or recovered from (key recovery, e.g. an escrowed copy of the customer-held key material). As a rule, solutions should be sought in which the cloud provider has no, or only very limited, access to the keys (e.g. "Bring Your Own Key" using a dedicated hardware security module in the cloud, or "Keep Your Own Key", where the key never leaves the customer's own infrastructure). One caveat practitioners should keep in mind: with "Bring Your Own Key" the provider's HSM still performs the cryptographic operations, so the provider platform can technically use the key while it is loaded; only client-side encryption with keys held outside the cloud removes that access entirely, at the price of losing provider-side features such as search and indexing over the protected data. Encryption is also an option for data in transit (e.g. via SFTP, TLS or VPN). For data in use, unauthorized access can be limited by identity and access management tools and by restricting editing rights (information rights management). The use of physically (rather than only logically) separated infrastructure is also important, in order to mitigate the risk of a failure of logical data isolation in a multi-tenant environment.
From an organizational point of view, unclear arrangements under the shared responsibility model should be avoided by agreeing clear tasks, competencies and responsibilities. "Shared responsibility" means that with cloud solutions the provider secures the underlying platform while the customer remains responsible for the configuration of its services and its data, and can usually choose which (additional) security services or tools it wants to use.
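As an added illustration (this is not code from the cloud report or from the Federal Chancellery templates), the following Python sketch shows what "splitting" a key between the customer and the provider means in practice: the data key is derived from two shares, one that stays in the customer's own HSM and one held by the provider's key management service, so neither party can decrypt on its own. The share names, the constructed sample record and the toy HMAC-based cipher are assumptions made for the example; a real deployment would use AES-GCM and actual HSM/KMS APIs, but the split-key logic is the same.

```python
"""Toy double-key (split-key) encryption, standard library only.

Assumptions for this example: customer_share lives in an on-premise HSM,
provider_share lives in the cloud provider's KMS.  The symmetric cipher built
here from HMAC-SHA256 is illustrative; use AES-GCM in production.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_data_key(customer_share: bytes, provider_share: bytes, context: bytes) -> bytes:
    """HKDF-style extract-and-expand over both shares.

    Because both shares enter the extraction step, a party holding only one
    share (or a guessed value for the other) derives a different key.
    """
    prk = hmac.new(b"dke-extract", customer_share + provider_share, hashlib.sha256).digest()
    return hmac.new(prk, context + b"\x01", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key shows up as a tag failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def provider_alone_can_decrypt(provider_share: bytes, context: bytes, blob: bytes) -> bool:
    """Model the provider trying with its own share and a guessed (zero) customer share."""
    guessed_key = derive_data_key(b"\x00" * 32, provider_share, context)
    try:
        decrypt(guessed_key, blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Walk through the split-key flow with a constructed sample record."""
    customer_share = os.urandom(32)  # stays in the customer HSM (and its escrow backup)
    provider_share = os.urandom(32)  # stays in the provider KMS
    context = b"record-id:constructed-example"
    record = b"classification: INTERNAL; constructed sample record"

    dek = derive_data_key(customer_share, provider_share, context)
    blob = encrypt(dek, record)  # only the blob is stored in the cloud
    return {
        "round_trip_ok": decrypt(dek, blob) == record,
        "provider_alone_can_read": provider_alone_can_decrypt(provider_share, context, blob),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes about key recovery is the flip side of the same property: if the customer share is lost and not escrowed, the provider's share alone cannot reconstruct the data key and the stored records are unrecoverable, which is why the report's question of how key loss is prevented has to be answered before the first record is encrypted.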
2.2 Official secrecy
The cloud report classifies the cloud provider as an auxiliary person under the revised Art. 320 no. 1 StGB (section 2.2.2.4). However, access by the cloud provider to secret data must be appropriately restricted, or excluded as far as possible, by contractual, organizational and technical measures (section 2.2.2.2). The statement that access must be appropriately restricted is correct; for secret data it already follows from the judgment BGE 145 II 229. In that judgment, the Federal Supreme Court required, among other things, that the circle of persons with access to secret information be reasonably limited and that sufficient measures be taken for data security. Furthermore, Art. 11 para. 1 lit. a VDTI expressly stipulates that the external service provider may only be granted access to data of the administration that is not generally accessible to the extent necessary for the provision of the service. Art. 11 para. 1 lit. c VDTI also requires that appropriate contractual, organizational and technical precautions be taken to prevent further dissemination of the data. In this respect, reference is made to the technical measures described above.
In addition, it should not be forgotten to check whether the data to be outsourced is subject to increased confidentiality requirements under specific legal bases (protection needs and risk analysis).
2.3 Information protection
In the area of information protection, the cloud report primarily addresses the requirements arising from the Ordinance on Cyber Risks (CyRV), the Information Protection Ordinance (ISchV), the Ordinance on Federal Identity Management Systems and Directory Services (IAMV), the GEVER Ordinance, Art. 57i et seq. RVOG and other relevant directives and guidelines. However, the CyRV and the ISchV will be repealed when the Information Security Act (ISG) comes into force (probably on 1 July 2023). According to the cloud report, the following points in particular will have to be examined once the ISG comes into force (section 4.2.3):
- Information classified under the ISchV and classified IT resources (which would also include a cloud application) would have to be adapted to the new classification provisions;
- Personnel security clearances would need to be conducted in accordance with the provisions of the ISG; and
- In the case of security-sensitive contracts, it must be ensured that the supplier holds an operational security declaration; under the ISG it is also the responsibility of the contracting authorities to initiate this.
In addition, Art. 57i et seq. RVOG govern the processing of personal marginal data, i.e. data such as log data that accrues when the federal electronic infrastructure is used (section 5.2). This is specified in more detail in the "Marginal Data Ordinance" (SR 172.010.442). Art. 57j para. 1 RVOG lays down the principle that administrative units may not, in principle, record or evaluate personal data that arises during the use of the electronic infrastructure. This is only permissible by way of exception for the purposes of data backup, maintenance, monitoring compliance with usage regulations and tracing access (Art. 57l to 57o RVOG). High requirements apply to the evaluation of such data with reference to individual persons (Art. 57o RVOG). Since administrative units must also take technical and organizational measures to prevent misuse (Art. 57p RVOG), marginal data must be adequately protected in cloud projects, and access to it must be clearly regulated and regularly reviewed.
3. Operational and other risks
The cloud report also addresses operational, technical and other risks. Mentioned are, for example:
- the risk of unforeseen service interruptions (no. 13 of Appendix C). These could be mitigated contractually by information obligations, an exit option (presumably meaning a right of termination) in the event of a change in conditions, or financial compensation for service interruptions (presumably meaning service credits); organizationally by monitoring the provider's activities; and technically by backups; or
- the dependency on the provider, which is addressed contractually, for example, through rules on data export and migration; organizationally through planning for a change of provider or repatriation; and technically by choosing an architecture that allows operation independent of the provider.
4. Evaluation
Milestone 5, which the cloud report implements, aimed to create legal clarity. Accordingly, the focus is on the legal foundations and barriers. However, this should not obscure the fact that the identification and reduction of operational risks is just as important for the success of a cloud project. These arise above all from the lack of direct control over personnel and infrastructure, from the possible foreign nexus and from the danger of dependence on the cloud provider. The cloud report therefore rightly addresses these risks.
For administrative units, however, a successful move to the cloud starts much earlier than the negotiation of contracts or the correct management of security controls, since authorities are subject to the restrictions of procurement law. This requires, for example, that the subject matter of the service be described sufficiently clearly. Changes to the invitation to tender after submission of the bids are only permitted under certain conditions. Administrative authorities must therefore address, before the tender is issued, how legal, operational, technical and other risks can be covered by admissible suitability criteria, technical specifications and award criteria (example: proof of ISO or comparable certifications with regard to information security). After the contract has been awarded, the requirements of procurement law must also be reflected in the contract; otherwise, there is a risk of violating procurement law when the contract is concluded. In addition, project planning must take into account that the implementation of public cloud projects may be delayed as a result of complaints against the award by losing bidders.
Cloud projects in public administration therefore require a holistic view from the perspective of procurement, administrative and information law, without losing sight of the operational and technical risks.