Public Cloud Report of the Federal Administration

In implementation of milestone 5 of the Federal Council's cloud strategy, the Federal Chancellery has submitted its report on the legal framework for the use of public cloud services in the federal administration. According to current federal “best practice”, non-critical, anonymous and/or public data is processed in public clouds (such as MeteoSwiss) or – with data storage location Switzerland – at most data classified as internal (cf. the illustration of cloud use in the federal administration).

The report is intended to help administrative units that use services under the procurement project “Public Clouds Federation” with the clarifications that need to be made before using cloud services. For the retrieval itself, the Federal Chancellery provides templates: a provider-neutral specification sheet (Download) and a sample catalog of criteria (Download).

1. Risks identified in the cloud report

The cloud report states (correctly) first of all that the use of conventional “on-premise” models is not without risk. The risk of, for example, cyber attacks or the failure of technical infrastructure exists equally in an organization's own data center. The decisive factor – irrespective of whether the selected model is “on-premise” or “cloud” – is that, within the legally permissible framework, the risks are proportionate to the advantages (e.g. greater efficiency and scalability in the case of the cloud). The following risks of cloud use are identified in the cloud report:

  • Legal risks, in particular with regard to data protection, (official) secrecy protection, information protection and other special laws;
  • Business continuity and disaster recovery risks;
  • Dependence on third parties, where the risk of vendor lock-in and the use of additional subcontractors is a particular concern;
  • Political risks, in particular with regard to changes in the legal environment (section 1.7.4); and
  • Reputational risks.

These risks are described in more detail in some cases in Appendix C of the report and are combined with suggestions for risk reduction. Appendix D of the report then contains questions that arise for administrative units in connection with “going to the cloud”. However, the focus of the report is on the legal risks – specifically an overview of the (general) legal foundations and barriers in the area of data protection, official secrecy protection and information protection. Depending on the administrative unit and the type of data or applications to be outsourced, further special legal requirements may be relevant.

2. Legal risks when “going to the cloud”

2.1 Data protection

The cloud report emphasizes (correctly) that data protection does not prevent the processing of personal data by third parties on behalf of the administration. However, it must be ensured in particular that

  • the cloud provider – and any other subcontracted processors – only process the data as the outsourcing administrative unit is permitted to do;
  • an appropriate level of data protection is ensured when personal data is disclosed abroad and, if necessary, the risk of access by foreign authorities is examined in greater detail in this context;
  • technical and organizational measures for data security are taken and regulated in detail in a set of processing regulations;
  • a data protection impact assessment (as required by the revised data protection law) is carried out prior to cloud use;
  • data security breaches are reported by the cloud provider to the administrative entity; and
  • the data subjects can enforce their (data protection) rights.

Disclosure of personal data abroad

With regard to the disclosure of personal data in countries without an adequate level of data protection, it is pointed out that “consent solutions for systematic data processing are not a suitable solution due to the high corresponding requirements […]” (section 1.6.1). Instead, according to the report, standard contractual clauses or specific guarantees should be used and these should be supplemented by technical and organizational measures. In practice, these are the EU standard contractual clauses (adapted to the specifics of Swiss data protection law), which are often provided for as standard in the contracts of large hyperscalers (cf. e.g. Microsoft, AWS or Google).

It is to be welcomed that the Federal Chancellery adopts a risk-based approach with regard to data disclosure abroad (para. 1.7). The risk of access by foreign authorities could hardly be completely ruled out. It is therefore sufficient if residual risks are reduced to an acceptable level. At the same point, however, it is explicitly pointed out that the FDPIC takes a different view (cf. also our blog post here).

Technical and organizational measures

The cloud report proposes anonymization and pseudonymization, tokenization and data encryption as technical measures to protect personal data. Key management is critical for the latter. It must be clarified who manages the key, whether the key is split (double key encryption) and how loss of the key is prevented or how the key can be restored (key recovery). In principle, solutions should be sought in which the cloud provider has no or only very limited access to the keys (e.g., “Bring Your Own Key” using a dedicated hardware security module in the cloud or “Keep Your Own Key”). Encryption is also an option when transferring data (data in transit) (e.g., via SFTP, TLS, or VPN). When data is used, it can be protected against unauthorized access by identity management tools and the restriction of editing rights (information rights management). Also important is the use of physically (instead of only logically) separated infrastructures to prevent the risk of logical data isolation failure.

From an organizational point of view, in the event of unclear organizational arrangements in the case of shared responsibility, clear tasks, competencies and responsibilities should be agreed. “Shared responsibility” means that with cloud solutions, the customer can usually choose which (additional) security services or tools he wants to use.

2.2 Official secrecy

The cloud report classifies the cloud provider as an auxiliary under the revised Art. 320 No. 1 StGB (para. 2.2.2.4). However, access by the cloud provider to secret data must be appropriately restricted, or excluded as far as possible, by contractual, organizational and technical measures (para. 2.2.2.2). The statement that access must be appropriately restricted is correct – for secret data it already follows from the judgment BGE 145 II 229. In this judgment, the Federal Court required, among other things, that the circle of persons with access to secret information be reasonably limited and that sufficient measures be taken for data security. Furthermore, Art. 11 par. 1 lit. a VDTI expressly stipulates that the external service provider may only be granted access to data of the administration that is not generally accessible to the extent that this is necessary for the provision of the service. Art. 11 (1) (c) VDTI also requires that appropriate contractual, organizational and technical precautions be taken to prevent further dissemination of the data. In this respect, reference is made to the technical measures described.

In addition, it should not be forgotten to check whether the data to be outsourced is subject to increased confidentiality requirements due to specific legal bases (protection needs and risk analysis).

2.3 Information protection

In the area of information protection, the cloud report significantly addresses the requirements arising from the Cyber Risk Regulation (CyRV), the Information Protection Ordinance (ISchV), the Ordinance on Federal Identity Management Systems and Directory Services (IAMV), the GEVER Ordinance, Art. 57i et seq. RVOG and other relevant directives and guidelines. However, the CyRV and ISchV will be repealed when the Information Security Act (ISG) comes into force (probably on 1 July 2023). According to the cloud report, the following points in particular will have to be examined once the ISG comes into force (section 4.2.3):

  • Information classified under the ISchV and classified IT resources (which would also include a cloud application) would have to be adapted to the new classification provisions;
  • Personnel security clearances would need to be conducted in accordance with the provisions of the ISG; and
  • In the case of safety-sensitive contracts, it must be ensured that the supplier has an issued operational safety declaration – it is now also the responsibility of the contracting authorities to initiate this.

In addition, the report addresses Art. 57i et seq. RVOG on the processing of personal marginal data that arise when using the electronic federal infrastructure (Section 5.2). These provisions are specified in more detail in the “Marginal Data Ordinance” (SR 172.010.442). Art. 57j para. 1 RVOG lays down the principle that administrative units may not record or evaluate personal data that arise during the use of the electronic infrastructure. This is only permissible by way of exception for the purposes of data backup, maintenance, monitoring compliance with usage regulations and tracking access (Art. 57l – 57o RVOG). High demands are placed on the person-related evaluation of these data (Art. 57o RVOG). Since administrative units would also have to take technical and organizational measures to prevent misuse (Art. 57p RVOG), marginal data would have to be adequately protected in cloud projects and access to it would have to be clearly regulated and regularly reviewed.

3. Operational and other risks

The cloud report also addresses operational, technical and other risks. Mentioned, for example, are

  • the risk of unforeseen service interruptions (No. 13 Appendix C). These could be mitigated contractually by information obligations, an exit option (probably meaning a right of termination) in the event of a change in conditions, or financial compensation for service interruptions (this would probably be service credits), organizationally by monitoring the provider’s activities, and technically by backups; or
  • the dependency on the provider, which is, for example, addressed contractually by regulating data export and migration, organizationally by planning the change of provider or repatriation, and technically by choosing an architecture that allows operation independent of the provider.

4. Evaluation

Milestone 5, which the cloud report implements, aimed to create legal clarity. Accordingly, the focus is on the legal foundations and barriers. However, this should not obscure the fact that the identification and reduction of operational risks is just as important for the success of a cloud project. These follow above all from the lack of direct control over personnel and infrastructure, from the possible foreign connection and from the danger of dependence on the cloud provider. The cloud report therefore correctly addresses these risks.

For administrative units, however, a successful move to the cloud starts much earlier than the negotiation of contracts or the correct management of security controls, since authorities may have to take over the management of the cloud and are subject to restrictions under procurement law. This requires, for example, that the subject matter of the service be described sufficiently clearly. Changes to the invitation to tender after submission of the bids are only permitted under certain conditions. Administrative authorities must therefore address, before the tender is issued, how legal, operational, technical and other risks are to be integrated into it. These can be addressed through admissible suitability criteria, technical specifications and award criteria (example: proof of ISO or comparable certifications with regard to information security). After the contract has been awarded, compliance with the requirements of procurement law must also be reflected in the contract. Otherwise, there is a risk of violation of the prohibition on concluding contracts under procurement law. In addition, project planning must take into account the fact that the implementation of public cloud projects may be delayed as a result of any complaints against the award by losing vendors.

Cloud projects in public administration therefore require a holistic view from the perspective of procurement, administrative and information law, without losing sight of the operational and technical risks.
