M365 approval
The Zurich government council passed a resolution on March 30, 2022, published on April 14, 2022, entitled “Use of cloud solutions in the cantonal administration, (Microsoft 365), approval” (RRB 542/2022).
The resolution concerns the use of M365, in particular Exchange Online and Teams. Teams does not even exist as an on-premise solution, so its growing adoption forces a move to the cloud. The canton of Zurich sees no alternative to this move, which it describes quite strikingly: without the cloud, the canton would be “on the technological sidelines” because it would be “closed to technological progress”. This appears at the end of the text, but logically it is the starting point of the resolution (and is reminiscent of the “sweat of the feet of progress” according to Karl Kraus).
Lawful Access: Rosenthal’s Model
As far as the risks are concerned, the government council is probably right in assuming that the general security risks are at least no higher than with an on-prem solution. These risks (e.g., the supplier risk) were examined separately (references to the legal basis can be found in the decision). In addition, however, there is the specific lawful access risk, i.e., the risk of foreign authorities gaining access to data.
The Government Council relates this risk to US authorities. The contract, which the canton concluded in 2021 on the basis of the SIK contract with Microsoft (with an addendum supported by the data protection commissioner), is with Microsoft’s Irish company, but this does not mean that U.S. authorities cannot possibly access the canton’s data via the Stored Communications Act, as amended by the U.S. CLOUD Act. The risk of such access was therefore examined (the analogous risk for Ireland is not mentioned in the decision; whether it was also examined is therefore not clear from the decision).
For the risk assessment, the canton relied on the risk assessment model by David Rosenthal:
For the risk assessment of a foreign lawful access in the case of M365, the calculation method of David Rosenthal was used […]. The calculation method for the structured determination of the probability of occurrence of a successful lawful access by a foreign authority in a cloud project has been published under a free license since 2020 and has been adopted by the International Association of Privacy Professionals (IAPP). The calculation method has established itself as a tool in the Swiss financial sector and is also used, among others, by the Zürcher Kantonalbank in connection with the introduction of M365.
For this risk assessment, the canton held a workshop:
The risk calculation for M365 for the cantonal administration was carried out in a workshop with legal and technical experts from the IT office, the public prosecutor’s office, the cantonal tax office, the state chancellery and the cantonal police. For the statistical calculations, figures from US legal assistance were also collected by the Federal Office of Justice, supplemented with empirical values from the specialists there in connection with rejected and unsubmitted requests from US authorities.
The risk of access by the authorities was estimated to be very low (below 1% within an observation period of five years).
Risk limit: 10% in 5 years
On this basis, the Government Council decided the following points:
- David Rosenthal’s risk assessment model will be used in the cantonal administration as a standard model to assess the lawful access risk of cloud solutions.
- If the probability of occurrence of a successful lawful access is so low that a probability of 90% is reached only when the observation period exceeds 100 years, the use of the cloud solution is approved from the perspective of the government council (which does not mean that the responsible authorities do not have to make their own risk decision). This formulation of the probability is perhaps not so intuitive, but this risk threshold is more than ten times the risk for M365. In an observation period of 5 years, it corresponds to an access risk of about 10%. The Government Council thus basically draws the line of its general approval at a risk that is “very low” or “low” in the terminology of Hillson, which Rosenthal has adopted, but not yet “medium”. It is a risk that is considerably higher than the values generally achieved in practice.
- Only if the risk is even higher does this result in the corresponding cloud solution having to be approved by the government council on a case-by-case basis.
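The conversion between the two formulations of the threshold (90% in 100 years versus about 10% in 5 years), worked through here as an added illustration that is not part of the resolution or of the original post. It assumes a constant, independent probability $p$ of a successful lawful access per year; this assumption and the symbols $p$ and $P(n)$ are introduced here.

$$
P(n) = 1 - (1 - p)^{n}, \qquad P(100) = 0.9 \;\Rightarrow\; (1 - p)^{100} = 0.1 \;\Rightarrow\; p = 1 - 0.1^{1/100} \approx 2.28\,\%
$$

$$
P(5) = 1 - (1 - p)^{5} = 1 - 0.1^{5/100} = 1 - 0.1^{0.05} \approx 1 - 0.891 = 10.9\,\%
$$

Under this assumption the threshold works out to roughly 2.3% per year, or just under 11% over five years, which is consistent with the “about 10%” stated above and with the M365 estimate of below 1% in five years lying more than a factor of ten beneath it.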
Follow-up remarks
This risk assessment and acceptance by the government council is based on data protection law and official secrecy (even though this word is found only once in the resolution). Apparently, the government council assumes that a residual risk that is assessed ex ante and lege artis at 10% or less within a 5‑year period may be accepted. This also means, among other things, that a lawful access that actually occurred would possibly mean a violation of official secrecy, but that this violation would not be intentional, not committed with contingent intent, and not negligent if such a risk assessment had been made. Against this background, it is quite significant that the risk assessment was carried out in workshops in which, among others, representatives of the public prosecutor’s office participated. Under data protection law, the same standard applies in the end: what matters here is that the exporter has “no reason to believe” that authorities access transmitted personal data on the basis of an inadequate legal basis (this could be expanded upon, but that is what the standard contractual clauses say).
As a result, the Government Council has given its official blessing to David Rosenthal’s risk assessment model, which has become widespread and proven in practice. It would be difficult for a public prosecutor’s office or a court to oppose this model, even though the question of the risk limit (i.e., the subjective element of the offense) is difficult to objectify and would ultimately have to be assessed by the courts in each individual case.
Another point is worth noting: in the risk assessment, the government council explicitly considered the interest of foreign authorities in the data in question. To the extent that privatim assumed a zero-risk approach in the updated version of the leaflet “Cloud-specific risks and measures” for public bodies (which was not made clear, but there were indications to that effect in the leaflet; cf. our contribution), this should now be off the table.
The government council is aware that a risk assessment is not a matter of “fire and forget”. Rather, what is required is “determined and continuous monitoring and constant assessment of the risks”. To this end, the government council is creating the position of a Cloud Security Officer of the Canton of Zurich.