In view of the ongoing discussions, the Association for Enterprise Data Protection (VUD) has published an “FAQ on the use of cloud technologies”. The document is dated August 26, 2022, and is available on the VUD website.
The FAQ and its answers are structured around the following questions:
- Is the use of cloud solutions from US providers permissible under Swiss data protection law?
- Why is foreign authority access suddenly a problem – this risk has always existed?
- What does this have to do with Switzerland?
- Does the law require the exclusion of any theoretical risk?
- When we use the cloud solutions of the US hyperscalers, can there be access from the USA if we choose to store the data in Europe?
- The discussion seems to be all about the US CLOUD Act and other provisions of US law – why?
- What special requirements apply to those bound by professional and official secrecy?
- Do the contracts of the large cloud providers fit? Can they be negotiated at all?
- Does the location of the data storage and the location of the provider matter?
- What encryption does Swiss law require?
- How must a risk assessment concerning US law be carried out?
- What other risks should be considered when moving to the cloud?
The FAQ is prefaced by the following takeaways:
The risk-based approach is a principle of data protection law – since time immemorial and also after the revision of the Data Protection Act. It also applies to the disclosure of personal data abroad.
According to the Data Protection Act, “adequate” and in the future “appropriate” protection is sufficient for the disclosure of personal data abroad, which corresponds to the risk-based approach. Exclusion of every theoretical risk is not required.
The risk associated with cloud projects must be examined in each individual case. It often emerges that even in the case of cloud services with the involvement of US providers, the risk of access by foreign authorities is low and acceptable from a data protection perspective, provided suitable protective measures are in place.
Disclaimer: The author of this article is Deputy Secretary David Rosenthal at VUD.