A lot of negative publicity for the US CLOUD Act
Cloud-based solutions are already widely used today, but now also companies and government agencies with "sensitive" data want to move to the cloud and use offerings such as "Microsoft 365". Interestingly enough, when planning such a move, it is not traditional data security or "business continuity" issues that seem to cause the most worry but rather the possibility of access to data by foreign authorities, particularly under the US CLOUD Act. Recently, the Zurich data protection commissioner even publicly warned public authorities against using Microsoft cloud solutions and strongly recommended the use of encryption techniques that are often hard to implement in a reasonable manner. In response, Microsoft and its lawyers are countering with legal opinions and publications.
A reality check is necessary concerning the US CLOUD Act
The root cause of the problem manifested more than two years ago when the US CLOUD Act was enacted. Much of the media coverage in Switzerland, but also lawyers, portrayed it as a law that enables US authorities to easily access any data in the cloud at any time. For example, it was ignored that what the US CLOUD Act stipulates has actually been US court practice for some time, and that the US CLOUD Act was only created because an appellate court deviated from this practice in a single case. Likewise, that what the US CLOUD Act allows the authorities to do is in fact merely implementing what an international convention that also applies in Switzerland, set forth long ago (for those who do not believe it see Art. 18 para. 1 of the Cybercrime Convention).
Of course, it was also ignored that according to the US CLOUD Act and consistent legal practice, US authorities cannot simply access all data to which they could theoretically technically gain access, even if the cloud provider is in the USA. What is possible under the US CLOUD Act is neither spectacular nor unusual, nor does it play a major role in the day-to-day work of US authorities. Probably every country in Europe grants its authorities similar rights, and notably Switzerland itself goes even further. Nevertheless, all this went unnoticed and thus the myth of a very dangerous piece of US law was created, which is today supposed to be a much greater threat to Swiss data in the cloud than all the other dangers in the area of data security. It does not come as a surprise, thus, that all the data protection authorities in Switzerland issue warnings and recommendations, for example on the use of special forms of encryption or the requirement that Swiss law be applied to the contract with the cloud provider (which provides only for limited protection, but is currently causing a deadlock in a number of public sector cloud projects in Switzerland).
An Executive Agreement as the solution? Dream on!
The resulting uncertainty has now led to some even calling for an Executive Agreement for Switzerland because they believe that this would create legal certainty and ensure data protection. Executive Agreements are provided for by the US CLOUD Act in order to simplify (and not make more difficult, as some hope) access for US authorities to providers or data abroad without the need for legal and administrative assistance. Countries typically engage in such agreements because they receive reciprocal rights. Contrary to popular belief, the Executive Agreement with United Kingdom of October 2019 does not restrict the US CLOUD Act (see Art. 6 para. 3 and in this article "21 Thoughts and Questions about the UK-US CLOUD Act Agreement"), but allows the US to issue subpoenas directly to providers in the UK (and vice versa), with the domestic protection mechanisms kicking in only in these cases.
Anyone who believes that the US are prepared to grant Switzerland stronger protections than the UK is mistaken. The Swiss Banking Association's list of requirements, for example, will not stand a chance with the US. In the case of an international treaty such as the one concluded with the UK, Switzerland would not only have to allow US authorities to send production orders directly to Swiss cloud providers without considering administrative or legal assistance, they would also have to partially give up professional secrecy, banking secrecy, official secrecy and data protection safeguards. Moreover, data stored in Switzerland would still not really be protected against access via US providers under the US CLOUD Act.
On the contrary, Switzerland would probably also have to give up the current protection of Art. 271 Swiss Penal Code, with which Swiss companies have so far been able (and had to!) effectively ward off subpoenas from US authorities and courts with regard to data located on Swiss territory; the provision declares it a criminal offense to assist US authorities in accessing data on Swiss territory without authorization, if this can be considered a circumvention of Swiss official channels. Swiss employees who operate the data centers of Microsoft in Switzerland, for example, would be exposed to such a risk of criminal prosecution. This, in turn, provides customers with a certain degree degree of legal protection. An Executive Agreement may indeed provide for more clarity on the legal situation, but at the cost of softening the existing Swiss level of protection of data and providers. It is doubtful whether the prospect of a reciprocal right outweighs such a price.
Legal requirements for cloud projects
Given the above, how can cloud projects be implemented under Swiss law in case of sensitive data or data subject to professional secrecy? There are two answers to this question: The first comes from the “cantonal” data protection authorities, who demand that contracts be governed by Swiss law and that sensitive data is encrypted with a key that managed only by the customer. In my view, Swiss law is an advantage, but is not a key point and when it comes to data protection EU law covers data protection almost equally well. Furthermore, if indeed only the customer has access to the key used for encryption, many solutions, such as a cloud-based e-mail service are no longer feasible. Neither is the compromise of "bring-your-own key" really is a solution to the problem; in fact, it is expensive and results in relatively small gains in terms of data protection.
The second answer to the question is provided by the prevailing legal doctrine in Switzerland: Anyone who wants to implement a cloud solution with data protected by professional secrecy must, in addition to the classic measures for data security ensure business continuity and compliance with regulatory requirements, carry out a risk assessment, and take "appropriate" measures to reduce the residual risk of access by foreign authorities – also known as "lawful access" – to an acceptable level. This is easier said than done, given that many do not know how to implement this in practice. Even the scarce guidance available on the topic, such as the "Cloud Guide" of the Swiss Banking Association, has not really provided an answer to this question.
Probability of lawful access in percentage terms
To solve the problem for a client, I developed a risk assessment model that works very differently from what we lawyers normally deliver. It uses Excel and is based on the "calculation" of the probability of successful lawful access by a foreign authority. It takes into account both the technical possibilities of a provider as well as the legal framework of the US CLOUD Act and comparable provisions of law and foreign intelligence service laws such as Section 702 of the US Foreign Intelligence Surveillance Act (FISA). It is neutral with regard to products and vendors and can be applied to all types of cloud models (Swiss cloud solutions, Swiss cloud solutions with foreign remote access, foreign clouds, IaaS, PaaS, SaaS, etc.). To determine the probability, I have analyzed the cumulative or alternative conditions that have to be met in order for a foreign authority to successfully gain lawful access to data in a cloud. For each of these factors, a probability of occurrence is estimated and the overall probability is calculated on this basis. The model is designed in such a way that the estimates can be very rough and conservative, which facilitates the exercise.
The result is a percentage value based on the assumptions made indicating the statistical probability of successful lawful access during the relevant period of time. This can be used by the management of a company, for instance to compare project variants based on different technical and legal measures, to document the company’s risk assessment and to serve as a basis for its risk decisions. It is and remains a mere risk assessment, though. It is relatively simple and it has its weaknesses, but the use of the model so far shows that the numbers provide a clearer message than words. Above all, the model allows companies to better relate technical and legal factors to each other and visualize their interaction. The assessment should therefore be carried out in an interdisciplinary manner with the various experts of a company completing the Excel spreadsheet together. The fear of the US CLOUD Act is thus usually off the table after such an exercise, or is assessed much more objectively. This usually results in the focus shifting back to traditional risks such as data security and business continuity.
Risk assessment model to be published
In order to make the risk assessment model available for a wider audience, I have decided to publish it under a free licence (so that anyone can use it), along with a scientific paper that describes the conditions under which it is permissible to use cloud solutions for data that is subject to professional or even official secrecy. In it, I explain in more detail the Excel-based risk assessment model and I try to provide a fresh view on some strongly debated topics concerning outsourcing restrictions for companies subject to professional secrecy. The assessment model can be downloaded here; the scientific paper is available here and its annex can be downloaded here (both in German only).
Categories: Data & Privacy