Martin Steiger, Attorney at Law
Martin Steiger is a lawyer and entrepreneur working on law in the digital space (Steiger Legal, Datenschutzpartner). Martin Steiger’s legal practice focuses on data protection law, intellectual property law, IT law and media law.
When we talk about the cloud, there are still many who worry about protecting their data. Among other things, because cloud providers, such as Microsoft, are subject to the U.S. CLOUD Act, which requires U.S. companies to guarantee U.S. authorities access to data even if it is not stored in the United States. What is your opinion on this?
All companies that have data processed by third parties, for example with cloud providers, must ensure data security and assess the risks. In many cases, security is better and risks are lower when using an established cloud provider rather than trying to run IT infrastructure yourself. This is especially true for SMEs. The same applies to the processing of data abroad. Depending on the risks involved, data may be stored more securely abroad than in Switzerland. This is because data in Switzerland is less effectively protected by law than in Europe in particular. But that’s also because Switzerland is an expanded and growing surveillance state.
With the CLOUD Act, American Internet providers are required to hand over data to American authorities, regardless of location. For example, if Microsoft stores data in Switzerland, U.S. authorities may be able to access such data more quickly through the CLOUD Act than through the international mutual legal assistance route.
A recent case involving ProtonMail shows how such legal assistance works:
What exactly does the US CLOUD Act include, and up to where does the scope apply?
The CLOUD Act is only applicable under numerous conditions. For example, the data must relate to a so-called U.S. person, the Internet providers can defend themselves on behalf of their customers, and in many cases a court must examine in depth the extent to which foreign law must be observed and which interests prevail. Microsoft and other Internet providers have contractually regulated how they proceed with CLOUD Act requests. American providers in particular create transparency by providing regular information on the extent to which they have had to release data to authorities. In Switzerland, there are hardly any Internet providers that publish such a transparency report.
As far as can be seen, the CLOUD Act has not yet achieved any great significance. For example, in the first half of 2021, Amazon did not have to grant access to data outside the USA in a single case (more info in the link below). At the same time, many SMEs are not aware of how extensive the Swiss surveillance state is and how few effective legal remedies are available against surveillance by Swiss authorities. These agencies, for example, the Federal Office of Police or the Federal Intelligence Service, cooperate with foreign agencies, including U.S. agencies.
What about data protection?
According to European case law, adequate data protection does not exist in the USA by default. Whether this is true is debatable. The USA tends to have a different approach to protecting data, but this need not be a disadvantage for data subjects. In the U.S., for example, affected individuals can collectively defend themselves against responsible companies with class action lawsuits and sue for damages in a way that is hardly possible in Europe. Fines, as they are pronounced against companies in Europe, flow into the respective state coffers, and the persons concerned have nothing to gain from them.
At the same time, it is important for Swiss companies to legally safeguard data processing by third parties and, if necessary, also abroad. For the use of cloud providers, a Data Processing Agreement (DPA) must be concluded. All established providers allow the conclusion of such a contract. If data is to be processed in countries without adequate data protection, data protection must be guaranteed with so-called standard contractual clauses. The Federal Data Protection and Information Commissioner (FDPIC) has published detailed explanations of how this safeguard works, also with regard to the USA.
What is your recommendation for Swiss SMEs?
Depending on the data and country, additional measures may be advisable, for example end-to-end encryption. With American providers, it also makes sense to choose a data location in Europe. All major cloud providers make such data locations available, often in Switzerland as well.