U.S. Clouds: a no-go?
The Bavarian DPA has banned the use of Mailchimp, the ECJ has ruled that the USA fails to provide an adequate level of protection and the Swiss Federal Data Protection Commissioner calls the USA an "unsafe third country". Microsoft is planning an EU Data Boundary for the MS Cloud. US clouds offer services from Switzerland. Are Swiss companies allowed to store personal data in US clouds or not?
Swiss law vs. EU law
Question No. 1: Which legislation do Swiss companies have to comply with?
Approximately 1.4 million EU citizens live in Switzerland at present. In addition, there are about 350,000 cross-border commuters from the EU. We can therefore assume that about 20% of the personal data processed by Swiss companies comes from EU citizens. Swiss companies are thus directly affected by European data protection legislation, in particular the GDPR, and have to comply with more than Swiss legislation alone.
Data in the USA
Question No. 2: Is it permitted to export personal data to the USA?
Legal certainty already exists in the EU: the European Court of Justice ruled against this in the Schrems II case. Accordingly, German data protection authorities already prohibit the use of US SaaS services such as Mailchimp, which process personal data in the USA. In Switzerland, on the other hand, there is no legal certainty yet, but the Swiss Federal Data Protection Commissioner recommends a "careful risk analysis" and makes it clear that the data exporter remains responsible for "any consequences".
Data in U.S. clouds
Question No. 3: Can personal data from the EU or Switzerland be stored in US clouds?
There is still no absolute legal certainty about this. Due to the CLOUD Act, however, it makes no difference to US authorities whether the data is in the US or in the EU or Switzerland: if they want to access it, they have the (US) right to do so, even without informing the companies and individuals concerned. This is prohibited under GDPR Articles 6 and 49...
Encryption
Question No. 4: Is encryption the solution?
Not really, because if the data is to be processed in a cloud (data in use), it must be decrypted there, which gives the provider access to it. Secure encryption is only possible if the data is encrypted before it is transferred to the cloud. However, this means that the data can only be stored in the cloud (data at rest) but cannot be accessed by applications running there.
Conclusion
If you want to be on the safe side, you should not process personal data in US clouds, regardless of whether they are located in the US, the EU or Switzerland. At best, a hybrid approach would be conceivable: Personal data is stored in Switzerland and an anonymous ID is used for processing in the cloud. Those who want to save themselves this effort should only use Swiss providers.
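The hybrid approach described above, sketched as an added example (not code from the original article): personal fields stay in a local vault and the cloud workload only ever sees a random ID. The field split, all class and function names, and the sample records are assumptions made for illustration.

```python
import json
import secrets

PII_FIELDS = {"name", "email"}  # assumption: which fields count as personal data

class LocalVault:
    """Token-to-person mapping; kept on local storage, never sent to the cloud."""

    def __init__(self):
        self._pii_by_token = {}
        self._token_by_email = {}

    def pseudonymize(self, record):
        """Split a record: personal fields stay here, the rest gets a random ID."""
        pii = {k: v for k, v in record.items() if k in PII_FIELDS}
        rest = {k: v for k, v in record.items() if k not in PII_FIELDS}
        # Random token, not a hash of the e-mail: a hash can be reversed by
        # hashing candidate addresses, a random value carries no information.
        token = self._token_by_email.setdefault(record["email"], secrets.token_hex(16))
        self._pii_by_token[token] = pii
        outbound = {"id": token, **rest}
        self._check_no_pii(outbound)
        return outbound

    def _check_no_pii(self, outbound):
        """Refuse payloads where a known personal value hides in another field."""
        blob = json.dumps(outbound, ensure_ascii=False).lower()
        for pii in self._pii_by_token.values():
            for value in pii.values():
                if str(value).lower() in blob:
                    raise ValueError("personal data found in outbound payload")

    def reidentify(self, cloud_row):
        """Join a cloud result back to the person it belongs to."""
        rest = {k: v for k, v in cloud_row.items() if k != "id"}
        return {**self._pii_by_token[cloud_row["id"]], **rest}

def cloud_total_per_id(rows):
    """Stand-in for the cloud workload: sees only IDs and amounts."""
    totals = {}
    for row in rows:
        totals[row["id"]] = totals.get(row["id"], 0) + row["amount"]
    return [{"id": i, "total": t} for i, t in totals.items()]

# Constructed sample records
ORDERS = [
    {"name": "Anna Muster", "email": "anna@example.ch", "amount": 40},
    {"name": "Anna Muster", "email": "anna@example.ch", "amount": 60},
    {"name": "Beat Beispiel", "email": "beat@example.ch", "amount": 15},
]
```

The outbound check only catches values the vault already knows; free-text fields can still carry personal data about people who are not in the vault.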
- Tips on the GDPR for Swiss companies (EDÖB, 27.05.2020)
- Data protection "Online Check" (ECONOMIESUISSE)
- Practical implications of the ECJ's case law
- Answering Europe’s Call: Storing and Processing EU Data in the EU (Microsoft-Blog)
- EDÖB advises Mailchimp customers to carry out a risk analysis
- Microsoft announces European "data boundary"
- https://www.bfdi.bund.de/DE/Europa_International/International/Artikel/Internationaler_Datentransfer.html
- How secure are encrypting cloud storage services?
- Swiss Hosting Label