Skip to main content

Data protection: The weather is stormy

 

The choice to outsource data to foreign cloud solutions is being debated. Several polemics disrupt the digital sky and opening up interesting possibilities for data protection solutions.

The future is uncertain. This is how we could summarize the cases and polemics that have been affecting the cloud for several months now, particularly regarding data protection and digital sovereignty. The first step will begin in the early summer of 2021. Six months after the publication of its call for tenders, the Confederation awarded the development of a national cloud to five foreign multinationals (Oracle, IBM, Microsoft, Amazon and Alibaba) to host the federal administration’s current data centers and private clouds.

This decision is incomprehensible for Swiss cloud provider who denounce an attack in the Swiss digital sovereignty and the loss of control of our country on its data. The second act takes place a year later. Also in this context, tempers flare over the demand for transparency that public actors and Swiss providers should display when entrusting the storage and hosting of data to foreign actors. Thus, every citizen should be able to know in which legal form their data is stored.

Until now, companies and public administrations such as hospitals and universities stored data in their own cloud infrastructures. Now, more and more companies are subscribing to “cloud” solutions from foreign providers such as Microsoft for example :” In many cases, when such data transfers are carried out, organizations simply present their clients and users with a fait accompli, for example by giving them new general terms and conditions,” points out Solange Ghernaouti, a professor at the HEC Lausanne business school and international cybersecurity expert, in her blog of the newspaper Le Temps. She thus speaks out for more transparency.

This is the option chosen by SUVA, the largest accident insurance company in Switzerland. The result was not what was expected. What happened? In December 2021, SUVA made the decision to submit its data outsourcing project to Microsoft to the Federal Data Protection and Information Commissioner (FDPIC). This was done to ensure that the changeover would be compliant with data protection requirements. This decision was applauded by Adrian Lobsiger, but he is not satisfied.

In his statement issued on June 13, 2022, he wrote: “Due to partial legal disagreements, the FDPIC suggests that Suva reconsider the outsourcing of personal data to a cloud operated by the U.S. Microsoft group.” Specifically, Adrian Lobsiger criticizes SUVA’s decision not to consider beforehand whether the use of Microsoft’s cloud tools was simply legal from a data protection perspective. An argument refuted by SUVA, which states that it concludes its contract with Microsoft Ireland, subject to the European law on data protection.

If the case is not closed, it brings interesting considerations. This includes ensuring, before any transfer, how the new provider will protect this data. This is obviously a requirement. It is still necessary to apply it to all the layers of information processing and to all all digital players. Thus, we will be able to ensure robust data protection for each entity and each citizen.