US cloud services: A risk to data protection?

12 May 2021

The debate about using US cloud services is gaining momentum – and it also directly affects Swiss companies. The background: both European and Swiss data protection experts are increasingly warning of the risks that using such services poses to the security of personal data.

Swiss law and GDPR – double obligation

Swiss companies have to comply with more than national data protection law (Swiss DPA). As around 20% of the personal data processed in Switzerland originates from EU citizens, the European General Data Protection Regulation (GDPR) also applies. This means that anyone processing data from EU citizens must adhere to its strict requirements.

Data transfer to the USA – clear position of the EU

In the Schrems II judgement, the European Court of Justice ruled that the USA does not provide an adequate level of data protection. As a result, EU data protection organisations are already prohibiting the use of certain US cloud services such as Mailchimp if personal data is processed in the USA. In Switzerland, the legal situation has not yet been conclusively clarified, but the Federal Data Protection Commissioner (FDPIC) recommends a careful risk analysis.

CLOUD Act – access to data in Europe or Switzerland too

One crucial point: the US CLOUD Act allows US authorities to access data even if it is physically located in the EU or Switzerland – and without informing the data subjects. From a European perspective, this violates the GDPR and raises massive questions about data security.

Encryption – only partially effective

End-to-end encryption can help prevent unauthorised access. However, as soon as data has to be processed in the cloud, it is decrypted and can therefore be viewed. Encryption only remains effective for pure storage (“data at rest”) – but this is impractical for many use cases.

Politically explosive

Examples from the USA show that surveillance laws can be used not only for criminal prosecution but also for political purposes. In the past, data from journalists and political opponents has been accessed. This underlines the sensitivity of the topic and the growing scepticism of European data protection experts towards US cloud providers.

The advantages of the private cloud

A private cloud offers companies a controlled, dedicated infrastructure – often in a local or national data centre – and therefore decisive advantages over public clouds from US providers:

  • Legal certainty: Storage and processing in Switzerland or the EU, in compliance with local data protection laws.
  • Full data control: No extraterritorial access rights as with the CLOUD Act.
  • Greater security: Customisable security and access policies.
  • Confidentiality: No “gag orders” or covert authority requests from outside the legal system.
  • Integration & flexibility: Customisable to existing IT structures and compliance requirements.

Secure paths for your data

The discussion about US cloud services shows: Anyone who handles sensitive personal data should not rely solely on promises made by international providers. A private cloud in Switzerland or the EU can significantly reduce the risk of data breaches – while also offering performance, flexibility and control.
