On 13 June 2022, the Swiss Federal Data Protection and Information Commissioner (FDPIC) published a statement concerning a project of the Swiss National Accident Insurance Fund (Suva) that involves the disclosure of certain personal data to Microsoft for processing by Microsoft on behalf of Suva. This article discusses this statement, which calls into question the risk-based approach for data transfers to countries that, compared to Switzerland, do not have an adequate level of data protection.
On 13 June 2022, the FDPIC published a statement on Suva's data protection risk assessment on the "Digital Workspace 'M365'" project. According to the statement, Suva provided the FDPIC with documentation on the outsourcing project that encompasses the disclosure of certain personal data to Microsoft for processing by Microsoft on behalf of Suva. The project provided for the data to be located in Switzerland and was based on the contractual framework between Microsoft and the Swiss Informatics Conference.
According to Suva, the outsourcing could potentially lead to American authorities having access to personal data. However, in the documentation submitted to the FDPIC, Suva classified the risk of access as very low. According to the FDPIC's statement, Suva based its classification on a standard risk assessment model widely used in Switzerland.
In its statement, the FDPIC noted that Suva had assessed the permissibility of the planned outsourcing according to a risk-based approach and had concluded that the outsourcing did not entail any high risks for the data subjects and was hence permissible.
However, according to the FDPIC, there is no basis for a risk-based approach in the law. Risk-based arguments are not necessarily excluded, but such supplementary arguments must not weaken fundamental rights and guarantees. For the FDPIC, it seemed at least questionable whether the risk-based approach was admissible and could be invoked to justify outsourcing projects such as this one.
Regardless of whether the risk-based approach was admissible, the FDPIC questioned the assessment of the probability of governmental access derived from this risk assessment model. According to the FDPIC, the probability values were not convincing because it was not sufficiently clear how they had been derived, and, in any case, the claimed accuracy of the calculated values appeared doubtful.
Finally, the FDPIC left it up to Suva whether it wants to keep pursuing the risk-based approach; in other words, the FDPIC did not explicitly rule out such an approach. However, the FDPIC advised Suva to reassess the risks associated with the outsourcing project and the transfer of personal data in a timely manner. In the meantime, a new privacy shield or a new decision regarding the federal cloud strategy may be released.
The FDPIC's stance is not particularly surprising. With various European data protection authorities currently calling the risk-based approach into question, it would have been hard for the FDPIC to confirm the admissibility of this approach. This holds particularly true because the European Union has still not reconfirmed the adequacy of the level of Swiss data protection. Should Switzerland apply a different standard for transborder data transfers than the European Union, it would risk becoming a hub for unregulated data flows (from the European Union's perspective). On the other hand, the FDPIC is aware that a consistent zero-risk approach would complicate (and even jeopardise) data transfers to countries that do not have an adequate level of data protection and would adversely affect the Swiss economy. Based on the foregoing, it is recommended to closely follow any further developments and to carefully assess the risks associated with transborder data transfers in every individual case.
For further information on this topic please contact Jürg Schneider or Simon Henseler at Walder Wyss by telephone (+41 58 658 58 58) or email. The Walder Wyss website can be accessed at www.walderwyss.com.