Cloud contracts with Amazon, Alibaba & Co. have been signed

Despite heavy criticism, the federal government has signed the contracts with Amazon, Alibaba and Co. It is becoming increasingly clear which data the authorities will no longer necessarily store in their own data centers in the future.

Above all, the federal government’s award to the Chinese group Alibaba drew criticism.

The major order from the federal government caused a stir in the media. “The federal government outsources government data to the Chinese Alibaba group,” headlined the Tamedia newspapers last summer. For the online magazine “Republik”, the public cloud award to the four US companies Amazon, IBM, Microsoft and Oracle and the Chinese company Alibaba is a “debacle”. Politicians also see Switzerland’s digital sovereignty endangered by the award, which was made as part of a WTO tender. Meanwhile, the federal government is creating facts on the ground. The Federal Chancellery announced on Tuesday that the contracts with the cloud providers had been signed. The last signature arrived in the mail on Friday.

In view of the fuss surrounding cloud procurement, the Federal Chancellery is currently examining whether the contracts with foreign companies can be published. It is probably not doing this voluntarily. It would be surprising if journalists or other interested parties did not demand access to the contracts via the Disclosure Act. Sooner or later, the federal government would have to negotiate with the cloud providers anyway about which business secrets have to be blacked out in the documents.

Not all data migrates to the cloud

The “Public Clouds Bund” contract has a total volume of CHF 110 million. The federal government has the option, but not the obligation, to obtain cloud services of this value from the five companies within five years. Which provider is used and to what extent is decided on a case-by-case basis. The federal administration will not simply move all of its data to the providers’ clouds. It continues to rely on its own data centers and private clouds – i.e. clouds that are operated on its own infrastructure (see table). The only new element is that public cloud services can be obtained for certain services.

The offices in the various departments will decide for themselves whether and for what purposes they use cloud services. According to the Federal Chancellery, the focus of use is on public data for which there are no special protection requirements. For the time being, sensitive personal data will not be processed in the data centers of Amazon or Alibaba. The current focus is on less sensitive applications that require rapid scalability. This can be, for example, the calculation of weather models by the Federal Office for Meteorology or dealing with high visitor numbers on federal websites.

Access by the Americans and Chinese

The outsourcing of federal data and applications to foreign cloud providers is controversial for various reasons. Firstly, the federal administration becomes dependent on the companies. Once a decision has been made to work with a cloud company, in certain cases it can only be reversed with considerable effort. Second, there are concerns about data protection laws and government access in other countries. According to the legal opinion of the federal government, the transmission of personal data to EU countries is possible in principle. The European General Data Protection Regulation is equivalent to the standards that apply here.

The situation is different in the USA: intelligence surveillance programs and the notorious Cloud Act provide that American authorities can access data from cloud providers without legal assistance procedures. In certain cases, this is also possible if the data is stored or processed outside the USA. Concluding contracts with the European subsidiaries of a US group does not necessarily protect against government access. Whether a European subsidiary releases the data to the US parent company depends primarily on economic and political pressure. In case of doubt, a company would rather annoy Bern than Washington.

A residual risk always remains

Electronic data – and also filing cabinets – are never absolutely secure against access by third parties. Even the data centers of the federal government are not perfectly protected. Security also has several dimensions and is not limited to access by third countries. The security measures of some hyperscalers against criminal cyber attacks or infrastructure failures are likely to go beyond those of the federal government. When deciding where data is stored and in what form, the state must therefore weigh up the risks. Encrypting the data that is stored in a cloud can also reduce the risk of access. However, it can never be completely eliminated.

The federal government therefore advocates a risk-based approach. In principle, it can be assumed that the American and Chinese authorities can access the data that is in the care of “their” cloud providers. Therefore, before using the cloud, the offices first have to go through a clearly defined process: First, they have to create a “supplier-neutral specification sheet” for their needs. The process then “spits out” which of the five providers best meets the needs of the specific case with its cloud. If, for example, an office does not want to receive any services from Alibaba at all, it is not obliged to do so. Not even if the Chinese company best covers the needs according to the specifications.

However, the authorities do not have a free hand either. They could not, for example, arbitrarily take Alibaba out of the race and pick the second-placed cloud provider. At least within the WTO framework this would not be allowed. In certain cases, however, it would be possible for an office to procure the cloud services outside the cost ceiling of CHF 110 million. However, that shouldn’t be necessary. Before a service is obtained, the offices must carry out clarifications. This also includes the question of whether the outsourcing and processing of data in a public cloud – i.e. a cloud outside the federal infrastructure – is legally compliant. This review also explicitly includes political risks.

Clear words about China

A federal report published on Tuesday is blunt about the legal situation in China: Due to the Chinese data security law, it can be assumed that Alibaba must give the Chinese authorities access to data. Even encrypting the data in the cloud may be inadmissible if it means the Chinese state no longer has access to it.

The conclusion of the Federal Chancellery: “For these reasons alone, a transfer of personal data to China is associated with considerable risks that are difficult to assess and can hardly be reconciled with the requirements of Swiss data protection law and other legal requirements.” A transfer of personal data to a subsidiary of a Chinese parent company would have to be carefully examined in terms of whether and under what conditions access to the data by the Chinese parent company or by Chinese state authorities is possible. Freely translated, this may mean something like: personal data should not end up in an Alibaba cloud anytime soon.

A citizen fights back in court

It is also currently questionable when the federal government will even purchase cloud services from the five providers. The contracts may be signed. However, a citizen is taking legal action against the federal government’s project. He demands that the federal administration does not purchase any public cloud services from foreign providers. A request for precautionary measures is pending with the Federal Administrative Court. The federal government announced on Tuesday that it wants to wait for this interim decision before the offices can receive services from Amazon and Co.

However, the citizen is likely to take the case to the federal court. In addition, the “actual” proceedings continue in parallel. If the Federal Administrative Court does not order any precautionary measures, this would only be a partial victory for the federal government. It will then have to reassess the situation. By giving the starting signal for the use of the cloud before a final judgment, it would be taking a certain legal risk. On the other hand, the federal government would like to be able to use the cloud services within a reasonable period of time. A lot will therefore depend on how clear the interim decision of the Federal Administrative Court turns out to be.