Working in the 
cloud – the 
challenges for 
data protection

Cloud computing is about more than just “convenience.” Data are increasingly being stored in the cloud so that they can be accessed anytime, anywhere. Information is no longer tied to a particular location – and as a result, employees aren’t either. This facilitates remote working, which is a welcome change to the office for some, but for organizations and businesses, this development poses a challenge that needs to be overcome.

By providing digital infrastructures, applications or information can be used without being tied to a specific device. External resources such as processing power, storage space, or other services can be accessed remotely without a company or its employees needing to have the relevant hardware or software.

When using a cloud service, personal data are transferred and hence “processed” by a third party. Even using an external cloud for storage is a form of outsourcing. At first glance, outsourcing via cloud computing presents many advantages to a company. However, an incredibly broad scope of issues needs to be clarified and individ-ually assessed before outsourcing, in some cases, entire workflows – divorcing them completely from the company.

The decision to outsource business processes or applications can result in dependency on a particular cloud service provider. Where close-knit structures have emerged over time, any problems affecting the cloud service provider will also quickly lead to complications for the contracting company.

A company that decides to process personal data in the cloud must carefully select, instruct, and monitor the cloud service provider (in accordance with Art. 10a of the Swiss Data Protection Act [FADP]). The right partner must be carefully chosen from the different cloud operators. As men-tioned above, outsourcing data results in dependency on the cloud provider. A risk assessment should be carried out beforehand to determine whether personal data can be processed in a cloud environment. It is advisable to bring in specialists during such an assessment.

The cloud operator must also (where possible) be contractually obligated to comply with Swiss data protection law and to process data only as instructed by the company. The cloud operator must be contractually bound by any legal confidentiality obligations. In the case of the major public cloud providers, it is usually not possible to negotiate an individual contractual framework. This means that, for some businesses and organizations (particularly those in the health care sector), it is not possible to use certain cloud solutions, especially in the public cloud, as confidentiality obligations cannot easily be imposed. To uphold confidential-ity obligations and protect professional secrecy, the only possible option is often to use a private cloud (that is, one managed by the company).

The cloud provider’s compliance with contractual and legal obligations should be monitored ac-cordingly. However, in the case of large cloud providers, such monitoring – for instance in the form of audits – is not possible. In-person checks can be replaced with a requirement to comply with internationally recognized security standards.

If personal data (Art. 3[a] FADP) are stored or processed in some other way in an external cloud, this constitutes data processing by a third party (Art. 10a FADP). In this situation, the company must be aware that it remains responsible for the processing and compliance with data protection regulations as concerns the personal data of the data subjects even when the data are transferred to the cloud. A cloud environment can allow unauthorized parties to access personal data. There is therefore the risk that:

1. Data may be deliberately or accidentally tampered with (breach of data integrity);
2. Data may be unintentionally disclosed, resulting in a breach of confidentiality obligations such as professional secrecy (breach of confidentiality);
3. Data may be lost or stolen as a result of technical influences or human intervention (breach of availability).

The situation is especially tricky if data are stored on servers in another country and hence are not adequately protected by data protection regulations, or there is a threat that foreign authorities may access the data. Storing data in Switzerland should always be preferred, but even then there is a risk of access by foreign authorities. Under the US CLOUD Act, which came into force in 2018, US providers with a base in Switzerland can be required by US law enforcement agencies to release data, which would constitute a breach of Swiss data protection law. This presents a risk that companies choosing a US cloud provider must bear.

The cloud offers a range of benefits that are almost indispensable in the modern world of work. To uphold its responsibilities under data protection legislation, a company must make sure that technical and organizational measures are taken so that the cloud meets the legal requirements. A company must be aware of which types of data it processes itself and which types are stored in the cloud. Any confidentiality obligations must be upheld. As a rule of thumb, only those data that are necessary should be processed in the cloud. The mere act of using the cloud increases the potential for abuse. This means it is essential to define precisely who is allowed to access which datasets.

It is important to appreciate the risks in relation to the required data security and data privacy – and to raise employees’ awareness of these risks.