Can Donald Trump effectively access all our data? 

 

Since the outbreak of the war in Ukraine and Donald Trump’s return to the presidency, the debate on digital sovereignty has once again come to the forefront of public awareness. Europe’s dependence on large US technology companies is undisputed and raises two key questions: On the one hand, there is concern that political decisions made by the US, such as targeted trade sanctions, could severely affect entire countries by forcing US IT providers to suspend their services. On the other hand, there is the accusation that US authorities could access data stored abroad at any time. 

The two issues must be considered separately: economic dependence affects political interests, while lawful access follows clear legal procedures such as the US CLOUD Act. The discussion about digital sovereignty is often conducted using buzzwords that do not clearly distinguish between economic policy risks and legal access options. In fact, these are two separate issues. 

 

Sovereignty 

Economic dependence on US IT providers is particularly evident in the so-called lock-in effect, which arises when switching to another provider is difficult due to technical incompatibility, organisational complexity or financial burden, or when there are simply few viable alternatives from a technical perspective. Microsoft Office is often cited as an example here. However, the risk of this lock-in effect being used as a political lever is not limited to the use of US providers. Comparable dependencies can also arise within Europe, and Switzerland would have to question the use of IT providers from the EU as well. 

Both the US, in the wake of the tax dispute, and the EU have already used economic leverage for political purposes. The withdrawal of stock market equivalence or the exclusion of Switzerland from the EU’s Horizon research programme were not legal but political decisions. An exclusive focus on open source solutions is not enough, as there are also limitations in terms of scope of application, operational efficiency and support. In addition, many open-source initiatives are in turn supported by foreign countries. Ultimately, it is essential to define emergency and migration scenarios as part of infrastructure planning in order to ensure one’s own ability to act in an emergency. Unfortunately, however, emergency and migration planning is generally neglected. 

 

Government access 

From a legal perspective, the US CLOUD Act is particularly relevant in the context of access by authorities. Enacted in 2018, this US federal law expands the Stored Communications Act and authorises US authorities to request electronic data from US service providers in criminal investigations under certain conditions, even if this data is physically stored outside the United States. The scope of application is limited: it concerns criminal offences and terrorist activities as well as any connection to the US, whereby the US connection is a relatively minor hurdle. Any disclosure also requires a court order, either in the form of a warrant or a subpoena. This dispels the often populist notion that the US president can call the CEO of a tech company directly and demand data. It is wrong to claim that there is no longer any legal protection at all. Unless, of course, one considers the American legal system to be corrupt per se. What is true is that the US CLOUD Act allows the traditional route via international mutual legal assistance treaties (MLAT) to be circumvented. The US Department of Justice continues to recommend in its guidelines that MLATs be used whenever possible. Incidentally, European and Swiss criminal procedure law provides for similar mechanisms, whereby the accused is also not directly informed about the disclosure of data to third parties and can only defend themselves against it after the fact. FISA, on the other hand, primarily concerns intelligence activities in the area of national security and also allows for broad surveillance measures in this context, but only after approval by the Foreign Intelligence Surveillance Court. What both laws have in common is that providers have the option of seeking legal remedies. Incidentally, the EU has introduced a regulation comparable to the US CLOUD Act in the form of the e-evidence regulation. IT providers offering services in the EU can also be requested by EU criminal authorities to disclose data, even if the server is located abroad. In all cases, these procedures are limited to criminal proceedings; general, unwarranted data requests are not legally permissible. For the average citizen, the risk of their personal data ending up with a US criminal authority due to an order under the US CLOUD Act remains low. 

 

Privacy Framework 

Switzerland, like the EU, has issued an adequacy decision based on the Data Privacy Framework (DPF) that deems data transfers to certified US companies to be compliant with data protection regulations. Although these companies remain subject to US law and thus also to the US CLOUD Act, this has been explicitly taken into account in the adequacy assessment. The claim that the US CLOUD Act should not be taken into account in the adequacy decision because data is requested outside the US fails to recognize that the US parent company is the addressee of such an order. Within the company, an internal announcement is made before the data is passed on to the criminal authorities. The political fragility of this regulation remains problematic, as the DPF is based on an executive order and can therefore be revoked by a US president at any time. In addition, several proceedings are underway in the EU that question the legality of the adequacy decision. In a recent decision, the lower ECJ instance upheld the adequacy decision, but the decision can still be appealed, and it is not yet certain whether the DPF will actually remain in force. 

 

Risk management 

From a risk management perspective, it is striking that the debate about possible access by authorities continues to receive disproportionate attention. Based on statistical surveys of hyperscalers, the probability of this occurring is extremely low for business customers. In addition, in the event of access, there is a legal remedy that opens up possibilities for providers to defend themselves. Cyberattacks, on the other hand, occur at a much higher frequency, often without warning and without the possibility of legal recourse. Nevertheless, they have far less resonance in political and public debate. When several Swiss cantons introduced Microsoft 365, there was considerable political resistance due to potential access by US authorities. Recently, the IT system provider Miljödata fell victim to a ransomware attack, which severely affected 200 municipalities and regional administrations in Sweden. Here, however, the public reaction was muted and largely limited to experts. Such a case could also occur in Switzerland. Against this backdrop, it is worth rethinking the prioritization of risks and not just reacting to geopolitically charged worst-case scenarios, but investing resources and attention where the probability of occurrence and potential for damage are highest.