The City of Zurich uses Cloud Services within its Municipal Administration
Zurich, 13 July 2022.
Resolution of the City Council of the City of Zurich (STRB Nr. 670/2022): Cloud services can be used by the administration of the City of Zurich. In its resolution, the City Council relies on a legal opinion by Laux Lawyers AG on whether cloud use is lawful.
The service department “Organization and Information Technology of the City of Zurich” (OIZ) provides a standardized city-wide service offering (SSA) for use by the other organizational units of the City of Zurich. The city council has now decided that OIZ can provide this by relying on cloud services. The City of Zurich should be able to use external cloud services in a legally compliant and secure manner, in particular to also benefit from innovations and/or cost advantages.
To this end, the City Council has issued a new “Guideline for the use of cloud services for standardized city-wide service offerings” (Guideline Cloud SSA) that came into force on 1 August 2022. The Guideline Cloud SSA sets out the obligations of the OIZ and of the other organizational units of the city of Zurich when it comes to the use of external cloud services. The organizational units of the City of Zurich must use the SSA even if cloud services are part of it.
The cloud services provided by OIZ for the entire city administration must meet high data protection and security requirements. In this respect, the resolution of the City Council permits the central IT services to be used for data requiring special protection (incl. professional and official secrets), even if cloud services are part of the offering. OIZ must, however, meet the conditions set out in the resolution when offering IT services that include cloud services.
Legal opinion of Laux Lawyers AG discussing the US CLOUD Act.
The City Council bases this decision on the legal opinion “Rechtmässigkeit von Public Cloud Services – Cloud-Gutachten unter Berücksichtigung des CLOUD Act” submitted by Laux Lawyers AG on 16 September 2021.
The OIZ must ensure that Cloud SSAs generally benefit from a security level referred to as the «Basic Protection+» level (Basisschutz+). This security level, created specifically for Cloud SSAs, exceeds the basic protection requirements of the Handbook for Information Security (HISi) and the other standards in use by implementing additional legal, technical and organizational measures.
This approach thus ensures that the Cloud SSA providers meet all legal and infrastructure requirements that may arise from data protection law, including those relating to special personal data (§ 3 IDG/ZH) and official secrecy. If the OIZ confirms the protection level Basic Protection+, the Cloud SSA can be used by the organizational units of the city of Zurich for the processing of data requiring special protection, in particular also for special personal data and information subject to the duty of confidentiality in accordance with the rules protecting the official secrecy obligations.
The City Council, as the principal political body, expressly authorizes the use of Cloud SSAs. This authorization operates as a written consent for the disclosure of secrets without penalty, insofar as the cloud use should amount to such a disclosure (Art. 320 para. 2 of the Swiss Criminal Code), and is furthermore an authorization for the processing of special personal data as provided for under the laws of the Canton of Zurich (§ 25 Para. 3 IDV/ZH).
Organizational units with a special situation
The organizational units do not have to worry about the technical configuration of the Cloud SSA, nor about the organizational and contractual measures assessed by the OIZ. They also do not need to be involved in the controls that OIZ applies on a continuous basis; rather, they may rely on those controls. Only to the extent that an organizational unit is special, and that OIZ has not anticipated such a special situation (referred to as a «Sondersituation» in the decision of the City Council), must the organizational unit initiate further evaluations (which, however, will often not be overly voluminous).
Organizational units that identify special requirements for themselves («Sondersituation» confirmed) check, possibly together with OIZ, whether these special requirements are covered by the measures that come with «Basic Protection+». If they are not, the necessary measures are determined together with the OIZ. Thus, only organizational units with a genuinely special need must check additional requirements. In principle, the City Council decision is effective for the entire city administration.
Approval and institutional assurance of the orderly conduct of business
The City Council resolution is an expression of the political will to use cloud services. It also serves the purpose of the City Council to protect its administration, i.e. the personnel. Administrative staff should not be at risk of criminal liability because they are implementing a decision that is politically wanted. The risk of criminal liability does not exist, as the legal opinion has shown. However, sometimes just discussing an issue can have an intimidating effect, which can lead to delays in a project. The City Council resolution protects against such project delays. The City Council’s resolution acts as an institutional safeguard for the proper conduct of business by the City of Zurich and, in this form, is trend-setting for Switzerland. Thus, the procedure of the City of Zurich can serve as a model for other authorities at various administrative levels throughout Switzerland.
Do special professional secrecy obligations trigger a so-called «Sondersituation»?
In various scenarios, federal and cantonal laws mention special (administrative) secrecy rules that are established to respond to special circumstances. One could believe this would amount to a so-called «Sondersituation» (as per the legal memorandum, in the event of a «Sondersituation», further measures would need to be undertaken by the organizational unit of the City of Zurich).
The authors of the legal opinion have provided clarifying statements to cover these and related aspects. These comments and related earlier work show that so-called special secrecy obligations do not per se trigger a «Sondersituation», but are only intended to clarify the main rule (the main rule declaring that a secret should not be actively “divulged” to third parties).
Such special legal rules have no effect on the discussion about the cloud, since cloud use is not about divulging secrets (dogmatically: it is not about the content layer), but about organizing data (code layer) on technical IT infrastructures (physical layer). In most cases, therefore, no special treatment is needed, even in the presence of special rules of confidentiality (there is a separate fact sheet on this, which is attached to the published legal opinion).
It can thus be concluded that the threshold for a «Sondersituation» to exist is very high, and that it is usually not exceeded even if there are such special secrets. As a consequence, no additional clarifications will need to be made in this respect. In other words, a «Sondersituation» should not be assumed lightly.
Content and results of the legal opinion
After a thorough and comprehensive examination of all aspects of data protection, administrative and secrecy law, as well as a detailed analysis of access by authorities abroad (namely in the USA, with a special excursus on the processes surrounding the US CLOUD Act), the legal opinion comes to the following conclusions:
- Organizational units of the City of Zurich may use public cloud offerings. For information covered by special rules requiring a special protection, they must select mature providers with technically mature solutions.
- If information that is subject to official secrecy obligations is to be outsourced, solutions must be selected in which, according to general life experience and the normal course of events, there will be no access to plain text (i.e. information will not be viewed by employees of the cloud provider, for example). Whether the organizational unit may assume this depends on whether such access protection is sufficiently safeguarded by technical and organizational measures.
- In addition, suitable contractual measures should be taken to appoint the selected cloud provider as an auxiliary. Specifically, this is about the integration of the cloud provider as an auxiliary. This is a safety anchor in the event that plain text accesses could take place in individual cases (e.g. in support situations) despite suitable measures.
- In addition, the City Council resolution acts as a further institutional safeguard for the proper conduct of business of the City of Zurich, for it has authorizing effect for the acting persons in the sense of Art. 320 para. 2 of the Swiss Criminal Code and § 25 para. 3 IDV/ZH.
- It does not constitute a breach of official secrecy if a Swiss law enforcement agency accesses data of the City of Zurich in Switzerland. However, the City of Zurich will first attempt to point out its official secrecy and to avert the seizure of such data or subsequent access.
- The same applies with regard to threatened access to data of the City of Zurich by law enforcement authorities in the USA. The existence of the US CLOUD Act and of other data accesses by foreign law enforcement agencies does not represent an obstacle to the City of Zurich going “into the cloud”, even from a conceptual point of view.
- A U.S. court would protect a foreign state (and the City of Zurich is understood to be one). Before any plaintext access occurs, the City of Zurich would be directly addressed. This results not only from significant case law, but also from a US law, the so-called Foreign Sovereign Immunities Act (FSIA).
- A public authority like the city of Zurich in particular is very well protected against access by public authorities in the USA – even if it stores data in IT infrastructures of a US cloud provider. In addition, purely quantitative empirical values show that the problem very rarely arises.
- Even more important than this, however, is the analysis under Swiss law: under Swiss law, the City of Zurich is under no guarantor obligation to always and in every event exclude every possibility that a foreign law enforcement agency would access its data.
- In summary, the risk of criminal liability of the City of Zurich or its employees or organs (members of the authorities) due to access by foreign authorities can be described as virtually non-existent.
Further articles on the topic:
- White Paper Public Cloud for Public Services: LINK
- Legal opinion on banking secrecy and cloud: LINK
- New EU standard contract clauses incl. SCC generator with DocIQ: LINK
Laux Lawyers AG is the legal services firm in Switzerland with the most extensive experience with highly complex cloud projects, including in regulated sectors (namely public sector, banking and finance, insurance, energy and healthcare).
We advise both providers and customers of cloud services. We support providers in designing and preparing the legally relevant documentation (in particular contracts, security documentation, data protection regulations) in a way that is appropriate for the target group. We offer comprehensive advice to customers of cloud services, starting with the purchase of strategically central software-as-a-service services up to the establishment of a complete cloud governance.
Laux Lawyers AG has made a name for itself through its straightforward and unbiased approach and advice. We provide detailed, authoritative and resilient advice, unafraid of unpleasant truths and always based on careful legal analysis.
Our advisors combine three components – law, technology and context – into an overall statement, which is the essence of IT law. The legally clean examination (law) is, where necessary and reasonable, paired with technical analysis (technology) and the advice is given in knowledge and consideration of the requirements arising from the specific situation of the client and her field of activity (“industry” or “public sector”) (context).
This leads to sustainability and long-term resilient positional references, even in areas that may seem new or in any case are not yet established everywhere. This is important because new developments – as is often the case in IT – often involve paradigm shifts that are not necessarily shared by society as a whole. Especially for the public sector this is of central importance.
We would be happy to support you as a public body in moving into the cloud. Please contact us for further information and reference projects: firstname.lastname@example.org.