This article is by François Charlet, a lawyer specialising in data protection. He seeks to draw attention to some of the legal issues in play when personal or company data is hosted by an external IT provider.

When choosing a provider for a particular service, we want the best services at the best price – something that applies right across the board, from mobile telephony to crafts and education to sport. IT services are expanding rapidly and the market is highly competitive. It’s no secret that the market is currently dominated by American behemoths such as Microsoft and Amazon, but local players are managing to hold their own. There are very good reasons for going for the services of large companies based abroad, but, equally, there are excellent reasons for choosing a Swiss company.

Why is the hosting location important?

Beyond the commercial or customer service aspects – a provider that’s geographically close is likely to be more responsive and able to offer an adapted or even bespoke service – the question surrounding the physical storage location of the data is of real importance: there may be particular legal consequences, e.g. the data could be at risk of sequestration by foreign authorities. This risk doesn’t go away if the data is stored in Switzerland, but the foreign authorities would have to go through international judicial cooperation mechanisms, and it would be for the Swiss authorities to implement any measures. Moreover, it’s easier to defend oneself legally in one’s own country, as we shall see below.

Switzerland enjoys an excellent reputation internationally and among its citizens, so why not take advantage of it? When services are offered in Switzerland, people here are often surprised to know that their data (whether personal or not) is not necessarily stored in this country. As for foreigners, they’ll generally look favourably on the fact that the place where the information is stored is Switzerland – based on the country’s legal and political stability and, more generally, its good name. A note of caution, however: it may well be the case that some providers install their servers in old Swiss Army bunkers, but this rather tenuous benefit will rarely be a real buying argument for the overwhelming majority of customers. What’s more, this type of service is most useful when it comes to archiving data, less so for day-to-day processing.

A local provider for local law

The location of the data is important, but so is the law to which the service provider is subject: in the event of a dispute, particularly a civil one where there are differences of interpretation of a contract, it’s reassuring to initiate proceedings before courts whose procedure is not totally foreign to us and which apply the law to which we’re subject on a daily basis – provided, of course, that the service contract doesn’t specify the jurisdiction and law of a foreign country. Moreover, a legal expenses insurer is less likely to want to fund litigation abroad (assuming litigation isn’t excluded from its terms and conditions).

The same applies to criminal proceedings. Some readers will have heard of the famous CLOUD Act and all the nonsense that’s been said about it. Lots of people shun US providers because of this law, not knowing that a similar one applies in Europe and Switzerland, known as the Budapest Convention on Cybercrime. If, for instance, the French, German or American authorities suspect that information relating to a crime is on a server located on Swiss territory, the Swiss authorities can order the IT service provider to share the information it has in its possession or under its control with the foreign authorities. Similarly, under Swiss law, if a Swiss-based service provider stores data abroad, the Swiss authorities can order it to disclose this information to them.

Hosting in Switzerland but transfer abroad?

Contracts often include a clause covering the “temporary transfer” of data, personal or otherwise; although the data is stored in Switzerland, it’s common for it to have to transit through servers abroad for various processes before returning to the Swiss servers for storage. This situation often arises with global IT providers, less so with local players.

This aspect is important because if the customer has personal data processed by the IT service provider and this data is transferred abroad – even if it isn’t stored there – the customer must ensure that the transfer is legal under the (new) Federal Data Protection Act or even the GDPR, and inform the persons concerned of this transfer. The new Federal Data Protection Act will require this information to contain the name of the state(s) to which the personal data is transferred.

New Federal Data Protection Act

You often saw people on the internet and in the media praising the old act and the very secure Swiss legal framework for personal data, and encouraging individuals and companies to host their data in Switzerland. But these voices have been silenced since the GDPR came into effect in the European Union and drastically increased the requirements for companies from all over the world seeking to offer services to Europeans or to be subcontractors of European companies.

These voices will be heard again, but without the hot air: Switzerland’s new Data Protection Act, passed in autumn 2020 but whose date of enactment remains unclear, contains a raft of new measures charging Swiss companies with more responsibilities, particularly in regard to transparency and governance. As a consequence, the argument that personal data was better protected in Europe than in Switzerland will no longer hold true, as all Swiss IT providers that were not subject (legally or contractually) to the GDPR until now will be subject to the stricter regime of the new Federal Data Protection Act.

The latter reinforces the transparency obligation of data controllers, imposes the application of the “privacy by design and default” principle and the implementation of impact analyses, and provides for the notification of data (security) breaches to the Federal Data Protection and Information Commissioner.

Providers with proprietary solutions

Often, IT providers offering hosting as a service will also offer technical support for the installation of a CMS or e.g. certain facilities to accomplish this in a guided and automated way. IT solutions offered under this scenario are typically sourced from third-party suppliers, who handle the maintenance, updates and security of their solutions. The host isn’t involved, which means that it cannot help its customers correct bugs, errors or security flaws in these solutions.

Conversely, if the host is also a developer of IT solutions which it offers its customers, they benefit from a service that goes beyond mere hosting. Here, the IT service provider has greater responsibilities vis-à-vis its customers, but it will in principle be able to respond to their requests for modifications of the services offered. The service provider won’t necessarily develop its own tools from scratch, but will often use open-source solutions tailored to its IT systems, the needs of its customers and its service offer. Under this scenario, it benefits from developments of the open-source code made by the community (and can contribute to them) while remaining master of the solution it offers. Another factor in favour of using a local provider that develops its own tools is the law on espionage to which it is subject. By using proprietary solutions developed abroad, users may be exposed to “backdoors” installed at the request of a foreign authority (see this RTS report). However, as the local provider will usually have no choice but to use IT technologies and infrastructure developed and manufactured abroad (servers, operating systems, etc.), the above aspect loses its strength despite remaining of interest. There are, of course, exceptions.

Conclusion

All of the above offers the local IT provider greater independence and, generally, also requires it to have greater control over the data entrusted to it by its customers. The provider may be protected from certain hacking attacks that target massively used infrastructure and solutions. Depending on the subcontractors it uses, it will often be able to ensure that its customers’ data is not transferred abroad or accessed by persons abroad. In the event of a dispute, the customer will in principle benefit from a place of jurisdiction in Switzerland and the applicable law will be Swiss law, with its de facto guarantees of a fair hearing and local courts.

The author of this article has remained independent and has not been subjected to any request or pressure from Infomaniak Network SA, of which he is, in fact, a customer.