What legal framework conditions do Swiss financial institutions have to consider from a national and European perspective when using cloud service providers and what requirements does this result in for contract design?
In May 2021, the European Cloud User Coalition (“ECUC”), a pan-European stakeholder group of financial industry representatives, published its position paper with proposals for uniform requirements for collaboration with and outsourcing of data to Cloud Service Providers (“CSP”)[1]. The ECUC position paper contains proposals for agreements on technical and organisational measures, monitoring and enforcement to minimise risk. In the following, we provide a brief overview of the Swiss and European legal frameworks. Subsequently, you will find a list of the most important measures for risk minimisation as a checklist.
1. The Swiss and European legal framework
a. Data protection Switzerland and Europe:
If personal data is involved when data is outsourced to a CSP[2], Art. 6 and 8 of the revised Swiss Data Protection Act (“nDSG”) and Art. 5 of the General Data Protection Regulation (“GDPR”) stipulate that data processing must be purposeful, proportionate and secure. The requirements for “commissioned data processing” are set out in Art. 9 nDSG and Art. 28 GDPR, according to which the controller must ensure, by means of careful selection, instruction and monitoring, that the commissioned processor only carries out the data processing defined by the controller and that the controller remains able to fulfil its data protection obligations[3]. According to Art. 9 para. 3 nDSG and Art. 28 para. 2 sentence 2 GDPR, the involvement of a third-party subcontractor is only permissible with the approval of the data controller; see also FINMA Circular 2018/3, para. 33: “The company shall ensure that it is informed in good time about the involvement or change of subcontractors performing essential functions and has the possibility to terminate the outsourcing in an orderly manner in accordance with No. 18.1”[4]. Finally, in the case of data transfer abroad, an adequate level of data protection must be guaranteed under Art. 16 nDSG and Art. 45 GDPR, or corresponding guarantees must have been concluded in accordance with Art. 46 GDPR[5].
b. Confidentiality obligations Switzerland:
In addition to the data protection requirements, which can be fulfilled by means of corresponding contractual agreements with the CSP regarding purpose, proportionality and security as well as the correct geographical “setup” with regard to data transfer and storage, there are also the requirements for maintaining professional secrecy, which for financial institutions arise in particular from Art. 47 BankG, Art. 69 FINIG and Art. 321 StGB.
In the context of these explanations, banking secrecy under Art. 47 BankG is of particular interest. It presupposes a “disclosure”, in the sense of a third party actually obtaining knowledge of data or information entrusted to the bearer of the secret (the financial institution) in that capacity. This means that an unauthorised person has gained access to the data “in plain text”, i.e. unencrypted, and that the person holding the secret has caused this by breaching a duty of care (Art. 12 para. 3 StGB), i.e. the disclosure was foreseeable and avoidable for him[6]. The overall result is that, according to the current state of opinion, the use of CSP services, and a related unencrypted data transfer, even abroad, is not punishable under Art. 47 BankG[7], provided that technical and organisational measures have been taken to protect against access by unauthorised persons[8].
The primary criterion for the involvement of a third party is not the qualification of the third party (whether, under the wording of the relevant provision, it counts as an auxiliary person or as a third party), but that data security and control continue to exist[9]. This is also regularly advocated for data processing abroad[10].
The extent to which data protection and security precautions are to be taken must be assessed on a case-by-case basis according to the respective risk. In assessing the risk, one can fall back on the principle that data security must be “risk-adequate” and that all measures must be taken which are highly likely to prevent a disclosure that would be expected in the ordinary course of events[11], or on the view that the bank has fulfilled its due diligence obligations if it concludes after “careful examination” that “in the foreseeable course of events in normal operations” no disclosure will take place[12].
The assessment of a disclosure risk is then made according to service model[13], or using a statistical probability model[14].
As a general rule, a robust contract must be concluded with the CSP that contains clear responsibilities as well as security measures, access and control rights[15].
This has also been addressed and summarised accordingly by the ECUC in its position paper. The following catalogue of measures is based on these recommendations and goes into more detail on individual points:
c. European legal framework and recommendations for contract design
The European Banking Authority, which formulates standards for outsourcing with its “EBA Guidelines on Outsourcing”, including the requirements for “critical infrastructure” according to Directive 2014/65/EU (MiFID II), focuses on similar points[16] to the European Cloud User Coalition[17]; all of them are summarised in the checklist below.
Also worth mentioning in this context is the “Digital Operational Resilience Act” (“DORA”) scheduled for 2022, with which the European Union aims to consolidate the existing national regulations in the area of digitalisation of the financial sector, in particular digital or information and communication technologies (ICT), including the EBA Guidelines. The regulatory points again correspond to the list below. With DORA, the regulations for ICT risk management and reporting in particular are to be harmonised and their examination placed under the supervision of a supervisory authority[18].
For Switzerland, FINMA has laid down principles for the handling of electronic client data in Annex 3 of its Circular 2008/13[19].
The list of regulatory provisions and plans above shows that there are a large number of individual risk and regulatory points that need to be consolidated. In our shop you will find a free checklist in German with a collection of the points requiring regulation that should be included in a contract with a CSP.
Footnotes and comments
[1] The term “cloud service provider” is not legally defined in the ECUC position paper, but refers to three different “operating models” that are widely used to define “cloud services”, see: European Cloud User Coalition (ECUC): Position Paper Requirements for standardisation of compliant use of public cloud technology in regulated European financial institutions, Version 1.0, 12 May 2021, p.6.
The Swiss Bankers Association also bases its definition on this model: “Cloud computing is a model of computing that provides convenient on-demand access to a shared pool of configurable computing resources (e.g. networks, servers, storage systems, applications and services) over a network, anytime, anywhere. These can be made available quickly and with minimal administrative effort or service provider interaction. The cloud can be used in three variants (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)). The type of cloud differs depending on the type of provision (private cloud, community cloud, public cloud, hybrid cloud). Cloud banking in this context is defined as the provision and delivery of banking and financial services based on cloud technology.” in: Swiss Bankers Association, “Cloud Leitfaden Wegweiser für sicheres Cloud Banking”, June 2020, 2nd edition, p.8.
Note: The distinction between service variants and the characteristic of using external data networks via so-called “cloud providers”, as opposed to the provision of an own IT infrastructure, is also used here as a definition; the criterion of “mature” cloud solutions is cited as well, but is not explained in more detail, see: Laux, Dr. Christian; Hofmann, Alexander; Schieweck, Mark; Hess, Dr. Jürgen: “Rechtsgutachten Nutzung von Cloud-Angeboten durch Banken: Zur Zulässigkeit nach Art.47 BankG, zugleich Diskussionsbeitrag aus Anlass der Publikation eines Cloud-Leitfadens der Schweizerischen Bankenvereinigung (SBVg) zum Einsatz von Cloud-Dienstleistungen durch Banken und Effektenhändler”, 14 February 2019, p.III, 27.
[2] See Rosenthal on the definition of “cloud provider”: “This refers to an intra-group or external provider of IT-related services that stores and processes the information entrusted to it using a cloud-based infrastructure.” In: Rosenthal, David: Mit Berufsgeheimnissen in die Cloud: So geht es trotz US-CLOUD Act, in: Jusletter 10 August 2020, p.5.
[3] It is assumed that the CSP in cloud banking qualifies as a processor, see Schwaninger, David; Merz, Michelle: Cloud Computing: Selected Legal Problems in the Cloud 2.0, in: Jusletter 21 June 2021. On the questions of delimitation, see Rosenthal, David; Epprecht, Barbara: Banken und ihre datenschutzrechtliche Verantwortlichkeit im Verkehr mit ihren Dienstleistern, in: Susanne Emmenegger (ed.), Banken und Datenschutz, Basel 2019, p.130 (http://www.rosenthal.ch/downloads/Rosenthal-Epprecht-ControllerProcessor.pdf), accessed 15 Dec. 2021.
[4] FINMA Circular 2018/3 on outsourcing at banks and insurers, para. 33.
[5] Transfer abroad (admin.ch). The FDPIC points out that even the use of standard contractual clauses does not prevent foreign authorities from accessing personal data: Positionspapier_PS_EDÖB_DE.pdf.
[6] Rosenthal, David: Mit Berufsgeheimnissen in die Cloud: So geht es trotz US-CLOUD Act, in: Jusletter 10 August 2020, p.6 and 29, as well as Laux, Dr. Christian; Hofmann, Alexander; Schieweck, Mark; Hess, Dr. Jürgen: “Rechtsgutachten Nutzung von Cloud-Angeboten durch Banken: Zur Zulässigkeit nach Art.47 BankG, zugleich Diskussionsbeitrag aus Anlass der Publikation eines Cloud-Leitfadens der Schweizerischen Bankenvereinigung (SBVg) zum Einsatz von Cloud-Dienstleistungen durch Banken und Effektenhändler”, 14 February 2019, p.5.
[7] Reference is also regularly made here to the will of the legislator, who wanted to enable third parties, in particular data centres, to be included in the bank’s risk sphere in a world with an increasing division of labour, see: Günter Stratenwerth, Art. 47 para. 7, 15 in: Rolf Watter, Nedim Peter Vogt, Thomas Bauer, Christoph Winzeler, Basler Kommentar zum Bankengesetz, 2nd edition, Helbing Lichtenhahn Verlag, 2013, and Laux, Dr. Christian; Hofmann, Alexander; Schieweck, Mark; Hess, Dr. Jürgen: “Rechtsgutachten Nutzung von Cloud-Angeboten durch Banken: Zur Zulässigkeit nach Art.47 BankG, zugleich Diskussionsbeitrag aus Anlass der Publikation eines Cloud-Leitfadens der Schweizerischen Bankenvereinigung (SBVg) zum Einsatz von Cloud-Dienstleistungen durch Banken und Effektenhändler”, 14 February 2019, p.9, as well as the reference to the Botschaft über die Revision des Bankengesetzes (Dispatch on the revision of the Banking Act), BBl 1970 1182, in: Federal Court Judgment, Criminal Division, 10 October 2018, 6B_1314/2016, 6B_1318/2016 (“Elmer case”).
[8] For the state of opinion, see Rosenthal, David: Mit Berufsgeheimnissen in die Cloud: So geht es trotz US-CLOUD Act, in: Jusletter 10 August 2020, pp.7-10. Note: The requirements range from the consent of the person holding the secret (see Wohlers, Wolfgang: Outsourcing durch Berufsgeheimnisträger, in: digma – Zeitschrift für Datenrecht und Informationssicherheit, 2016) to a “reasonable interest” of the bank and no conflicting client agreement (see Walder Wyss AG; Isler, Michael; Kunz, Oliver M.; Müller, Thomas; Schneider, Jürgen; Vasella, David: Zulässigkeit der Bekanntgabe von Bankkundendaten durch schweizerische Banken an Beauftragte im Ausland unter Art. 47 BankG, dated 15 February 2019, submitted to the Swiss Bankers Association (SBA), p.4), up to the approach that an “implicit consent” of the bank client with regard to the division of labour, including the involvement of a CSP by the bank, is to be assumed (see Laux, Dr. Christian; Hofmann, Alexander; Schieweck, Mark; Hess, Dr. Jürgen: “Rechtsgutachten Nutzung von Cloud-Angeboten durch Banken: Zur Zulässigkeit nach Art.47 BankG, zugleich Diskussionsbeitrag aus Anlass der Publikation eines Cloud-Leitfadens der Schweizerischen Bankenvereinigung (SBVg) zum Einsatz von Cloud-Dienstleistungen durch Banken und Effektenhändler”, 14 February 2019, p.11).
[9] Rosenthal, David: Mit Berufsgeheimnissen in die Cloud: So geht es trotz US-CLOUD Act, in: Jusletter 10 August 2020, p.14.
[10] Rosenthal, David: Mit Berufsgeheimnissen in die Cloud: So geht es trotz US-CLOUD Act, in: Jusletter 10 August 2020, p.20, as well as Laux, Dr. Christian; Hofmann, Alexander; Schieweck, Mark; Hess, Dr. Jürgen: “Rechtsgutachten Nutzung von Cloud-Angeboten durch Banken: Zur Zulässigkeit nach Art.47 BankG, zugleich Diskussionsbeitrag aus Anlass der Publikation eines Cloud-Leitfadens der Schweizerischen Bankenvereinigung (SBVg) zum Einsatz von Cloud-Dienstleistungen durch Banken und Effektenhändler”, 14 February 2019, p.15, and Walder Wyss AG; Isler, Michael; Kunz, Oliver M.; Müller, Thomas; Schneider, Jürgen; Vasella, David: Zulässigkeit der Bekanntgabe von Bankkundendaten durch schweizerische Banken an Beauftragte im Ausland unter Art. 47 BankG, dated 15 February 2019, submitted to the Swiss Bankers Association (SBA), p.24. The SBA also considers its principle of “over-the-border-out-of-control”, under which CID (personal identifying data) would neither be held outside of Switzerland nor be accessible from outside, as outdated, see: SwissBanking: Cloud-Leitfaden Wegweiser für sicheres Cloud Banking, 2nd edition, June 2020, p.1.
[11] Rosenthal, David: Mit Berufsgeheimnissen in die Cloud: So geht es trotz US-CLOUD Act, in: Jusletter 10 August 2020, p.30, 33.
[12] Laux, Dr. Christian; Hofmann, Alexander; Schieweck, Mark; Hess, Dr. Jürgen: “Rechtsgutachten Nutzung von Cloud-Angeboten durch Banken: Zur Zulässigkeit nach Art.47 BankG, zugleich Diskussionsbeitrag aus Anlass der Publikation eines Cloud-Leitfadens der Schweizerischen Bankenvereinigung (SBVg) zum Einsatz von Cloud-Dienstleistungen durch Banken und Effektenhändler”, 14 February 2019, p.16.
[13] Laux, Dr. Christian; Hofmann, Alexander; Schieweck, Mark; Hess, Dr. Jürgen: “Rechtsgutachten Nutzung von Cloud-Angeboten durch Banken: Zur Zulässigkeit nach Art.47 BankG, zugleich Diskussionsbeitrag aus Anlass der Publikation eines Cloud-Leitfadens der Schweizerischen Bankenvereinigung (SBVg) zum Einsatz von Cloud-Dienstleistungen durch Banken und Effektenhändler”, 14 February 2019, p.18 et seq.
[14] On the likelihood of access abroad, see Rosenthal, David: Mit Berufsgeheimnissen in die Cloud: So geht es trotz US-CLOUD Act, in: Jusletter 10 August 2020, p.34 et seq.
[15] FINMA, Circular 2018/3, Outsourcing – banks and insurers, 21 September 2017, para. 30; FINMA, Circular 2018/3, Outsourcing – banks and insurers, 31 January 2017, p.39.
[16] European Banking Authority (EBA): Final Report on EBA Guidelines on outsourcing arrangements, 25 February 2019, p.9; for the risk assessment see p.40; the points “monitoring” and “governance”, documentation and control, as well as data security and business continuity upon termination, are also addressed there, p.27 et seq., and the most important points to be regulated contractually are listed on p.44. A partial list of the points to be regulated by contract can also be found in: Schwaninger, David; Merz, Michelle: Cloud Computing: Selected Legal Issues in the Cloud 2.0, in: Jusletter 21 June 2021, p.12 et seq.
[17] European Cloud User Coalition (ECUC): Position Paper Requirements for standardisation of compliant use of public cloud technology in regulated European financial institutions, Version 1.0, 12 May 2021.
[18] https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:52020PC0595&from=DE
[19] FINMA Circular 2008/13 Operational Risks – Banks, Annex 3, p.29 et seq.