The CLOUD Act & Swiss Neutrality. Switzerland Protects Your Data
Swiss Data Protection, the US CLOUD Act Solution
On 21 March 2018, the 115th United States Congress posted the full text of the Consolidated Appropriations Act, 2018. This so-called spending bill clocked in at 2,232-pages. Two days after its release, it became law.
There was no public debate.
Buried on page 2,212 was the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Yes, the US Congress tacked the CLOUD Act on to a must-pass spending bill that narrowly prevented a government shutdown.
With all the attention on the data and its meaning, one question often slides under the radar. How protected is it?
When this question inevitably rears its head, someone—maybe you—points to your organization’s encryption policies.
Encryption, the time-honored art of encoding sensitive information to protect it from unauthorized eyes, is a requirement for data security.
Recognizing the need for file, folder, and drive encryption, Microsoft added two encryption utilities. Introduced as part of Windows 2000, the encrypting file system (EFS) encrypts individual files and folders. Vista brought us BitLocker, which encrypts volumes. Each version of Windows builds on the next, offering additional cryptographic algorithms, certificates, keys, and supported file systems.
Learn how to elevate the productivity of your enterprise through secure collaboration.
To find out more about the CLOUD Act and its risks, download our free white paper
Officially, omnibus spending bills like this one let the US combine multiple budgets from multiple agencies and pass a single bill for them all. Unofficially, omnibus bills are where the US Congress hides things their constituents might object to like bridges to nowhere and fighter jets their Department of Defense neither asked for nor wanted.
The CLOUD Act expands US law enforcement access to data held by US companies to include data held on foreign soil and creates a process that allows select US allies to bypass the US Court system and present their requests directly to the service provider. There’s a reason they didn’t hold public debates.
Senator Wyden called the CLOUD Act’s protections “toothless.” Senator Rand Paul said it “fails to protect human rights or Americans’ privacy.” It passed 65-32. Wyden even voted for it.
For the US, this behavior is normal. If you don’t believe us, look at the US Patriot Act, which amended eleven other acts and allowed the US government to spy on their own citizens without due process. Like the CLOUD Act, it also passed in less than a week with little debate and no expert testimony.
US tech giants did not condemn the CLOUD Act. Instead, Microsoft, Google, Facebook, Apple, and Oath, which now Verizon Media, sent a joint letter to the US Senate supporting the legislation because it “protect(s) consumers’ rights.”
For anyone concerned about data privacy and security, the position of these tech giants and the US government is profoundly troubling and, possibly, part of a broader international trend.
In 2012, researchers discovered a hardware backdoor in two mobile devices manufactured by ZTE. At the time, ZTE was classified as one of China’s state-controlled enterprises. In October 2019, reports emerged that Study the Great Nation, an app promoted by the Chinese Communist Party, included a backdoor. Some believe the backdoor “was created and maintained by Alibaba or Alibaba Cloud.” There are also concerns among the international business community that China’s updated cybersecurity regulations, which go into effect on 1 December 2019, will subject their operations to these and other backdoors.
In 2017, a Russian court fined the messaging app Telegram when it refused to turn over the encryption keys. Australia’s Telecommunications Access and Assistance Act (2018) mandates that service providers give law enforcement access to encrypted communications. In other words, Australian wrote their backdoor requirements into law.
In this ever-changing environment, where protecting national interests often comes at the expense of privacy and freedom, you must ask yourself these key questions.
- Who owns the app?
- In what country is the app-provider based?
- Do they store their data on servers owned by a US, Russian, or Chinese company?
- Will they store your data in one of the above countries?
- How protected are you by the data storage country and the app provider’s national laws?
- If you’re a foreign national, do you have any protections under these laws, or are you a second-class citizen?
Swiss Data Protection and Privacy
Adeya is a Swiss company. When you use Adeya On-Cloud, we store your data in Switzerland. If you use Adeya On-Premise, your data resides on infrastructure you control.
In Switzerland, neutrality and privacy are at the core of our national identity. We are the oldest neutral country in the world. Our “perpetual neutrality” is formally recognized by multiple international treaties. We maintained it through two world wars.
We did not join the EU because doing so would compromise our sovereignty and our neutrality. We do not compromise on our principals.
Switzerland enshrined the right to privacy in our constitution. The idea that private information should remain private is an intrinsic part of our culture and our laws.
Initially passed in 1992, the Federal Data Protection Act (DPA) with its ordinances, including the Ordinance to the Federal Act on Data Protection (DPO) and the Ordinance on Data Protection Certification (ODPC), established with current European Legislations one of the world’s strictest data protection and privacy regimes.
Our lawmakers also understand that technology evolves and regularly update our laws to reflect these changes. That’s why the Schengen Data Protection Act enacted in 2019 added genetic and biometric data to the list of protected sensitive personal data.
Unlike GDPR, which only protects personal data belonging to a natural person, the DPA applies to personal data belonging to natural or legal persons. In other words, the DPA protects both you and your organization.
DPA protections include:
- mandating data controllers and processors follow privacy by design principals,
- requiring data breach notification,
- requiring security, technical, and organizational measures to protect your sensitive information from loss, errors, theft, and unauthorized access, and
- mandating data controllers either designate a data protection officer or register their data files.
What Switzerland Doesn’t Do
If you’ve read our CLOUD Act whitepaper, you’re probably wondering what restrictions, if any, Switzerland places on electronic intelligence gathering and law enforcement.
In the wake of the PRISM scandal, the EU elected to incorporate greater privacy protections than initially planned into the proposal that later became GDPR. Although they rightly condemned the US for the mass surveillance program, they said little about the UK, which participated in the program as part of the Five Eyes network. At the time, the UK was an EU member-state.
Unlike the US, Switzerland does not have secret courts like the FISA Court nor does it employ tactics like national security letters. Furthermore, under Swiss law, there are no requirements for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide law enforcement authorities with encryption keys.
Switzerland’s Blocking Statutes
Our blocking statutes, primarily Articles 266, 271, and 273 of the Swiss Criminal Code, are infamous among foreign law enforcement and intelligence officials. Most recommend approaching other companies in other jurisdictions and seeing if they have the data first. They say Swiss companies are “difficult.”
Consider this. If a US company receives a data request, it will most likely comply. For example, from July through December 2018, Facebook produced data for 73.1% of all requests worldwide, 88% for US requests.
Swiss laws and courts err on the side of privacy, not corporate advertising dollars or national security fishing expeditions. Under the blocking statutes, if a Swiss company discloses information improperly, especially to a foreign entity, their board members risk fines and imprisonment. Switzerland does not encourage blind compliance with data requests.