In our recently published global paper “Getting Cloud Right – How can banks stay ahead of the curve?” we explained the key components of a successful cloud journey and the major steps that need to be undertaken.
In this blog we give some insights into international regulations that may impact the use of cloud services in Switzerland: the US CLOUD Act and the General Data Protection Regulation (GDPR).
The US CLOUD Act
The US has enacted a law called the CLOUD (Clarifying Lawful Overseas Use of Data) Act that requires service providers subject to US jurisdiction to hand over, on lawful request by US authorities, data in their possession, custody or control wherever in the world it is stored, even inside Switzerland. In theory, this would enable US authorities to request the extraction of data from the Swiss subsidiary of a US-domiciled group, even if the data is stored in Switzerland. However, a subsidiary of a US-based group that complies with such a request without regard to the local laws that prohibit the handover of data to foreign authorities without authorisation of a competent Swiss court or Swiss authority will most likely violate Swiss law. The data belongs to the bank, not to the cloud provider, and a legal entity domiciled in Switzerland must first and foremost comply with local law and not with orders issued by authorities with competence over a foreign parent entity.
It goes without saying that a Swiss bank can only rely on cloud service providers that adhere fully to the applicable Swiss laws (or the laws of the jurisdiction where the data is stored, in line with the contractual provisions). The SBA Cloud Guidelines therefore recommend putting in place a coordinated procedure, agreed between the cloud provider and the bank, for handling requests from foreign authorities.
To provide some needed clarification of the rationale behind the CLOUD Act, the US Department of Justice (DoJ) in April 2019 published a white paper “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act”. The white paper explains that the CLOUD Act was enacted to fix the conflicts of law that affect Mutual Legal Assistance Treaties and impede effective access to evidence hosted in the cloud in cases of serious crime, while still respecting national sovereignty and personal data privacy.
In order to achieve this purpose, the CLOUD Act authorises the United States government to enter into so-called “CLOUD Act Executive Agreements” with foreign jurisdictions, under which each country removes barriers arising from a conflict of laws that would create an obstacle to compliance with foreign-issued court orders to obtain evidence from data hosted on the cloud. Of particular interest to Swiss and European companies is the explanation in the white paper about US jurisdiction over foreign companies. The white paper insists that US jurisdiction over foreign companies has not been extended by the CLOUD Act. “Whether a foreign company located outside the United States but providing services in the United States has sufficient contacts with the United States to be subject to U.S. jurisdiction is a fact-specific inquiry turning on the nature, quantity, and quality of the company’s contacts with the United States.”
The fact that the DoJ made a significant effort to explain the reasoning behind the CLOUD Act, and highlighted that US jurisdiction is by no means expanded by it, is an important signal. It shows that the opinion often expressed, that the CLOUD Act makes it impossible for banks to use the services of US-headquartered cloud providers, is not correct. While international legal assistance in criminal cases will most certainly be facilitated by the CLOUD Act, US authorities still need a suspicion of a serious crime and legal process issued by a US court before they can reach out for data under the CLOUD Act. This means that the area of legitimate concern about the CLOUD Act is rather narrow and should be considered like any other aspect in a proper cross-border risk assessment.
In any case, a bank is generally able to prevent unauthorised access to customer data by using technical measures such as anonymisation, pseudonymisation or encryption of data. These measures only help against a foreign data request if the bank, and not the cloud provider, holds the pseudonymisation keys, the re-identification table and the encryption keys; a provider that can decrypt or re-identify the data on its own can also be compelled to hand over the plaintext. Note also that pseudonymised data remains personal data under the GDPR as long as the bank can re-identify it, so pseudonymisation reduces exposure but does not take the data out of scope. Together with the legal and contractual framework, these measures mean that the risk from foreign authority data requests, e.g. based on the US CLOUD Act, can be mitigated. Furthermore, an official request for administrative assistance from the involved authorities is mandatory in any case.
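The following is an added illustration of the pseudonymisation measure mentioned above; it is not code from this blog or from any provider or guideline. It assumes a bank-held secret key (kept in the bank's own HSM or key management service) and an on-premises re-identification vault, and it uses constructed sample customer records. Only the tokenised records would be sent to the cloud provider; the key and the vault never leave the bank, so the provider cannot re-identify customers even when compelled to disclose everything it stores. Encryption of the remaining attributes with a bank-held key is a separate measure not shown here.

```python
"""Pseudonymising customer records before they leave the bank.

Added example, not code from the blog or from the SBA/EBA guidance.
Assumption: the key passed to export_for_cloud() and the returned vault
live on bank-controlled infrastructure; only the cloud records are uploaded.
All customer data below is constructed sample data.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

# Fields that directly identify a customer and must not reach the provider.
DIRECT_IDENTIFIERS = ("customer_id", "name", "iban")

# Constructed sample of what a core-banking extract might look like.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "A. Muster", "iban": "CH93 0076 2011 6238 5295 7",
     "balance_chf": 12500, "segment": "retail"},
    {"customer_id": "C-1002", "name": "B. Beispiel", "iban": "CH56 0483 5012 3456 7800 9",
     "balance_chf": 310000, "segment": "private"},
    {"customer_id": "C-1001", "name": "A. Muster", "iban": "CH93 0076 2011 6238 5295 7",
     "balance_chf": 12700, "segment": "retail"},  # same customer, later snapshot
]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic token: HMAC-SHA256 under the bank's secret key.

    Deterministic, so the same customer always maps to the same token and
    joins or aggregations still work in the cloud; keyed, so a party without
    the key cannot rebuild the token from a guessed customer ID.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def split_record(rec: dict, key: bytes) -> Tuple[dict, Dict[str, dict]]:
    """Split one record into (cloud_record, vault_entries).

    cloud_record carries a token plus non-identifying attributes only.
    vault_entries maps token -> original identifiers and stays on-premises.
    """
    cloud = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    token = pseudonymise(rec["customer_id"], key)
    cloud["customer_token"] = token
    vault = {token: {k: rec[k] for k in DIRECT_IDENTIFIERS}}
    return cloud, vault


def export_for_cloud(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Tokenise a batch; returns the uploadable records and the on-prem vault."""
    cloud_records: List[dict] = []
    vault: Dict[str, dict] = {}
    for rec in records:
        cloud, entries = split_record(rec, key)
        cloud_records.append(cloud)
        vault.update(entries)
    return cloud_records, vault


def contains_direct_identifier(cloud_rec: dict) -> bool:
    """Pre-upload check: no identifying field may be present in a cloud record."""
    return any(k in cloud_rec for k in DIRECT_IDENTIFIERS)


def reidentify(cloud_rec: dict, vault: Dict[str, dict]) -> dict:
    """Re-identification needs the on-prem vault; the provider never holds it."""
    identifiers = vault[cloud_rec["customer_token"]]
    attributes = {k: v for k, v in cloud_rec.items() if k != "customer_token"}
    return {**identifiers, **attributes}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: generated and stored in the bank's HSM/KMS
    cloud_records, vault = export_for_cloud(SAMPLE_RECORDS, key)
    print(json.dumps(cloud_records, indent=2))
    # The two snapshots of C-1001 share a token, so they can still be joined in the cloud.
    print(cloud_records[0]["customer_token"] == cloud_records[2]["customer_token"])
    print(reidentify(cloud_records[1], vault))
```

The pre-upload check in contains_direct_identifier() is the kind of control a bank would wire into its export pipeline so that a schema change cannot silently leak an identifier to the provider. Because the token is an HMAC rather than a plain hash, a provider or a foreign authority holding only the cloud records cannot confirm whether a given customer ID is present by hashing candidate IDs themselves.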
General Data Protection Regulation (GDPR)
The European Data Protection Board’s Guidelines 3/2018 on the territorial scope of the GDPR clarify Article 3 by stating that if a data controller outside the territorial scope of the GDPR uses a data processor in the EU, the data controller does not come within the scope of the GDPR merely because of that. The GDPR will however apply to the data processor to the extent that it is processing personal data as part of its services.
This means that the requirement to implement the GDPR does not extend to a Swiss bank (or any other non-EU resident bank) simply because it is using an EU-domiciled cloud services provider. On the other hand, many Swiss banks still fall within the scope of the GDPR under Article 3(2), because they offer services to customers resident in the EU.
In this context, it is worth mentioning that on 25 February 2019 the European Banking Authority (EBA) published its Revised Guidelines on Outsourcing Arrangements, with the aim of harmonising the outsourcing framework for all financial institutions within the scope of the EBA’s mandate. Affected banks will have to complete all outsourcing arrangements in line with these Revised Guidelines by 31 December 2021.
The EBA Guidelines state that outsourcing arrangements with cloud services providers must ensure that:
- Personal data are adequately protected and kept confidential, and that outsourced cloud infrastructures and services meet internationally accepted security and data protection standards;
- Business continuity and contingency plans have been devised. As a consequence, some cloud services providers might even be deemed critical or important in accordance with PSD2 or MiFID II;
- Appropriate traceability mechanisms are in place, aimed at recording technical and business operations. As the performance and quality of the outsourced cloud services, as well as the level of risk, depend largely on the ability of cloud services providers to protect the confidentiality, integrity and availability of data, and of their systems to process, transfer and store such data, tracing operations are also important for detecting and preventing cyber attacks; and
- EU Directives, national laws and contractual obligations are respected. Despite the Revised Guidelines, institutions should continue to respect the local regulations of every jurisdiction in which the outsourced cloud infrastructure or service has a footprint, as well as the applicable law in the country of origin of the cloud service provider.
In addition, cloud service providers must notify outsourcing institutions when sub-outsourcing critical or important functions to third-party providers. Furthermore, if this involves personal data, the prior written authorisation of the data controller is required before proceeding with sub-outsourcing, in line with Article 28(2) GDPR.
Governance is a key point addressed by the Revised Guidelines. It should be structured so that banks have a holistic, institution-wide framework enabling them to make sound management decisions concerning risk management, including measures with respect to cyber risk. Such a risk management framework should include:
- Responsibility and accountability of management;
- Approved outsourcing policies in line with the EBA’s Guidelines on Internal Governance;
- Assessment, identification and management of conflicts of interest;
- Creation and adoption of business continuity plans;
- Internal auditing of outsourced functions; and
- An updated register of information on all outsourcing arrangements, which in the case of cloud arrangements should reflect the type of cloud service and deployment models (e.g. public, private, hybrid, community), as well as the specific nature and location of the data that will be processed and stored.
With the EBA’s Revised Guidelines on Outsourcing Arrangements, the European Banking Authority has taken an important step toward making it easier for financial institutions to conduct business in the European Union. Even if a Swiss bank comes to the conclusion that these Guidelines are not applicable for the time being, they may provide additional, helpful guidance and insights beyond what is already available in the Swiss regulatory framework.
In conclusion, compliance with the regulations outlined here means that, in general, a shift of banking services to the cloud is permitted and even supported by the supervisory authorities.
In the next blog we will provide a framework of decision criteria when it comes to selecting the appropriate cloud service provider in Switzerland.