The Swiss government is trying to move everything to Microsoft 365… but there’s a privacy-shaped stumbling block.
This has come about because the government wants to promote the establishment of standardized interoperable interfaces, with the aim of both strengthening the competitiveness of businesses and to facilitating decision-making based on data.
And with that in mind, it has begun its migration to Microsoft 365. But there’s a problem with that – a privacy problem.
Or, as Green national councilor Gerhard Andrey (FR) puts it: “With its cloud strategy, the government has identified three pillars: data which is not sensitive and can be managed by foreign giants, fairly sensitive data which can be processed within a reliable legal framework by companies as long as the servers are in Switzerland and finally the data whose sensitivity requires management by a sovereign actor.”
So, is your data falling between the cracks?
We’d wager you’re going to say ‘no’. After all, you’re aware of data security, you have passwords and a grasp on who can and cannot access your data, right?
But we’d also wager that you’re wrong.
We say that because all three of these major players aren’t really talking about data jurisdiction. Now, you may not have heard much about data jurisdiction, but we’re pretty sure you’ll have heard talk of geographic data location.
And that makes sense, because up until Microsoft V United States in 2015 (and later the US Cloud Act), everyone was very concerned about geographic data location – to the point where it was considered as important as data jurisdiction.
What is data jurisdiction?
Data jurisdiction is essentially the rules that dictate which authorities have legitimate right to access private data.
And it matters. In fact it matters a whole lot more than the (much-talked about) geographic data location.
Because for the last ten years, Amazon, Microsoft and Google have been building data centers across a huge range of countries and territories to satisfy local privacy laws – at great cost to themselves.
But then the American courts and Congress decided that American companies can access anything anywhere, as long as they’re dealing with a US company.
So, these companies (amongst many others) have put efforts into making us think about data location, when actually only data jurisdiction matters now.
And no government wants to admit that their citizens’ data can be freely accessed by these American companies and, with a warrant, by American courts and intelligence agencies.
So, what can you do to keep your data safe?
Here’s what we think: there is no reason Switzerland can’t host data with truly pure Swiss companies, like Penta.
And Microsoft has to unbundle its services anyway – that is to say they have announced they will do this, because the anti-trust EU told them they had to.
But that move (which now has to happen) means that we (Swiss companies) can offer Microsoft 365 on our own – purely Swiss – infrastructure. The advantage of that for our clients is that they only have to deal with one authority: the Geneva justice system.
If this sounds like Swiss banking secrecy, it’s because it is like that. And like Swiss banking secrecy, Penta staff sign agreements on the understanding that any breach makes them personally liable and open to prosecution. If you have any questions about this or would like to discuss it further, just get in touch.