The Swiss privacy regulator Privatim has taken steps to ban Microsoft, Amazon, and Google’s American cloud services for government agencies. Data storage within Switzerland offers no protection against American laws, Privatim argues.
The manual published by the Swiss data protection authority in Zurich concludes that government agencies are acting unconstitutionally when they entrust sensitive citizen data to providers subject to the US CLOUD Act. The law gives US investigative services access to data, even when it is physically located in Switzerland. This makes cloud services from major US providers unusable for Swiss schools, hospitals, and police forces.
The US CLOUD Act of 2018 allows US authorities to request data from tech companies, regardless of where the servers are located. This creates an unsolvable conflict for Swiss regulators: data in Zurich is subject to Swiss privacy protection, but at the same time to US subpoena law. It also undercuts the sovereign cloud initiatives of the major US cloud platforms, which are meant to address exactly this problem.
Dominik Baumann, the privacy officer responsible for the canton of Zurich, believes that foreign legal obligations make the transfer of personal data illegal as soon as it enters the provider’s infrastructure. This means a binary choice for CIOs in the public sector: locally hosted alternatives or violating the constitution by using American cloud and SaaS solutions.
The ban extends to all data covered by “professional secrecy.” This category includes medical records, tax data, social security information, and education data. The authorities in Zurich are effectively demanding a return to on-premises infrastructure or strictly European providers for the majority of critical government functions.
Encryption is not a solution
The Swiss decision dismantles the argument that encryption offers protection. For modern SaaS applications such as Microsoft Teams or Google Workspace, data must be decrypted in the provider’s working memory during processing. This involves indexing files, scanning for malware, and real-time collaboration. At those moments the data sits in plaintext under the provider’s control, and is therefore reachable by any authority that can compel the provider.
The regulator argues that encryption is valid only if the cloud provider has no access to the keys and the data remains fully encrypted throughout its lifecycle. This condition breaks the functionality of most modern cloud platforms.
According to the regulator, industry solutions such as ‘Bring Your Own Key’ fail because they do not neutralize the legal risks inherent in SaaS architectures. Years ago, Microsoft attempted to find a solution with a ‘Cloud Germany’ trustee model, in which T-Systems was designated as an independent data trustee, but that initiative was not considered successful. The idea behind such a model is to create a kind of legally separate European entity with no business ties to the US.
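To make the regulator’s point concrete, the following added illustration (not code from Privatim, Microsoft, Google or T-Systems) models a hypothetical SaaS provider that must decrypt a record in its own memory to index it, and contrasts a tenant that imported its key into the provider’s KMS (BYOK) with one that never did. The cipher, tenant names and record are constructed for the example.

```python
import hashlib

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode XOR; illustration only, stands in for a real data key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class SaaSProvider:
    """Hypothetical provider: stores ciphertext and builds a search index."""
    def __init__(self):
        self.kms, self.blobs, self.index = {}, {}, {}

    def import_key(self, tenant, key):
        self.kms[tenant] = key          # BYOK: the provider can now unwrap

    def upload(self, tenant, doc, nonce, ct):
        """Indexing (like malware scanning) needs plaintext in provider memory."""
        self.blobs[(tenant, doc)] = (nonce, ct)
        if tenant not in self.kms:
            return False                # key stays with the customer: cannot process
        for word in xor_keystream(self.kms[tenant], nonce, ct).decode().split():
            self.index.setdefault((tenant, word), set()).add(doc)
        return True

    def search(self, tenant, word):
        return self.index.get((tenant, word), set())

    def compelled_disclosure(self, tenant, doc):
        """Under a legal order: plaintext if the provider holds the key, else ciphertext."""
        nonce, ct = self.blobs[(tenant, doc)]
        return xor_keystream(self.kms[tenant], nonce, ct) if tenant in self.kms else ct

def demo():
    """Constructed sample: one record, two key-custody models."""
    record = b"patient 4711 diagnosis confidential"
    key, nonce = hashlib.sha256(b"tenant-secret").digest(), b"nonce-01"
    ct = xor_keystream(key, nonce, record)
    p = SaaSProvider()
    p.import_key("byok", key)           # key copied into the provider's KMS
    return {
        "byok_indexed": p.upload("byok", "rec1", nonce, ct),
        "byok_hits": p.search("byok", "diagnosis"),
        "byok_disclosed": p.compelled_disclosure("byok", "rec1"),
        "hyok_indexed": p.upload("hyok", "rec1", nonce, ct),  # key never imported
        "hyok_hits": p.search("hyok", "diagnosis"),
        "hyok_disclosed": p.compelled_disclosure("hyok", "rec1"),
    }
```

The BYOK tenant gets working search but its plaintext is one legal order away; the tenant that kept its key gets only ciphertext disclosed, at the cost of every server-side feature that needs the content.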
Consequences for digital plans
The practical impact for Swiss institutions is immediate and far-reaching. Many organizations had already begun migrating to cloud platforms to facilitate remote working and modernize education. Reversing these migrations entails significant financial and operational costs.
The alternatives are primarily to host open-source solutions such as Nextcloud or to rely on smaller, local Swiss hosting providers. These options often lack the seamless integration and feature richness of the hyperscalers. IT administrators face the daunting task of building customised, compliant architectures that match the usability of commercial SaaS products, all within tight public budgets.
Domino effect expected in the DACH region
Switzerland is not an EU member, but its data laws are closely aligned with the EU’s GDPR. Swiss regulators often move in lockstep with their stricter German counterparts. The Federal Data Protection and Information Commissioner in Bern has previously expressed skepticism about data transfers to the US.
Zurich’s explicit guidance provides a blueprint for other cantons. If Basel, Geneva, and Bern take similarly hard lines, a de facto embargo on US cloud services for the Swiss public sector will emerge. This will create a fragmented regulatory environment in Europe, where a hospital in Zurich may not be allowed to use tools that a hospital in Warsaw does use.
The move also casts a long shadow over the newly negotiated EU-US Data Privacy Framework. While the European Commission has granted an adequacy decision to the US, privacy advocates and regulators remain unconvinced that the fundamental conflict between US surveillance laws and European privacy rights has been resolved. By basing their position on the CLOUD Act, which the DPF does not override, Swiss regulators are signaling that political agreements cannot override the material legal reality of data exposure.
Meanwhile, the Netherlands is also focusing on its own sovereign government cloud to reduce its reliance on foreign cloud services. Former State Secretary for Digitalization Zsolt Szabó previously stated that excessive dependence on a single or a few market players is undesirable.