swiss hosting is based on two promises:
- The data remains in Switzerland.
- This data can only be accessed by third parties via the Swiss authorities.
The first promise can be upheld by large international providers with a base in Switzerland – but not the second. Any statements indicating that data protection to Swiss standards can be enforced via a contract are false. The following four cases provide interesting examples:
- CLOUD Act: This US law has been in place since 2018. It allows US authorities to access data stored by US-based companies. The company’s presence in a foreign jurisdiction is irrelevant.
- Schrems II: For a long time, the Privacy Shield agreement was what enabled data to be exported from the EU to the United States in line with EU standards. The ECJ declared Privacy Shield invalid as of July 2020 as a result of its ruling on Schrems II. The court considered it proven that US-based companies could not resist any desire by their domestic government authorities to access the data they store, meaning that the data is therefore not secure. In other words: A legal fiction was hereby dismantled. The Swiss Federal Data Protection and Information Commissioner (FDPIC) concurred with this ruling shortly thereafter. As a result, the parallel agreement applicable in Switzerland also collapsed. The Swiss FDPIC takes an explicit position on this in its “Guide to checking the admissibility of direct or indirect data transfers to foreign countries” (document).
- The case of Crypto AG: This Swiss company supplies cryptographic devices to third-party governments and was secretly owned by the CIA and its German equivalent, the BND.
- Everyday handling of data: There is ultimately a conflict between two separate obligations. A person responsible for data in a Swiss subsidiary company must comply with the laws of Switzerland, but they are also obligated to comply with instructions given by foreign superiors. In practice, data (e.g., customer data for marketing activities) is frequently shared, even when this is not in compliance with data protection legislation. But if nobody complains, no crime can be considered to have taken place. Aside from anything else, few people would wish to share a typical whistleblower's fate.
swiss hosting is a promise of a specific legal status. It states that only Swiss authorities will have access to data as part of proper proceedings, and that the affected parties will be treated in accordance with Swiss law.