Federal Data Protection and Information Commissioner questions risk-based approach for transborder data transfers

29 June 2022 – On 13 June 2022, the Federal Data Protection and Information Commissioner (FDPIC) published a statement on Suva's data protection risk assessment on the “Digital Workspace 'M365'” project which encompasses the disclosure of certain personal data to Microsoft for processing by Microsoft on behalf of Suva. By applying a widely used risk assessment model, Suva concluded that the risk of access by American authorities was very low and that the transborder data transfer was hence permissible.

However, according to the FDPIC, there is no basis for a risk-based approach in the law. For the FDPIC, it seems at least questionable whether the risk-based approach is admissible and may be invoked to justify outsourcing projects such as the one under discussion here. Even if the risk-based approach is admissible, the FDPIC questions the assessment of the probability of governmental access based on the risk assessment model used. According to the FDPIC, the probability values are not convincing because it is not sufficiently clear how they are derived and, in any case, the accuracy claimed for the calculated values appears doubtful.

Finally, the FDPIC leaves it up to Suva whether it wants to stick to the risk-based approach; in other words, the FDPIC does not explicitly rule out such an approach. However, the FDPIC advises Suva to reassess the risks associated with the outsourcing project and the transfer of personal data in a timely manner. In the meantime, a new Privacy Shield may be on the horizon, or a new decision regarding the federal cloud strategy might have been taken.

Based on the foregoing, it is recommended to closely follow any further developments in this matter and to carefully assess the risks associated with transborder data transfers in every individual case.