Header

Author: Dajana Dakic
Source: inside-it.ch
Publication date: November 25, 2025
Summary reading time: 3 minutes

Executive Summary

The Swiss data protection association Privatim warns urgently, in a recent resolution, against outsourcing sensitive government data to international SaaS services such as Microsoft 365. Government agencies are increasingly relying on cloud-based solutions, but there are serious data protection concerns: the lack of end-to-end encryption, insufficient transparency about subcontractors, and the US Cloud Act, which potentially allows American authorities access to Swiss data. Privatim classifies such outsourcing as "inadmissible in most cases."

Critical Key Questions

  • How can Swiss authorities maintain their digital sovereignty while simultaneously leveraging the efficiency benefits of modern cloud infrastructures?
  • What long-term risks arise for civil rights when sensitive government data falls under the influence of foreign jurisdictions?
  • To what extent must cloud providers improve their transparency and data protection standards to even be considered as trustworthy partners for public administrations?

Scenario Analysis: Future Perspectives

Short-term (1 year):
Authorities will need to reassess their cloud strategies, with ongoing projects such as the one in Canton Lucerne facing increased justification pressure. Alternative solution approaches with local providers or encrypted architectures are gaining importance.

Medium-term (5 years):
Development of a "two-tier IT" in government agencies: non-critical data could remain in international clouds, while sovereign infrastructures would be built for sensitive information. European cloud alternatives and open-source solutions experience a boom.

Long-term (10-20 years):
The fragmentation of the global data space along geopolitical boundaries could intensify. At the same time, new international agreements and technical standards could emerge that enable both data protection and cross-border data use, thereby strengthening the digital sovereignty of smaller states.

Main Summary

Core Topic & Context

Privatim, the Swiss data protection association, clearly positions itself against the use of international SaaS services such as Microsoft 365 for sensitive government data. This warning comes against the backdrop of increasing migration of government agencies to the cloud, partly due to active pressure from providers.

Key Facts & Figures

  • According to Privatim, common SaaS offerings like Microsoft 365 offer no real end-to-end encryption
  • The US Cloud Act potentially allows American authorities access to data, even if stored in Swiss data centers
  • Complex provider structures with long subcontractor chains make transparency and control difficult
  • Canton Lucerne is currently planning to store government data in Microsoft 365
  • Privatim classifies the outsourcing of particularly sensitive data as "inadmissible in most cases"

Stakeholders & Affected Parties

  • Cantonal and municipal administrations in Switzerland
  • Citizens whose personal and sensitive data are affected
  • International cloud providers such as Microsoft
  • Swiss IT service providers as potential alternatives

Opportunities & Risks

Risks:

  • Significant loss of control over sensitive citizen data
  • Potential fundamental rights violations through data access by foreign authorities
  • Legal uncertainties with data subject to confidentiality requirements
  • Lack of transparency in processing by third-party providers

Opportunities:

  • Development of data protection-compliant alternatives with complete self-encryption
  • Strengthening of local IT infrastructures and competencies
  • Clarification of legal frameworks for cloud use in the public sector

Action Relevance

Government agencies should critically review ongoing cloud migrations and pause them if necessary. Alternative solutions in which the agency keeps its own key management and all data is encrypted should be examined as a priority. A data sovereignty strategy is recommended, particularly for especially sensitive or confidential data. Building up internal IT competencies and regional cooperation could be a long-term alternative.

References

Primary source:
Privatim: Outsourcing sensitive government data to M365 inadmissible

Additional sources mentioned in the article:

  1. Canton Lucerne plans to store government data in Microsoft 365
  2. Rorschach region launches its own IT services
  3. Digital Sovereignty: Aargau parliamentarians submit further motions
