The privacy protection "bug" is in US legislation

The American "Cloud Act" and the European rules on personal data, which Switzerland will join in September 2023, are not compatible, but...

The stars and stripes flag of the United States of America in the background of a video surveillance camera (Photo: Francesco Ungaro/Pexels)

What happens to our personal or even sensitive data when it reaches a Cloud?
It should be said at the outset that the privacy laws protecting us are potentially ineffective if the cloud is American. Recent news events have in fact proved it.
Some quite striking events have stirred public opinion on the issue of information confidentiality, all on the eve of the entry into force of the new LPD, or Law for the Protection of Data and Transparency, in the Swiss Confederation.


Carmaker Tesla, which sells many cars in Switzerland and Europe, is subject to the US Clarifying Lawful Overseas Use of Data

A German investigation has uncovered Pandora's box

In the May 6 episode of the RSI programme "Patti Chiari", the question of how a well-known US manufacturer of electric cars uses personal data was raised.
Several episodes were highlighted, but the focus was on three very significant cases in which the Public Prosecutor of Berlin, Andreas Winkelmann, requested the data relating to two road accidents and a speeding case from the manufacturer of the vehicles involved: Tesla.
Surprisingly, he obtained not only the data that the law requires, covering the dynamics of the vehicle in the five seconds before the impact: the Prosecutor also received the data on the opening of the vehicle's door a good forty-eight seconds after the impact and even the video, recorded by the vehicle's rear camera, of the rescuers' intervention following the accident.
The Swiss Radio and Television report does not mention whether or not a judge had authorized the Public Prosecutor's requests for access to the data.


The General Data Protection Regulation (GDPR), officially Regulation (EU) 2016/679, is a regulation of the European Union regarding the processing of personal data and privacy, adopted on 27 April 2016

The underlying problem: the United States is not the… EU

Let's take a step back, though. Why is there so much talk about Tesla and very little about Renault, BMW, Mercedes and other car manufacturers? There is one problem, and only one: the location of the company headquarters. While Renault, BMW and Mercedes are European companies, indeed companies of the European Union, Tesla is an American company.

"Cloud computing" (in Italian "nuvola informatica") indicates, in information technology, a paradigm for the provision of services offered on request by a supplier to an end customer via the Internet (such as data storage, processing or transmission), starting from a set of pre-existing, configurable and remotely available resources in the form of a distributed architecture

The US Cloud Act is much less “stringent”

Is what we say a problem for our privacy?
Certainly yes, as US companies, under penalty of total cessation of their activities, must submit to an American law, the Cloud Act, where "Cloud" does not stand for the ordinary Internet service that probably each of us uses, but is actually an acronym for "Clarifying Lawful Overseas Use of Data".
This law establishes that even data stored "overseas", that is, outside the United States, must always be accessible to the US Government, police forces and other official bodies, whether of the US or of foreign States, that can request it.
This means that if an entitled entity asks the vehicle manufacturer or any other service provider for access to the data of a user, be it an individual or a company, the provider can contest the lawfulness of the request in the competent court in the USA.
However, the Cloud Act, approved at the federal level on March 23, 2018, superseding the Stored Communications Act (SCA) of 1986, authorizes US judges to have these providers hand over the data even without a specific legal reason.


A data center next to a personal computer: they should be the sanctum of privacy (Photo: Antonio Moreno Nadal/Pexels)

The potential consequences? We cannot oppose it

This opens the door to data access without the requesting bodies holding specific authorisations.
The only condition for the delivery of data is that the request comes from a body based in a state that fulfills the standard requirements of respect for human rights and privacy.
Since there is no specific regulation in this regard, the provider is obliged to provide the requested data without being able, in practice, to oppose the request in any way.
We therefore do not know what and how much data vehicle manufacturers transmit to headquarters, but we can be sure of one thing: if the manufacturer is American, we are not protected in any way from access to information concerning us, even without our explicit consent.
The Berlin Public Prosecutor obviously works in the interest of the community, but if he had requested the data directly from Tesla, which is obliged to provide them, without the authorization of a German judge, he would probably have committed an offense in his own country.
The question is even more subtle: since under the Cloud Act a request cannot in practice be refused by the court, any prosecutor could request anyone's data under any circumstances, on the basis of preventive investigations unrelated to any event that has occurred and based only on a suspicion.
This would make it possible to find the evidence necessary to request, ex post, legal authorization for new access to the data (since the earlier data were obtained illegally, according to European legislation).


The hard disk of a personal computer is a collector of personal and sensitive data (Photo: Antonio Moreno Nadal/Pexels)

Many of our devices are made in the USA

So just avoid buying American cars?
Not really: our digital life often travels on devices that interface with software produced in the United States and that try in every way, through pop-ups or authorization requests, to access our data while we carry out our daily actions.
And the UX (User eXperience), if you decide to ignore these access attempts, becomes very impractical: you are flooded with emails and red notifications.
I always advise all companies and individuals to interface as little as possible with this type of company, to have greater control of their digital life and personal data.
With the new LPD (Law on the Protection of Personal Data and Transparency), which will enter into force in Switzerland in September 2023, it will be easier for a citizen of the Swiss Confederation to obtain respect for their data.
The new legislation encourages privacy systems based inside and outside Switzerland to collaborate with each other, while also meeting the GDPR.
In this way everyone will be able to obtain respect for their data even outside the Confederation simply by contacting the Swiss authorities.


The LPD Day logo

Are we safe? Lugano will go in search of answers…

Let's try to recap: will our data in the Cloud be safe with the new LPD law? Will it be enough for a US company's servers to be physically located in Switzerland for our data to be protected?
Not really: the Cloud Act allows access to our data in any case.
There is still a lot to work on, also to inform citizens of their rights. I'll try organizing the first "LPD Day" on 14 June at the LAC in Lugano.


The Law for the Protection of Personal Data and Transparency (LPD) is destined to change the paradigms of privacy in Switzerland: it is expected to enter into force in September 2023