29 November 2023
Switzerland and the United States: a centuries-old affinity strengthened by the common federalist and liberalist ideals. Yet the two countries diverge on a key issue: the privacy of citizens and companies: it is regarded as sacred in Switzerland but feared to us Swiss, feared and curbed in the US.
This growing difference leads to very serious consequences that force almost all organizations to rewrite their GDPR documentation and prevent them from guaranteeing the necessary confidentiality to their employees, customers and other stakeholders even worse for software houses and software service providers.
We are talking about the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a law enacted by Congress on March 23, 2018. This law allows US authorities, law enforcement and intelligence agencies to acquire any type of data held by any cloud provider regardless even if they reside on servers located outside the US.
Providers are forced to share this data immediately and without going through the normal diplomatic-legal channels and perhaps without even being able to warn their customers the cloud and data storage service providers.
Both US companies and companies headquartered in other countries but controlled by US companies are subject to this rule, and even European or Swiss companies that have a ‘permanent establishment’ in the United States.
In practice, the Swiss Acme SA, controlled by an US Acme Inc, as well as an Acme SA that has opened a small office in the USA, are forced to open their servers even if located in the Confederation. To whom? Not just in response to an American judicial enquiry but even to FBI, CIA, NSA, and any government request. Resisting these demands may in fact turn out to be impossible.
Companies and organizations that use the services of companies based in the USA or with American shareholders are therefore warned: the privacy of these data may no longer be guaranteed. Waiting for the European Union to be able to give a diplomatic and legal response to this. American move the indication is therefore: make sure that your data is managed or stored, obviously outside the United States, by companies that are not American or belong to US groups. You also need to make sure that your cloud service provider has no establishments in the United States.
Tinext MCS is among them. Our servers are located just in Switzerland, our shareholders are Swiss citizen and companies and, despite having offices in Italy, Kuwait and the United Arab Emirates, we do not have any permanent establishment in the USA. Therefore we are not subject to the Cloud Act.
The data kept by Tinext could be accessed just after a detailed and motivated request by the US judicial authority, carefully examined by the Swiss judiciary.
Let's another consideration: Tinext, in addition to being 100% Swiss and 0% American, is an ICT 'pure player' as a company and as a group. We have no interests other than the provision of ICT services. Some of our biggest competitors instead belong to groups that are or could become competitors of the companies to which they provide cloud services. As Andy Grove said: "only the paranoid survive".