Content

1. Introduction and definitions
   1. Background
   2. Definitions
      1. Concepts
      2. Components
      3. Territories
      4. Actors
   3. Digital sovereignty intitiatives
2. Socio-economic issues
   1. Swiss ICT capacities
   2. Material dependence
   3. Intellectual dependence
   4. Recommendations
3. Legal issues
   1. Data Sovereignty
      1. Extra-territoriality of laws
      2. Data transfer abroad
      3. Digital self-determination
   2. Technological sovereignty
   3. Cyberadministration
      1. Federalism and the distribution of powers
      2. Three steps of the implementation of public policy
      3. Principle of rule of law
      4. Public procurement law
   4. Cybersecurity
   5. Recommendations
4. Bibliography

Executive Summary

Digital sovereignty can be defined as the ability of authorities to maintain their strategic autonomy, i.e. to be able to autonomously use and control the tangible and intangible assets and digital services that impact the economy, society, and democracy. Digital sovereignty has several components, mainly “technological sovereignty” and “data sovereignty”. Digital technology re­de­fines the notion of “territory” into “sovereignty on networks”, which has several layers (hardware, software, and data), with the State being able to exercise exclusive sovereignty over the 1st layer (hardware) and limited sovereignty over the 2nd and 3rd layers (software and data). Finally, the degree of sovereignty is assessed according to the State’s ability to control each layer, which will depend in particular on the location of the data or access to the data, and the nature and links of the service provider with the State in question. Policy and regulatory strategies may also address the different actors in the digital ecosystem (public, industry, and civil society).

From the socio-economic standpoint, the study analyses Switzerland’s dependencies on the three layers (hardware, software, data) and from the point of view of the different actors (public, industry, civil society). It concludes that Switzerland has strong digital assets but that there are issues to watch out for, in particular the fact that consumer digital activity and intellectual property are concentrated in the hands of a few companies (with effects on privacy, public policy, and economic development). It also describes an autonomy-sophistication dilemma: dependencies increase in proportion to the intensity of ICT use. Consequently, measures shall be taken according to the degree of criticality. When the use is critical and complex, measures may range from data residency (or data localisation) to diversification of suppliers and shared sovereignty. The analysis also emphasises that sovereignty is not only spatial but also temporal, i.e. in terms of the ability to anticipate and react to a new situation.

From the legal standpoint, the study analyses the main components of digital sovereignty, namely data sovereignty and technological sovereignty, as well as cyberadministration and cybersecurity. Data sovereignty requires to clarify the law, including those that may have extra-territorial effects (e.g. GDPR, Cloud Act, LPD)^[1]GDPR stands for the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on … Continue reading and rules on international data transfers, which may range from the free flow of data to a requirement for the localisation of data or servers. Technological sovereignty requires an innovation policy with state measures (legal, economic, and technical). This requires a careful assessment of which critical technologies (Key Enabling Technologies or KETs) can be accessed and which data protection laws apply. Cybersecurity requires coordination at different levels, depending on the area concerned (civil cybersecurity, cyberdefense, cybercrime), and requires resilient technology, adequate preparation, appropriate contracts, and compliance monitoring processes. Cyberadministration requires that the State can decide whether and how to digitise its processes and services autonomously while respecting the principles of federalism, legality, and public procurements.

On this basis, several recommendations can be made to guide public action on digital sovereignty (see II.4 and III.5)^[2]For an overview of all recommendations, see the complete report Benhamou/Bernard/Durand, 41 ff.. At the international level, it is also important to pursue determined diplomatic action to reduce the negative repercussions of digital sovereignty (fragmentation of the Internet, barriers to data sharing and innovation).

I. Introduction and definitions

1. Background

This paper aims to contribute to the general debate on digital sovereignty in Switzerland and abroad, including on Swiss cloud^[3]FDF/UPIC, Swiss Cloud Report; Swiss Digital Strategy 2023: These 2 reports consider the issues of Cloud and digital sovereignty as priorities and conclude that there is a need to clarify the … Continue reading. Beyond Switzerland, the specificities of the Confederation (federalism and distributed competencies) make its ecosystem an interesting laboratory for digital sovereignty^[4]For an analysis of the EU, see Brunessen, 15 ff; Moghior, 104, highlighting the difficulty of finding a consensus due to the decentralised nature of the institutions and the heterogeneity of the … Continue reading. This analysis follows a complete multidisciplinary study carried out within the framework of the Latin Conference of Digital Directors (CLDN), based on desk research and interviews.

Digital sovereignty presupposes that the state, the economy and society have ongoing control over their digital transformation, i.e. that they can determine whether and what information to digitize for re-use^[5]Tan/Chi, 1; FDF/UPIC, Swiss Cloud Report.. Although governments have technical expertise in this area (as shown in the rapid development of Covid applications), it is often the private sector that has control over ICT. This applies not only to market-dominant economic actors (e.g. GAFAM and BHATX)^[6]GAFAM stands for the US tech giants, namely Google (Alphabet), Apple, Facebook (Meta), Amazon and Microsoft; BHATX stands for the Chinese tech giants, namely Baidu, Huawei, Alibaba, Tencent and … Continue reading who decide on the faith of data, or even replace state prerogatives (e.g. via their general terms of use, authentication techniques, or by making states dependent on their services with digital currencies or reliable au­then­ti­ca­tion techniques) but also to non-market-dominant actors who create dependencies with other operators^[7]Cottier, N 8; Türk and references; Jäger et al., 189.. Economic actors thus acquire de facto normative power in cyberspace^[8]Türk and references; Pohle/Thiel, 6 ff; Seifried/Bertschek, 10 ff..

Given the emergence of new power relations, politicians frequently use the concept of digital sovereignty in their speeches with the aim of restoring the centrality of the nation-state^[9]Falkner et al., 3; Aufrechter/Klossa, 11, indicating that the concept of digital sovereignty is also used as a pretext for economic protectionism, referring to a US government report of 2021.. However, this concept is not yet clarified, making achieving coherence at the decision-making and operational levels difficult. The rapid proliferation of initiatives in digital sovereignty also complicates the delimitation of the concept and the distribution of powers between the different levels of the state. The diversity of initiatives can be highlighted by models or indexes that quantify digital sovereignty based on indicators, such as the components of digital sovereignty^[10]Kaloudis, 8 ff; European Commission, Digital Economy and Society Index (DESI) 2022 (<https://digital-strategy.ec.europa.eu/en/library/digital-economy-and-society-index-desi-2022>); … Continue reading. However, these models vary according to the country and/or entity concerned, and no such model exists in Switzerland at the moment.

It is worth noting that, while it is logical for Switzerland to take a position on digital sovereignty, this debate may also have negative repercussions on society, such as the fragmentation of the Internet, barriers to data sharing for the common good and to innovation (e.g. the development of technologies such as web3)^[11]See Diplofoundation, Balancing digital sovereignty and the splinternet (event report), Internet Governance Forum, 2022; Ganne, 101; Cory/Dascoli, stating that data localisation requirements have … Continue reading.

2. Definitions

The term “digital sovereignty” has not yet been defined in a harmonised way at the international or national level. However, several attempts to define have emerged, notably in the academic world. The concepts (a), components (b) and territories (c) at stake will be analysed to better define the outlines of this concept and to establish terminological benchmarks.

a) Concepts

An initial approach is to define the two terms that make up the concept. “Digital” refers to the infrastructure, the underlying technologies, the data and its contents and their consequences on society, culture and processes^[12]Couture/Toupin, 2306.. Sovereignty refers to the territory of a state, i.e. sovereign actor that is the nation (external sovereignty) and that has a monopoly on the rules of law and law enforcement (internal sovereignty)^[13]See art. 2 UN Charter; Pohle/Thiel, 49; Alcaud; INTERNET SOCIETY, Navigating Digital Sovereignty and its Impact on the Internet, december 2022; Norodom, 21 ff: political and economic contexts can … Continue reading. However, this classical approach is criticised because it does not take into account the new power relations exercised by non-state actors (e.g. internet users or platform operators)^[14]See footnote 5..

Digital sovereignty is also often defined from a technological standpoint, which sometimes distinguishes three degrees of sovereignty (high, medium and low) for each stage of the life cycle of a digital system and data^[15]Couture/Toupin, 2313; Pohle/Thiel, 6 ff; Kaloudis, 16.. Beyond technology and given the transversality of the issues, it is interesting to define the notion from a multidisciplinary standpoint, in particular socio-economic and legal. The latter prefers the notion of ‘strategic autonomy’ to that of digital sovereignty. Strategic autonomy refers to the ability of a state or organisation to decide and act autonomously and over the long term on key digital aspects of its economy, society and democracy^[16]Moerel/Timmers, 8 and references; Tan et al., 4 and references; Danet/Desforges, 179 ff; Schmitz Seidl, 12.. While a state’s digital sovereignty has become inseparable from technology, strategic autonomy refers to the means to achieve it, i.e. the state’s ability to control ICTs and data^[17]Chrétien/Drouard, 15 ff; Danet/Desforges, 184; Moerel/Timmers, 8.. This definition seems more precise and better delimited than the notion of “digital sovereignty”, in particular because it would avoid the legal controversies linked to the recognition of the “sovereignty” of non-state or supranational actors^[18]See Moerel/Timmers, 8 and Danet/Desforges, 180; Schmitz/Seidl, 31..

b) Components

Digital sovereignty includes several components, mainly “technological sov­er­eignty” and “data sovereignty”^[19]Other dimensions of sovereignty can also be considered, such as “network sovereignty”, “information sovereignty”, “platform and infrastructure sovereignty”, “economic … Continue reading. Technological sovereignty refers to the ability of a State and its economic operators to control the layers (hardware, software, data)^[20]See. below III.3; Fabiano, 272; Bertani et al., 7; Couture/Toupin, 2317; Kagerman et al., 10.. Data sovereignty refers to the capacity of the different actors (administration, industry, civil society) to control and use data in a self-determined way^[21]See. below III.2; Golliez, 83; Celeste, 211 ff; Kaloudis, 6.. It therefore implies control over the personal and non-personal data stored and processed, including access rights (on a contractual or technological basis)^[22]Golliez, 83: distinguishing three axes of data sovereignty: the use of non-personal data by as many actors as possible (“open data”), the use of personal data by the persons concerned (“my … Continue reading.

Data sovereignty (control over data) has become central in an ultra-connected society given the security and privacy issues at stake^[23]See below III.1; Tan et al., 2.. As data are strategic assets, states also seek to minimise foreign interference with state or private, sensitive or strategic data (e.g. through espionage methods). In order to protect against intelligence activities and to protect the Swiss economy, the concept of the “Swiss cloud” emerged in political circles^[24]FDF/UPIC, Swiss Cloud Report, 22 ff., which evolved into the notion of “sovereign cloud”.

Sovereign cloud can be defined as a cloud computing environment controlled, deployed and/or managed locally within a single jurisdiction. The idea is that the user organisation retains control over the data, systems and applications. The requirements vary according to the degree of control: for some, the provider, data, systems and/or applications must be managed locally; for others, it is sufficient that the data is inaccessible from abroad. There are thus different degrees of cloud sovereignty according to the following 3 components: (i) data sovereignty (controlling who owns and accesses the data) regardless of the data localisation a single territory (data residency), (ii) operational sovereignty (controlling operations on services, including busi­ness continuity and regulatory compliance), (iii) technical sovereignty (per­form­ing operations oneself without relying on a provider)^[25]Capgemini, referring to a sovereign cloud continuum and distinguishing several categories of cloud (from least to most sovereign): (i) Public Cloud (without local providers and without restriction … Continue reading.

c) Territories

Technologies evolve in a context of interconnected global communications networks without well-defined spatial territories. We are therefore shifting from an approach of “territorial sovereignty” to a notion of “sovereignty over networks”^[26]Vatanparast, 1; Chapdelaine/McLeod, 66; Cottier Cyberespace, 205 ff; Roguski, 5..

These networks (new forms of territories) are composed of several layers over which the State can exercise its authority: (i) physical layer (ICT components and technical capacities located on a spatial territory) (ii) logical layer (codes and standards governing the ICT components, making it possible to exchange information between them) and (iii) data layer (data circulating on the net­works)^[27]Roguski, 5; Ducheine, 458 ff; Goldman, 17-1; Sheikh, 6.. The degree of sovereignty will depend on the State’s ability to control each layer. The State can exercise exclusive sovereignty over the 1st layer (physical) and limited sovereignty over the 2nd and 3rd layer (logical and data) which have no spatial limits^[28]This is subject to a nationalisation of cyberspace (e.g. China and Russia). Roguski, 10 ff..

d) Actors

Digital sovereignty requires political and regulatory strategies, which may involve various actors in the digital ecosystem (the State through public and semi-public entities, industry, civil society), each of which plays different roles and can be described as “governance and regulatory levers”^[29]Couture/Toupin, 2317; Türk and references; Pohle, 14; Gueham, 12; Pohle/Thiel, 8.. The State is the first actor concerned. Through its regalian and regulatory functions, the state plays a key role in protecting state or critical infrastructures, the population and industry^[30]Fabiano, 270; Tan et al., 5.. Industry also has a decisive role as technology companies influence innovation and generate skills. Civil society is an essential lever of governance and regulation within a democratic system. The term ‘weak sovereignty’ is used when these issues are driven by the private sector (e.g. in the form of self-regulation) and ‘strong sovereignty’ when they are driven by the state (e.g. in the form of strict regulation and safeguarding national security)^[31]Couture/Toupin, 2313; Pohle/Thiel, 6 ff; Celeste, 6; Pohle, 6; Kaloudis, 7.. The term ‘internal sovereignty’ is also used when rules and policy are focused on internal processes and ‘external sovereignty’ when they are internationally oriented^[32]Bendiek/Stürzer, N 20; Swiss Data Alliance, 3, looking at “digital sovereignty” from an international perspective and asking how Switzerland can promote its objectives (positive approach) and … Continue reading.

3. Digital sovereignty initiatives

Digital sovereignty is subject to numerous initiatives, both internationally, abroad and in Switzerland.

At the international level, it should be recalled, without going into detail, that digital sovereignty has become a major issue, it being recalled that the debate on digital sovereignty may also have negative consequences and that some people are calling for increased international collaboration to reduce these risks^[33]Diplofoundation (op.cit.)..

Abroad, digital sovereignty initiatives vary by region and state. Three approaches to digital sovereignty can be identified: the first one focused on entrepreneurial freedom (e.g. in the US), the second one on the state (e.g. in China), the third one on the individual (e.g. in the EU)^[34]DETEC / DFAE, Création d’espaces de données fiables, sur la base de l’autodétermination numérique, 30 March 2022, 35; Bendiek/Stürzer; Baischew et al., 63 ff; Celeste, 8 ff; … Continue reading. In the EU, digital sovereignty is mainly envisaged in the strengthening of local European ca­pa­bil­i­ties, in particular in its dimensions of infrastructure and cloud platforms (also called “sovereign cloud”) and cybersecurity^[35]As an European sovereign cloud project, mention should be made of the Gaïa-X project launched in 2020. As cybersecurity projects, the “cloud (EUCS)” certification issued by ENISA or … Continue reading. At the strategic level, it focuses on artificial intelligence on the one hand and on data on the other hand^[36]Among many documents, see Burwell/Propp, 11: defining data and AI as the Lifeblood of Digital Sovereignty.. At the regulatory level, it aims to create norms allowing the emergence of global standards (e.g. RGPD with extra-territorial effects) and to limit access to the European market for non-European companies (e.g. by controlling access to data)^[37]Burwell/Propp, 15.. At the national level, several Member States (e.g. Germany, France) follow the same approach centred on European values (freedom, tolerance and solidarity), some having a real policy of digital sovereignty^[38]For example, Germany and France are keen to develop indigenous skills in relevant technology areas to counterbalance non-European suppliers and are investing in certain strategic areas (hardware … Continue reading. Finally, it is generally observed that the EU is pushing to emancipate itself from foreign technology by creating European “champions”, while smaller or more liberal countries want to benefit from the best technologies available.

In Switzerland, public digital policies have already been considered, without defining digital sovereignty or strategic autonomy^[39]Mayer/Lu, 5.. As Switzerland is a federal state, reflections on digital sovereignty are conducted at all levels of the state (federal, cantonal, communal and intercantonal)^[40]At the federal level: FDF/UPIC, Swiss Cloud Report. At the cantonal and communal level: for example, in Geneva, the Geneva Digital Policy, 37 ff and in Vaud, the Digital Strategy, 35 ff. At the … Continue reading as well as in the academic world^[41]For example, in spring 2022, the University of Geneva set up a “UNIGE Digital Sovereignty” think tank, which is working on drafting a Charter of Good Practice. and civil society^[42]See Swiss Data Alliance, which brings together companies, professional associations, civil society organisations, research institutions and individuals to establish a future-oriented data policy in … Continue reading. The difficulty of solving the challenges of digital sovereignty can be illustrated by several concrete cases, such as the electronic patient record or cybersecurity.

II. Socio-economic issues

Digital sovereignty is a concept used in many ways. However, they all refer to a central meaning: to what extent is a political entity able to control the 3 layers (physical, logical and data)^[43]See above I.2.c); Chander/Sun, 283; Floridi, 369 ff; Falkner et al., 3.. This question of control of the layers arises from the point of view of the various actors, in particular national security, economic development and the capacity of the authorities to preserve the rights of individuals and their autonomy of individual and collective action. These three dimensions of digital sovereignty (regalian, economic and civic) depend on the more or less important capacities to supervise and standardise the design and use of technologies and data^[44]See above I.3.. These capacities are themselves a direct function of Swiss ICT capacities (1), and of their material (2) and intellectual (3) dependence.

1. Swiss ICT capacities

Switzerland consistently ranks high in the indexes assessing digital de­vel­op­ment and ICT usage^[45]Switzerland was 3rd in 2017, International Telecommunication Union (ITU), ICT Development Index 2017 (website); World Economic Forum (WEF), Global Competitiveness Index 2017-2018 (website); Portulans … Continue reading. This assessment is based on nationally developed infrastructure, services and skills that play a favourable role for innovation. But it is also a potential source of social, economic and political vulnerability. This is the case in the field of cybersecurity, where Switzerland is considered to be lagging behind due to poorly developed legislation and insufficient preparation of public authorities for major incidents^[46]Switzerland was 23rd in the 2021 edition of the National Cyber Security Index of the Estonian e-Governance Academy. EGovernance Academy, National Cybersecurity Index (website). It should be noted … Continue reading. It is also the case of the omnipresence of foreign technological devices, i.e. devices produced, developed and/or controlled outside the country. Thus, the notion of digital sovereignty implies taking into account the degree of dependence of a country on the rest of the world in general and on certain countries in particular with regard to ICTs. This dependence cannot be reduced to a single metric and must be understood in its material and intellectual dimensions^[47]See Lu/Mayer, 5 ff.. Rather than seeking a state of unattainable and undesirable autarky, it is a question of pointing out the vulnerabilities and potential problems that they pose.

2. Material dependence

The degree of Switzerland’s material dependence in the digital domain can be assessed on the one hand through usage data from internet browsing and on the other hand through trade. With regard to usage data (i.e. data from devices such as computers, smartphones and tablets used from Switzerland), the studies show a total dependence on foreign hardware infrastructure (e.g. Apple and Samsung accounting for 85% of the equipment used in Switzer­land)^[48]Statcounter GlobalStats, Browser Market Share Worldwide (<https://​gs.​statcounter.​com/vendor-market-share/mobile/switzerland/2022>).. With regard to trade, the studies also show a dependence on certain countries (e.g. around 85% of consumer hardware, computers, telephones and components are imported, 95% of which come from China)^[49]DFAE, Strategy China 2021-2024, 28-29..

3. Intellectual dependence

Dependencies are not limited to hardware, but also refer to intellectual aspects (e.g. computer services and softwares)^[50]Haskel/Westlake, 153.. This is particularly sensitive for government services, including in their regalian functions, when they have to call on foreign service providers for office suites, specialised software or specific audits, including in the field of technological security.

With regard to usage data, the studies show total dependence on foreign software infrastructure, whether for browsers or platforms, with American companies dominating (e.g. Microsoft, Apple and Google account for 90% of operating systems)^[51]Statcounter GlobalStats, Browser Market Share Worldwide (<https://​gs.​statcounter.​com/os-market-share/all/switzerland/2022>).. Trade in digital services (e.g. computer services, software and telecommunications) is less unbalanced. At the global level, imports of digital services account for 56% of trade (compared with 76% for ICT goods) and are more geographically diversified. A country’s intellectual dependence requires a global view of intellectual property^[52]Pagano, 1413.. The concentration of in­tel­lec­tual property in the digital fields on a global scale is a source of vulnerability for Switzerland as for most countries. The United States has the most digital patents in the world (42%), followed by Japan (23%) and South Korea (8%), accounting for three quarters of digital IP. China and Germany account for 8% and 3% respectively, leaving only 15% for the rest of the world. Among the main digital fields (e.g. semiconductors, audiovisual technologies, telecommunications, coding/decoding), Switzerland relies on foreign in­tel­lec­tual property with only 0.9% of Swiss patents.

The development of learning and adaptive algorithms has major implications for human-machine relations, economic competition, and military-police control capabilities^[53]Durand/Rikap, emphasising that the dynamics of intellectual monopolisation in the digital age cannot be reduced to patent issues, but also include specific logic relating to returns to scale … Continue reading. Despite having one of the highest densities of artificial intelligence researchers in the world, this development is a concern for Switzerland’s digital sovereignty, as it is for other European countries^[54]Groth/Straube, 7. and most other countries except China and the United States, which are in exclusive rivalry in this area^[55]Lundvall/Rikap, 2 ff..

This duopoly is mostly a success of consumer platform firms in these two countries. Conversely, the lack of consumer platforms comparable to Big Tech in Europe and in Switzerland^[56]See above II.2. has negative effects. Since user data is one of the main fuel for innovation in this field, without the huge pools of user data generated by consumer platforms it is very difficult to be at the frontier of the evolution of artificial intelligence^[57]Groth/Straube, 7.. Countries such as Switzerland are exposed to the consequences of external developments of these powerful technologies, but over which they have almost no control.

4. Recommendations

As an outcome, Switzerland has strong strengths in the digital field, in particular thanks to the quality of its infrastructure and skills that are reflected in the dynamic and balanced foreign trade in digital services. Such trade is however unbalanced on the hardware side, particularly in terms of the terminals used, but this is part of a more general context of international fragmentation of production processes and is not a concern, at least as long as there are various supply options.

However, a first worrying concern relates to the consumer digital activity on the Internet which is almost entirely in the hands of American companies (Apple, Microsoft, Alphabet, Meta). There is a threefold issue of sovereignty here. Firstly, in terms of control of personal data and respect for privacy. Secondly, in terms of public action, the data controlled by Big Techs not only makes it possible to better understand individual behaviour but also to influence it^[58]A recent example is the impact of social networking platforms on the health of young and old.. Thirdly, in terms of long-term economic development. The rise of artificial intelligence is largely driven by the mass harvesting of data by consumer platforms and has implications for the security of individuals, organisations and political institutions based in Switzerland as well as for future economic development.

A second important concern relates to intellectual property in digital fields which is concentrated on a global scale in American and Asian companies (Japan, Korea, China). This limits the ability of Swiss-based entities to act, with cumulative effects on innovation, as in the case of data.

Table 1. Summary assessment of sovereignty issues in the field of ICT

	General capabilities	Physical infrastructure	Massive data	Intellectual property
Vulner­ability	low	moderate	strong	strong
High­lights	good quality of infra­structure high competence cyberse­cu­rity to be strength­ened	unbalanced trade in consumer goods and equipment balanced trade in components (core industrial competencies)	uses of consumer data monopolised by US platforms development of artificial intelligence	concentration of intellectual property limits to innovation capacity economic cost

These vulnerabilities exposed on the material and intellectual levels result in the existence of an autonomy-sophistication dilemma (Figure 1). Authorities must be aware that being at the forefront of digital uses may result in a loss of autonomy, both in terms of public action and data control by individuals and industry. Indeed, since the State cannot control ICT in all its dimensions given the dependencies exposed, the vulnerability of the various domains grows in proportion to the intensity of ICT use.

This difficulty is unavoidable, but it must be the subject of an assessment of the degree of criticality of the various uses of digital technology within and outside administrations, in order to guide public action in terms of digital sovereignty. This cannot be done a priori and requires a multi-criteria assessment of what is critical from a digital sovereignty standpoint, in the regalian, economic and social fields. On the basis of such an assessment by domain, four configurations can be identified, involving distinct measures depending on the complexity of the systems mobilised and the degree of criticality^[59]See Luzeaux, 16, who speaks of 3 levels of sovereignty, namely (1) weak with limited control over vital infrastructure, (2) partial with limited control over critical infrastructure and … Continue reading.

1. When the uses are not critical and simple, it is desirable to maintain openness (blue zone). This ensures dissemination of the most effective solutions to local actors and allows for learning effects.
2. When the uses are critical and simple (green zone), it is necessary to develop local solutions guaranteeing maximum sovereignty, especially as relatively inexpensive solutions allow this.
3. When the uses are critical and complex (red zone), it is desirable but difficult to develop local solutions ensuring full sovereignty. When the issues at stake are essential for the community, it is important to preserve a capacity for action that is not hindered by dependence on actors beyond the reach of public action. These solutions can be very costly. In the event that they are completely out of reach, because it is not possible to exercise genuine sovereignty, public action must seek ways of limiting the risks incurred, either through protective measures, or in the selection of the entities with which it contracts, or by seeking cooperation enabling it to exercise shared sovereignty.
4. When the uses are both uncritical and complex (orange zone), the development of autonomous solutions is either out of reach or extremely costly while the issues are not essential. Openness is then necessary.

In sum, with regard to dependencies, it is recommended to adapt the measures according to the degree of criticality of the various digital uses within and outside administrations (e.g. critical and simple uses; complex but not very critical; critical but simple; critical and complex). In the latter case (critical and complex uses), measures may range from data residency to diversification of suppliers or the search for cooperation for shared sovereignty^[60]For the concept of shared and cooperative sovereignty, see Weber, Digital Sovereignty revisited, 77..

Finally, temporality should be taken into account. Indeed, the question of criticality evolves over time. While some issues are crucial at all times (control of administrative and tax data, confidentiality in military and diplomatic matters), other applications that are a priori less sensitive (e.g. in the field of education, transport or health infrastructures) may suddenly become so in a geopolitical crisis. In particular, it should be borne in mind that legal guarantees of data access abroad are not equivalent to political and material control over data on national territory. Only the latter is a real guarantee of sovereignty in the event of a major geopolitical crisis, as the Covid-19 crisis and the war in Ukraine have reminded us.

Sovereignty is thus not only spatial but also has a temporal dimension^[61]Jessop, 41-61., i.e. in terms of the ability to anticipate and the time an authority has to react to a new situation. In a field where innovation is very dynamic, it is difficult for public authorities to anticipate relevant problems upstream through regulation alone. Indeed, territorial location requirements are not necessarily a sufficient guarantee, as an entity resident in Switzerland and controlled from abroad could be subject to decisions contrary to the country’s interests by the parent company. This is all the more true as the very question of nationality is not self-evident when it comes to effective economic control: is it the address of the head office, the majority of the shareholding, the nationality of the management? Based on these uncertainties, public authorities could be led to take shareholdings in the resident entities on which they depend for critical services, so as to have an internal view of the issues that directly concern their sovereignty^[62]This would mean going further than the Swiss Cloud Report recommends. See FDF/UPIC, Swiss Cloud Report..

III. Legal issues

The legal challenges are numerous, starting with the variety of legal regimes that apply depending on the components, layers and actors involved^[63]For the components, layers and actors, see above I.2.. Among the main legal regimes, one thinks of personal data protection laws^[64]The monitoring of compliance with data protection laws by companies and federal bodies is the responsibility of the Federal Commissioner, while the monitoring of compliance with cantonal laws by the … Continue reading and intellectual property, unfair competition and contractual rights^[65]Beyond personal data, data in general (e.g. industrial and technical data) are at the heart of technologies, which explains why they are subject to several legislative developments in Switzerland and … Continue reading. There are also fundamental rights^[66]At the international level, one thinks first of the general instruments protecting human rights (ECHR; UN Covenant II; Convention 108). At the national level, one thinks of the Cst./CH, in particular … Continue reading, cybersecurity and secrecy issues (e.g. art. 320 CP; art. 47 LB and 321 CP)^[67]CP stands for the Swiss criminal code, code pénal suisse RS 311.0; LB stands for the Swiss banking act, loi sur les banques, RS 952.0. FDF/UPIC, Swiss Cloud Report, 27; Federal Council, Federal IT … Continue reading. The analysis of legal issues will focus on the two components of data sovereignty (1) and technological sovereignty (2), as well as on cyberadministration (3) and cybersecurity (4) as prerequisites for digital sovereignty.

1. Data Sovereignty

a) Extra-territoriality of laws

The concept of territorial sovereignty has been undermined over the last decade by the extraterritoriality of certain laws that apply to events occurring abroad (e.g. GDPR and Cloud Act). This generally serves strategic and economic objectives^[68]Thelisson, 524 ff; Bradford, who speaks of the “Brussels effect” of the GDPR in imposing data protection standards on a global scale consisting of the EU promoting its standards and leading to a … Continue reading. For example, the GDPR protection extends to all data subjects who are in the European Union, regardless of the actual location of the data^[69]Thelisson, 524 ff, indicating that the GDPR also serves strategic and economic purposes and influences digital sovereignty as it subjects the data of European individuals to European protection … Continue reading. The Cloud Act gives authorities a right of access to data located outside the US but managed by US companies^[70]Thelisson, 521, stating that the Cloud Act is seen as a US response to the extraterritoriality of the RGPD and complements and gives extra-territorial scope to the SCA (for Stored Communications … Continue reading. Swiss law also provides for laws with extra-territorial effect, such as the DPA (art. 3 DPA)^[71]With the DPA, the Federal Court extended the scope of application of the former DPA by making certain data processing operations that take place abroad subject to it (see in particular ATF 138 II … Continue reading.

This extraterritoriality of laws leads to a certain decline in territorial sov­er­eignty, or even to a deterritorialisation of law, it being specified that it creates competition between jurisdictions^[72]See Thelisson, 525, indicating that competing jurisdictions should be resolved according to the conflict of laws rules that determine the applicable law (subject to regional solutions for resolving … Continue reading and that it must in any case respect international law^[73]Thelisson, 513-517: in Swiss law, the Constitution establishes the principle of respect for international law by the Confederation and the cantons (Art. 5); Mayer, 9 ff; Van Hecke, 309..

b) Data transfer abroad

Given the strategic importance of data, states adopt rules on the transfer of data abroad. These rules can be liberal with free flow of data or restrictive with localisation requirements for data, servers and/or data controllers. These localisation requirements characterise the debate on digital sovereignty. Thus, they pursue both a legal objective (to control compliance with these rules abroad) and a political objective (to strengthen data sovereignty).

Under Swiss law, the rules on data transfer abroad provide for the free flow of data to countries with an adequate level of protection and, in the absence of such a level of protection, for the data transfer abroad subject to additional safeguards (e.g. standard contractual clauses or bilateral agreement)^[74]FF 2017 6594, stressing that the free flow of data is a cardinal principle of the Swiss Data Protection Act (LPD).. Thus, where there is a risk that data will be transferred to a country without an adequate level of protection, a risk assessment should be carried out and the contractual relationship should be adapted accordingly. The assessment will take into account the nature of data (e.g. ordinary, sensitive data, secret data) and the existence of a right of access to the data by foreign authorities under foreign law^[75]E.g. if the data is hosted by a US provider or a Swiss provider under the control of a US group, the US Stored Communications Act respectively the Cloud Act may give access to the authorities from US … Continue reading.

In European law, the rules are similar and provide for the free flow of data, even if authorities and courts sometimes limit the possibilities of transferring data abroad through a strict interpretation of the rules (e.g. the Schrems II judgment)^[76]European Court of Justice, 16 July 2020, C-311/18 (Schrems II). and localisation requirements for certain personal data and infrastructures (e.g. the DGA providing for data localisation requirements respectively cybersecurity certification requirements for cloud services)^[77]See Joint Opinion 03/2021 of the EDPB and the EDPS on the Proposal for a Regulation of the European Parliament and of the Council on European Data Governance (Data Governance Act), adopted on … Continue reading.

It should be noted that, even when data is hosted in Switzerland but with a provider controlled by a foreign group (e.g. Swiss Microsoft), some legislations have extra-territorial effects and give access to authorities regardless of the localisation of the data (e.g. Cloud Act)^[78]See III.1.a).. On this basis, in case of data storage and processing in Switzerland, the risk of access by foreign authorities can only be avoided when the Swiss-based data controller has no relationship or contact with foreign companies (e.g. with a US affiliate) or, if it does, when the foreign companies do not have possession, custody, control or responsibility of the Swiss entity. This kind of immunity of the Swiss-based data controller presupposes, in organisational terms, that its registered office and central administration are established in Switzerland and that its share capital and voting rights are not individually or collectively held above a certain threshold (e.g. 24% individually, 39% collectively) by third parties with their registered office, central administration or principal place of business based abroad^[79]Ramos et al..

For this reason, the use by the public administration of service providers located abroad or belonging to an American group is currently under debate. The Federal Data Protection Commissioner (FDPIC) considers that the use of M365 cloud (Outlook and Teams services) by the Swiss Accident Insurance Fund (SUVA) is contrary to the DPA, even if the data is hosted in Europe, on the grounds that there is a residual risk of access by foreign authorities (zero-risk approach)^[80]See FDPIC, Guide June 2021: contrary to SUVA’s assessment of the risk as very unlikely (höchst unwahrscheinlich)., whereas the Federal and Zurich Cantonal Administrations consider that such recourse for the administration is permissible provided that certain additional protective measures are taken to limit the risk of access by foreign authorities (risk-based approach)^[81]Federal Council, La Confédération passe à Microsoft 365, Communiqué de presse, 15 February 2023..

In both cases, there is a question of risk analysis, in that the lawfulness of the cloud is analysed according to whether or not the additional protection measures make it possible to limit the risk of access by foreign authorities^[82]The Swiss Lawyers Bar (FSA), follows the risk-based approach but recommends caution (local solutions), at least on tax and ILL issues and if foreign legislation makes it difficult to enforce … Continue reading. The reluctance of the FDPIC is certainly due to the tightening of the practice of the European authorities regarding transfers to the United States and pending an agreement replacing the Privacy Shield^[83]See Fischer/Pittet, citing the strict decisions in the Google Analytics cases.. This being said, the risk of access by foreign authorities is reduced, since a data transfer by a Swiss entity to foreign authorities would be a violation of Article 271 of the Swiss Criminal Code, which prohibits activities on behalf of a foreign state (except mutual assistance)^[84]See Fischer/Pittet, recalling other issues that are just as important as the access risk in the case of data outsourcing, such as data security and the need to ensure business continuity in the event … Continue reading.

c) Digital self-determination

Digital self-determination is a new approach to strengthening data sov­er­eignty, in particular the control of individuals, businesses and society over their own data. It could be enshrined through the interpretation of fun­da­men­tal rights^[85]E.g. right to life and personal freedom (Art. 10 Cst./CH), from which personality rights (Art. 27 ff CC) are derived; protection of the private sphere (Art. 13 Cst./CH), from which informational … Continue reading or through the recognition of a new right, such as the “right to digital integrity”, which has been recently proposed in French-speaking cantons^[86]Draft constitutional amendments have recently emerged in Geneva, Jura, Neuchâtel, Valais and Vaud, so as to fil the gaps of existing laws (e.g. for a right to offline life and a better … Continue reading.

2. Technological sovereignty

Technological sovereignty requires an innovation policy that includes state measures (legal, economic and technical) and international cooperation^[87]See Chrétien/Drouard, 24 ff; COMCO, Annual Report 2020 of the Competition Commission (COMCO), DPC 2021/1 23 ff, 42, categorising innovation policies according to 3 approaches: the “competition” … Continue reading. Protectionist measures (e.g. investment controls, repatriation of the value chain) should be avoided, as total independence from exclusively indigenous ICTs is unlikely, given the extreme interweaving of the Swiss digital ecosystem with the infrastructures and services deployed worldwide^[88]Illgner, 8 ff; Seifried/Bertschek, 6 ff.. An innovation policy aimed at technological sovereignty requires an analysis of which technologies are critical (“key enabling technologies”, KETs) and what measures are needed to maintain control over these KETs (in the short or medium term)^[89]Edler et al., 19 ff; Westphal, 7; Chrétien/Drouard, 23 ff; Maurer et al., 53 ff; Illgner, 8; Kaloudis, Action Plan, 7 ff, pointing out that access to the necessary raw materials and knowledge must … Continue reading. It will also be necessary to improve the decision-making and op­er­a­tional skills of public and private users in order to strengthen freedom of choice and avoid a concentration of supply (e.g. advanced training to make up for the lack of personnel in the production and/or use of KETs)^[90]Decision-making skills are understood as the ability to understand, evaluate and verify the reliability of solutions in the market, operational skills as the effective use of technologies to increase … Continue reading. The digital transformation of government activities (e.g. e-ID identification and electronic signature) should also be reclaimed^[91]Türk and references..

Intellectual property regulation is a key element in strengthening innovation, data protection and trade secrets (e.g. algorithms and data analysis tech­niques)^[92]See March/Schieferdecker.. However, regulation alone is insufficient, as only an understanding of the technologies and an ex ante analysis of the regulation can strike the right balance between protection and free use^[93]Pagano, 1413.. It is in this spirit of balance that data flow is at the heart of the development of innovation policy, including artificial intelligence (AI), which explains why it is the subject of numerous legislative developments in Switzerland and abroad.^[94]In European law, one thinks of sectoral or horizontal regulations, such as the GDPR, the Regulation on the free flow of non-personal data, the Open Data Directive, the Data Governance Act, the … Continue reading In addition, com­ple­men­tary support measures (e.g. standard contracts, certification, awareness raising and training) could be used to promote data flows rather than major legislative measures^[95]The European certification mechanisms for a sovereign cloud are good examples that Switzerland could learn from, especially given the similar considerations that led the EU to turn to certification … Continue reading.

3. Cyberadministration

a) Federalism and the distribution of powers

Digital sovereignty presupposes that the state can freely decide whether and how to digitise its internal processes and services to the population (cyberadministration) under the right conditions and independently^[96]The term “cyberadministration” is used here in a broad sense to refer both to the transformation processes of the administration and to the digitised processes themselves providing administrative … Continue reading. Digital sovereignty can also mean not digitising certain services (e.g. for cybersecurity and/or digital sobriety reasons).

Digital sovereignty is a cross-cutting issue, which requires a common public policy for the Confederation, the cantons and the municipalities^[97]Montavon, 25 ff; FDF, Digital Administration (website); Federal Council, Swiss Digital Strategy 2020, 12.. The main constraints stem from the federal nature of the state (federalism). The cantons are sovereign as long as their sovereignty is not limited by the Federal Constitution and their rights are not delegated to the Confederation (art. 3 Cst/CH^[98]Cst/CH stands for the Federal Constitution, RS 101.). Thus, if digital transformation (in the broad sense including administration and society) is considered a new task of the state, it is by default a cantonal task^[99]Montavon, 53 ff.. Consequently, there is a certain tension between power decentralization (which is guided by the cantonal autonomy, Art. 47 Cst/CH) and power centralization (which is guided by the efficiency principle, Art. 170 Cst/CH). This raises the question of how far the Confederation can restrict cantonal competences for the sake of efficiency.

In this context, many voices advocate the introduction of common norms and standards at all levels of the state, while others see the diversity of technical solutions adopted in the various communities that make up the federal state as an asset in terms of cyber security^[100]This is illustrated by the electronic patient file (EPR) project, for which it was decided to introduce the EPR in a decentralised manner through officially certified regional “communities”. See … Continue reading. The cantons will also be better able to take account of their specific characteristics (e.g. large cross-border population)^[101]To take account of these constraints, more flexible modes of collaboration can be used (e.g. Framework Agreement on eGovernment Collaboration in Switzerland).. On the other hand, when a competence has been entrusted to the Confederation by means of a federal constitutional amendment and the Confederation has made use of its competence, the cantons are no longer competent to make certain choices (e.g. in the area of digital transformation) (Art. 49 Cst/CH; primacy of federal law)^[102]This is illustrated by the debate on the deployment of 5G technology, in respect of which the Constitutional Chamber of the Geneva Court of Justice annulled the Geneva law on buildings and various … Continue reading.

b) Principle of rule of law

Digital transformation must comply with the principle of rule of law (Art. 5 para. 1 Cst/CH), which requires that any state action be based on a legal basis (legal basis requirement) and that the latter be sufficiently precise (normative density requirement)^[103]Malinverni et al., 683 ff; OFK-Biaggini, BV 36 N 13 and BV 164 N 3-4, recalling that the degree of requirement depends on the norm in question (see Art. 36 para. 1 and 164 para. 1 Cst./CH requiring … Continue reading. In our view, the digital transformation must be based on formal legal foundations (legal basis requirement), given its importance beyond the organisational measures of the administration^[104]Montavon, 350 ff.. Much of the debate surrounding digital transformation currently focuses on the re­quire­ment for a legal basis, as in the case of the LMETA^[105]Loi fédérale du 4 mars 2022 sur l’utilisation des moyens électroniques pour l’exécution des tâches des autorités, FF 2022 804, 2., and the awarding of cloud contracts to private service providers^[106]Federal Supreme Court, Decision 1C_216/2022 of 28 July 2022.. However, the requirement for normative density must be equally analysed and well used. The technical complexity of the field and its development make it difficult to regulate exhaustively in law. To a certain extent, therefore, it seems legitimate to allow for clauses delegating powers to the executive^[107]Montavon, 323: The author also identifies a phenomenon of ‘legislative inversion’, which reverses the traditional model of elaboration and hierarchy of norms. On this phenomenon, Flückiger, … Continue reading, as well as references to technical standards^[108]Zufferey, 61 ff..

Finally, one could consider experimental legislation, that is to say legislation that is limited in time and to specific sectors, which can be then evaluated and, if necessary, made permanent and extended to other sectors (e.g. the LLExp in Geneva)^[109]Loi genevoise du 14 décembre 1995 concernant la législation expérimentale (RS/GE A 2 35).. This solution would be well suited to the digital transformation of the administration and society, which is currently in the midst of a “learning phase” and characterised by legal uncertainties^[110]Montavon, 431 ff. On experimental legislation and the precautions that must accompany its use in a rule of law, Flückiger, Légistique, 660 ff; Flückiger, Droit expérimental, 142; Cottier, … Continue reading. This solution would allow time to learn and to develop the elements necessary for the adoption of a final regulation at a later stage^[111]See FOJ, Guide to Legislation, 269, which sets out the principles that must be observed when creating and applying legislation of an experimental nature.. It should also be added that innovations may be proposed at the cantonal level before being considered at the federal level, which can be called the “laboratory of federalism”^[112]For a recent example, one can think of the draft constitutional amendment in GE for the recognition of a “right to digital integrity” (Cst.-GE) (For a strong protection of the individual in the … Continue reading.

c) Three steps of the implementation of public policy

In the implementation of public policy, it is useful to distinguish between different steps (each of which takes place at the three levels of the state, Confederation, canton, municipalities).

As a first step, a planning phase should be carried out to examine existing technical solutions and the risks they pose to the values and principles of the Swiss rule of law (e.g. massive data collection, concentration of a few hyperscalers, extraterritoriality of foreign laws, threat to secrecy), in order to identify strategic choices, such as legislative initiatives at the international or national level^[113]Federal Council, Message of 4 March 2022 on the Federal Act on the Use of Electronic Means for the Execution of the Tasks of the Authorities, FF 2022 804; DETEC/DFAE, Report on the Creation of … Continue reading. This implies clarifying the division of competences between the different levels of government, the role to be played by public authorities (e.g. service providers and/or issuers of an appropriate legal framework or self-regulation)^[114]DETEC/DFAE, Report on the Creation of Trusted Data Spaces, 40. and the need for dedicated infrastructures (e.g. National infrastructure of network for mobility data, NaDIM in the field of national mobility data infrastructure), cooperation bodies (e.g. Swiss Digital Ad­min­is­tra­tion ANS in the field of cyberadministration) and the authority(ies) in charge to support or promot digital transformation within each public authority (e.g. at federal level, the Federal Statistical Office (FSO) for networking AI skills)^[115]At the cantonal and communal level, for example, the digital delegates who meet in the Assembly of Delegates of the Swiss Digital Administration. See Federal Chancellery, Digital Transformation and … Continue reading. In a second phase, the implementation phase begins, which consists of the adaptation of existing legal texts (e.g. LMETA), the creation of new bodies or the selection of companies to provide the desired services^[116]At the communal level, the Municipal Council of the City of Geneva voted on 28 June 2022, on the proposal of the Administrative Council, a credit of CHF 2,000,000 for the implementation of the Office … Continue reading. In a third phase, the measures adopted, and their implementation are monitored. This control is carried out by judicial or supervisory bodies and may lead to changes in the adopted legislation in order to comply with the set requirements.

d) Public procurement law

Digital transformation of the administration must also take into account public procurement law, as the procurement of ICT by administrative entities from private companies is in principle subject to public procurement law^[117]Public procurement law includes the agreements ratified by Switzerland in the field of public procurement, i.e. the WTO Agreement on Government Procurement revised in 2012 (“GPA 2012”, RS/CH … Continue reading. This requires an analysis of the scope of application of public procurement law (e.g. which IT services are subject to the Public Procurement Agreement with their classification code).

The application of public procurement law makes the wording of tenders and the requirements set by contracting entities crucial. For example, the tender “Public Clouds Confederation” in 2020 for the provision of cloud services for a period of five years required that “[t]he bidder must have data centres on at least 3 continents (including within the European Economic Area”^[118]See simap.ch, project no. 204859 (call for tender of 7 December 2020).. This meant that Swiss companies were excluded from the procedure and the award decision selected foreign companies. This being said, public procurement law allows a certain amount of leeway for the use of direct agreement procedures, particularly in the case of an in-house solution or the presence of a single company capable of supplying the required goods or services. It should also be noted that the European States are interested in the American procedures for awarding public contracts (e.g. the Small Business Act), which have enabled the development of technological giants, by putting in place instruments enabling small and medium-sized enterprises (SMEs) to use public contracts to develop^[119]E.g. the Small Business Act has directed a share of public procurement to small businesses, which has allowed innovative companies to rely on creditworthy customers to improve their products and … Continue reading.

4. Cybersecurity

Cybersecurity is a key element in a digital society, especially in view of the risks of unauthorised access to data, manipulation of information or other forms of cybercrime, which are amplified in a technology-dependent digital society^[120]Federal Council, Security Report, 7. See Durand, 91; National Cyberstrategy, 13 April 2023, 9.. Cybersecurity is a cross-cutting issue that concerns all levels of government, especially in Switzerland, where the division of tasks is governed by federalism. However, cybersecurity has several dimensions for which the responsibility lies at different levels: civil cybersecurity requires consultation at different levels, cyberdefence is primarily a matter for the Confederation and the military, and cybercrime for the criminal prosecution authorities^[121]National Cyberstrategy, 13 April 2023, 9..

Cybersecurity implies the use of resilient ICT, i.e. technological means to ensure the security, confidentiality and availability of data. The sovereign cloud or, more generally, the storage of data in a single territory (data residency) is often mentioned for this purpose^[122]Tipper/Krishnamurthy, 2 ff, distinguish 4 approaches to resilience: isolationist consisting of using domestic components and local labour for a state’s digital infrastructure (e.g. Russia’s … Continue reading. However, this approach may be counterproductive, as the more concentrated the data, the more vulnerable it is^[123]Bauer/Erixon, 26 ff.. Instead, a diversification of hardware and software solution providers is needed to reduce dependencies^[124]Federal Council, Product Security and Supply Chain Risk Management in Cyber Security and Cyber Defence, 7; Bauer/Erixon, 26: Cyber espionage, however, remains undetectable in most cases., taking into account that imported technologies may contain backdoors^[125]And the risk of leakage of critical data or cyber attacks on critical systems. See Berchtold Carina, Have you thought about all the backdoors? in ICTJournal, 22 August 2022; The market is mainly … Continue reading.

Cybersecurity also requires adequate preparedness in case of a cyber incident^[126]Adequate cybersecurity preparedness traditionally involves the following 5 phases: identify, protect, detect, respond, recover (NIST Core Framework). DEFR/OFAE, IT Resilience, 14 ff., which implies the development of (production, decision-making and/or operational) skills, the establishment of contracts to maintain (legal and de facto) control over data^[127]Contractual commitments include the commitment to technical and organisational measures (e.g. data encryption), the absence of liability in the event of a breach of confidentiality, the obligation to … Continue reading and of monitoring and compliance processes with regard to potential breaches of applicable regulations^[128]Tan et al., 3; Tipper/Krishnamurthy, 2 ff.. Cybersecurity also requires a clear legal framework, possibly by strengthening legal in­stru­ments (e.g. criminal offences, obligations to report cyber attacks)^[129]These obligations are provided for in various laws and reinforce the identification of threats, in particular in the NISP (Art. 24 NISP) and in the ISL (Art. 74a ff ISL). See FF 2023 84., by National Cybersecurity Center’s (NCSC) recommendations and incentives or constraints to ensure compliance^[130]See Chavanne Yannick / Züllig Yannick, Cybersecurity: the Confederation launches a prevention campaign, in ICTJournal, 5 September 2022; Koller Rodolphe, Mobilising employees to report phishing … Continue reading.

Internationally, it would be interesting to look for global solutions to protect civilians in case of state cyber attacks^[131]E.g. Digital Geneva Convention was envisaged to protect cyberspace. See Digital Geneva Task Force, A white paper to make Switzerland the core of digital governance in a secure digital world, 9., to sanction government cyber attacks^[132]Breitenfeldt/Jordan, 959 ff. and to subject technology companies to humanitarian law rules^[133]E.g. based on the Montreux Document. See DFAE Montreux Document (website) and ICRC, The Montreux Document (website).. It would also be interesting to develop political-legal measures, such as virtual embassies (i.e. data storage with immunity/inviolability status like diplomatic missions)^[134]The Estonian state stores a duplicate of critical data “in a friendly country”, in order to ensure system continuity in case of a serious cybercriminal attack on the national state … Continue reading.

5. Recommendations

On this basis, several recommendations can be made to guide public action on digital sovereignty. With regard to data sovereignty, it is recommended that, when foreign laws apply in Switzerland, the courts analyse their compatibility with Swiss sovereignty before admitting their extra-territorial effects in Switzerland. When transferring data abroad (whether personal or non personal), it is also recommended that the contractual relationship be adapted to the risk of access to the data by foreign authorities, and that a local solution be preferred if critical data or infrastructures are involved.

With regard to technological sovereignty, it is recommended to favour European and international cooperation (instead of protectionist measures). With regard to state measures, it is recommended to favour complementary support measures (e.g. standard contracts, certification, awareness raising and training) over major legislative measures. It is also recommended to improve the skills of public and private users and to keep full control (e.g. in-sourcing) for the digital transformation of regalian activities (e.g. e-ID identification and electronic signature).

With regard to cyberadministration, it is recommended that the digital transformation be planned on an ongoing basis, carefully analysing the need to adapt or enact the necessary legal bases and public procurement law (e.g., wording of calls for tender or competitive bidding procedures). It is also recommended to clarify which cantonal autonomy remains and, in case of doubt, to consider that there is cantonal autonomy by default in the name of the principle of primacy of federal law and subsidiarity.

With regard to cybersecurity, it is recommended that contracts with ICT providers that include TOMs be put in place. It is also recommended to ensure a clear legal framework, which calls for the follow-up of the NCSC rec­om­men­da­tions and incentives or binding measures to ensure compliance. Internationally, it would be interesting to look for solutions to protect civilians in the event of state cyber attacks, to subject technology companies to the rules of humanitarian law and to develop solutions such as data embassies.