Good morning Mr. Rosenthal. Your career in data and technology law is highly diverse. Could you please share the experiences and milestones that have particularly shaped you and led you into these fields of law?
One of those milestones was a conversation with my father when I was a young adult. At the time, my hobby was programming, and we discussed whether I should become a software engineer. However, we also talked about law. Both disciplines have much in common; both are about rules and how things need to function. I felt that law offered me more flexibility and impact, so I chose it academically while continuing to deepen my technical skills through self-study. Analytical thinking, however, is essential in both fields. The third pillar, journalism, I discovered when I became, I believe, Switzerland’s first online journalist, creating content for my BBS system, a precursor to today’s blogs. I attended press conferences and gathered press releases; a journalist from the Basler Zeitung explained how it all worked. I was also an independent entrepreneur from the beginning, even during my school years. This unique mix shaped me.
What does a typical workday look like for you, especially as a partner at VISCHER, and what experience particularly stands out for you?
My days are long and filled with interactions, new topics, and continual problem-solving. There are many video meetings and workshops with clients, meetings with colleagues in my team or with others at the office, and, of course, handling dozens of emails each day. The reason for the long workdays, however, is not just the usual workload, but the fact that I have so many ideas for other projects I could pursue, including new publications, innovative approaches to legal issues, and, as of this past year, a return to software development. I want to bring these ideas to life.
When I need to tackle bigger challenges or in-depth work, such as writing a legal analysis on a new topic, drafting an article, or preparing a complex contract, I need silence, which I often only find early in the morning, in the evening, or on weekends. I also have administrative tasks, but thankfully not too many — my excellent office team takes care of scheduling and other organizational details for me.
At VISCHER, you have built and led the data protection practice. Could you share some of the biggest challenges you faced and explain how you overcame them?
I still lead it and we now have about a dozen people in the team. My greatest personal challenge, alongside time management, is leading my team. This is not something we learn at university. I also needed to overcome my hesitation to delegate tasks and avoid micromanagement. This ranges from managing my calendar to interacting with clients. The latter, in my view, is especially important for the younger, motivated lawyers in my team. They should learn to take responsibility, think entrepreneurially, and sharpen their psychological skills alongside their legal expertise. For instance, recognizing where a client is struggling, understanding what is truly needed in legal advice, or what leads to success in contract negotiations. When I assign someone a task, it is not just about my trust in their ability to complete it. I also need to ensure that they have the same standards and expectations as I do regarding how tasks are carried out. In my experience, that is the bigger challenge.
Regarding the assurance of data protection in Switzerland, particularly in dealing with the MS Cloud and the use of HYOK (Hold Your Own Key), what technical and legal challenges do you see and how can they be effectively addressed?
Today, we have a good understanding of what is required for the legally compliant use of cloud services in Switzerland. Data protection has never really been the issue. Rather, it is the protection of professional and official secrecy, despite the concerns raised by data protection authorities. However, these authorities are now realizing that their negative stance was largely based on ignorance and in some cases emotional reasoning.
The Hold Your Own Key approach, which involves encryption where the provider has no access to the key, is generally unnecessary and would likely disrupt most applications today. I actually want the provider to do something with my data. However, there are other considerations such as data storage in Switzerland, access restrictions, and specific contractual obligations. In my view, the bigger challenges lie elsewhere, such as the increasing dependence on major hyperscalers like Microsoft, AWS, and Google. So far, we have been able to find solutions for our clients in many areas because the hyperscalers wanted to enter the market and were therefore willing to compromise. But what will it be like in the future? For instance, we are also creating concentration risks with them regarding security. The lack of transparency, constantly changing systems and contracts, and their complexity are challenges that are often underestimated.
What are the advantages of a risk-based approach, particularly in Swiss administration, and do you consider an exit strategy to be relevant?
The question assumes that we have a choice. The risk-based approach is simply valid because our data protection and many other areas of law are based on it. Again, some data protection authorities advocate for somewhat strange approaches without proper justification. Our lives are full of risks, and 'zero risk' does not exist. There is a risk of being killed by a cow or struck by lightning while hiking. This risk is low, and we can reduce it, but it is never zero. Total focus on individual risks, such as the US CLOUD Act in the cloud sector, is misguided and likely due to the fact that some local authority representatives are unfamiliar with it. They envision terrible scenarios instead of examining it more closely and realizing that we have all of this in Europe too. When an administration moves to the cloud, it must weigh all risks and opportunities. None should be unacceptably high, but if they are not, a balancing of options is necessary and permissible. Public administrations have no problem with this. We have also developed our free, publicly available method 'CCRA-PS' to make these decisions carefully, which is already being used in many places. An exit strategy is always important (and is also required by CCRA-PS) because there can be many reasons for changing course, such as if a provider no longer meets requirements. A public administration should have a plan in this regard.
What technical and (governmental) defense measures can be taken when using Microsoft 365 to prevent violations of fundamental rights?
First, there is the storage of data in Switzerland, as this is an effective means of defending against foreign access. Additionally, it is ensured in practice that provider employees do not have access to data in plain text during normal operations, which is not a problem due to the high level of automation. Additional encryption is utilized; the key is held by the provider, but the customer determines who may use it and how. Certain documents can be protected with so-called sensitivity labels so that they are protected even in the event of data theft or accidental loss. Then there are, of course, the contracts, which are more or less standardized in the case of M365 based on our negotiations today. Finally, a range of internal organizational measures must be implemented, such as regularly reviewing the configuration (Microsoft likes to change things without notice) as well as monitoring security practices and identifying anomalies. With the previously mentioned CCRA-PS, these points can be systematically checked and documented. This is primarily used for larger and more sensitive projects, as it is substantial. There is also my method for assessing the likelihood of government access from the USA or, if necessary, other countries. I am pleased that it has become standard today. However, a comprehensive risk assessment should also be conducted. We often experience moments of realization in workshops with agencies that think they have thought of everything.
What aspects support and oppose the notion that data protection in Switzerland is overregulated?
I do not believe that data protection in Switzerland is overregulated. We have good, reasonable data protection laws. It is much better than the EU GDPR. At its core, it is principles-based. This has the drawback of being harder for non-specialists to understand, but the great advantage is that it is timeless, follows societal values, and adapts well to technological developments.
The main problem in data protection regulation is unfortunately various data protection authorities that believe they do not have to comply with the law and use their position to extend data protection beyond what the legislature intended. When addressed about this, they merely state that affected companies can go to court if they disagree. However, companies often do not do this for opportunistic reasons and instead keep their grievances to themselves. The data protection authorities then feel emboldened and continue to push further. Such behavior from an authority does not align with my vision of the rule of law, and I am not alone in this. Unfortunately, this method is evident not only in the EU but also in Switzerland.
Finally, we would like to ask you for advice for those interested in a career in data and technology law.
You must be willing to learn constantly, not only about the law but also about technology and use cases. Practical knowledge is important here. For example, understanding how data trading in online advertising works or how large language models really function and are constructed. The good news is that there are free and excellent sources of information for all of this. The bad news is that it requires a significant time investment beyond working hours, which some are not willing to make. I can understand that someone is looking for a "9-to-5" job or maybe even "8-to-6" while having other things on their mind. However, my experience is that someone won't reach the top tier in my field with that mindset. The field is evolving too quickly and diversely, both legally and technically. Just as in sports, where not only elite athletes are needed, data protection and technology law also offer exciting opportunities for young people.
Furthermore, what applies to any career is to do something to stand out from the crowd. For example, publications—not just summarizing what others say, but developing a profile with your own opinion or new approaches. Show some passion. I don’t want my employees to simply echo me; I want them to represent their views and challenge me. Unlike in other areas of law, there are still many opportunities in data and technology law to actively contribute to legal development.
Thank you very much for the fascinating insights into your work and Swiss data protection law. We wish you all the best in the future.
Translated by AI