Swiss law firms enjoy a degree of protection for attorney-client privilege that very few countries worldwide provide: privilege under BGFA Art. 13. This privilege is non-negotiable. It is the foundation of client trust and a legal obligation whose violation carries criminal consequences.
At the same time, numerous Swiss law firms use cloud services from US providers for their daily work: Microsoft 365, Google Workspace, Dropbox, and various legal tech tools with US hosting. Many are unaware that this creates a compliance risk that may be incompatible with attorney-client privilege.
What the CLOUD Act Actually Says
The Clarifying Lawful Overseas Use of Data Act was passed by the US Congress in 2018. The law is short, and its core is simple: US authorities can require companies subject to US law to hand over data, regardless of where that data is physically stored.
In concrete terms, this means: If a Swiss law firm stores its client data on a Microsoft server in Zurich, US authorities can still demand the disclosure of that data. Not from the law firm itself, but from Microsoft. And Microsoft, as a US company, is subject to the CLOUD Act.
The law does contain provisions that allow companies to challenge a disclosure if it conflicts with local law. However, this challenge mechanism does not provide reliable protection. The proceedings take place before US courts, under US law, and existing case law shows no consistent line of protection for foreign confidentiality obligations.
BGFA Art. 13: Attorney-Client Privilege
Swiss attorney-client privilege is codified in Art. 13 of the Federal Act on the Free Movement of Lawyers (BGFA). It protects everything entrusted to a lawyer in the course of professional practice. This privilege is comprehensive and unlimited in time. It applies even after the mandate has ended.
Violation of attorney-client privilege is punishable under Art. 321 of the Swiss Criminal Code. In cases of qualified commission, it constitutes an offence prosecuted ex officio. Consequences range from fines to imprisonment of up to three years.
Crucially, attorney-client privilege does not only prohibit the active disclosure of client data. It also obliges lawyers to take appropriate measures to protect confidentiality. The use of a cloud service that gives a foreign jurisdiction the legal ability to access client data may be deemed a violation of this duty of protection.
The Gap Between Theory and Practice
In practice, many law firms argue that the CLOUD Act has not yet been used against Swiss attorney data. That is correct, as far as publicly known. But this argument misses two essential points.
First: Compliance is not measured by whether a risk has materialized, but by whether it exists. Cantonal supervisory authorities do not assess whether US authorities have actually accessed client data. They assess whether the law firm has taken adequate measures to prevent such access. The use of a US cloud service for client data may be deemed an insufficient protective measure.
Second: The CLOUD Act is not the only instrument. US authorities have additional legal tools at their disposal, including National Security Letters, FISA orders, and subpoenas. In certain cases, these can be deployed without judicial approval and under a gag order on the affected company. A law firm would not even learn that its data had been accessed.
Technical Safeguards and Their Limits
Some law firms point to technical safeguards: encryption, private keys, zero-knowledge architectures. These measures have their value, but they do not provide complete protection.
Encryption at rest and in transit protects data from unauthorized third-party access, but not from the cloud provider itself. When Microsoft or Google operate the infrastructure, they control the encryption architecture. Even with customer-managed keys, the infrastructure operator retains the technical ability to access the data.
Confidential computing is a promising approach where data remains encrypted even during processing. However, the technology is not yet mature enough to guarantee full protection against a cloud provider compelled to cooperate with authorities.
Contractual assurances from the cloud provider not to disclose data are not legally enforceable in this context. A US company that receives a government order to hand over data must comply. Contractual agreements with customers do not change that.
The DPA Dimension
Beyond attorney-client privilege, the revised Swiss Data Protection Act (DPA) compounds the situation. Art. 16 DPA governs the disclosure of personal data abroad. Personal data may only be transferred to countries that ensure adequate data protection. There is no general adequacy decision by the Federal Council for the United States.
The DPA provides for personal fines of up to CHF 250,000 for violations. Unlike the GDPR, these fines target natural persons, meaning potentially the responsible managing partner personally.
For law firms that fall under both the BGFA and the DPA, a dual risk arises: the same action can simultaneously violate attorney-client privilege and data protection law.
What the Supervisory Authorities Say
Cantonal attorney supervisory authorities have not yet taken a uniform position on the CLOUD Act. However, individual statements suggest that awareness is growing. The Swiss Bar Association (SAV) has highlighted the risks in various publications without issuing a binding recommendation.
It is foreseeable that supervisory authorities will tighten their requirements in the coming years. Law firms that still rely on US cloud services for client data at that point could face significant pressure to adapt.
Practical Alternatives
The good news: there are functioning alternatives to US cloud services that meet the requirements of attorney-client privilege.
Swiss cloud providers. Companies such as Infomaniak, Exoscale, or Green offer cloud services that are fully subject to Swiss law. Functionality is comparable to international providers, and pricing is often competitive.
Self-hosting. For particularly sensitive data, hosting on owned or leased infrastructure in Switzerland can be the safest solution. The administrative overhead is higher, but control is complete.
Swiss AI tools. For AI-powered legal research and document analysis, solutions now exist that are hosted entirely in Switzerland, without US corporate dependencies. The Enclava platform by Mont Virtua is one example: Swiss hosting, Swiss jurisdiction, no CLOUD Act exposure.
Hybrid approaches. Not all data is equally sensitive. A pragmatic solution may consist of leaving non-critical data (public documents, general correspondence) on international platforms and migrating confidential client data to Swiss infrastructure.
A Concrete Action Plan
For law firms looking to review their cloud strategy, we recommend the following steps:
Inventory. Which cloud services does the firm use? Which of these are subject to US jurisdiction? What types of data are stored or processed there?
Risk assessment. Which of the services in use process client data or other confidential information? This is where the greatest risk lies.
Prioritization. Start with the services that pose the highest risk: email, document storage, AI tools for legal research. Less critical services can be migrated in a second phase.
Migration. Replace US services with Swiss alternatives, starting with the priority areas. Allow sufficient time for the transition.
Documentation. Record the measures taken in writing. In the event of a review by the supervisory authority, documentation is the decisive proof.
Conclusion
The CLOUD Act is not a theoretical risk. It is a law in force that enables US authorities to access data held by US companies. For Swiss law firms that process client data on the infrastructure of US companies, there is a real conflict with attorney-client privilege under BGFA Art. 13.
The solution is not complicated: client data belongs on infrastructure that is exclusively subject to Swiss law. Swiss alternatives exist and are practical. The question is not whether, but when law firms will take this step.
If you would like to review your cloud strategy in light of the CLOUD Act, contact us at [email protected] or visit our contact page.