UK and US cloud service providers know that Germany has considerable growth potential for cloud computing services, but some say they have been told that German data protection laws prohibit any data transfer to data centres outside Germany. This misunderstanding is often spread by people who haven’t read the law, who are repeating internal policy as if it were law, or who are seeking to protect their own economic interests. Who better to dispel this and other myths than an expert in German law? So I talked to Andreas Leupold, whose Munich law firm Leupold Legal specialises in all legal aspects related to cloud computing.
Frank Jennings: Andreas, many people believe that German law requires German personal data to be kept in Germany – it can’t even be transferred to the UK. Is that true?
Andreas Leupold: No, this is plain wrong. The EU data protection directive prevents Germany – and all EU Member States – from restricting or prohibiting the free flow of personal data to another EU Member State on privacy considerations. Accordingly, the German Federal Data Protection Act (“Bundesdatenschutzgesetz” or “BDSG”), which implements the directive into German law, provides that the transfer of personal data to bodies in other EU Member States is treated the same way as any data transfer within Germany.
FJ: So, UK cloud providers can hold German data in the UK?
AL: Yes. Transferring personal data from Germany to the UK is permissible if either the data subject (i.e. the individual affected by the transfer) has granted his/her consent or the BDSG provides an alternative legal basis for the transfer.
In fact, if a UK cloud service provider processes personal data for a German customer, the transfer of that data to a British datacentre may not even be considered a “data transfer” in legal terms, as the BDSG treats the cloud provider as processing the data not for its own business purposes but for those of the data controller (i.e. the customer) if the cloud provider is subject to the customer’s directions and other requirements are met.
FJ: Why is data protection so prominent in Germany?
AL: Germans have always been very sensitive when it comes to protecting their personal data from being used by public or private organizations. To understand this deep-rooted mistrust of bodies which collect and process personal data, you must consider Germany’s history. In the Third Reich, Germans were subject to George Orwell-like surveillance and, as the Oscar-winning movie “The life of others” so vividly showed, this situation got even worse after the erection of the Berlin Wall, as any personal expression was noted and examined by the East German state security service, the Stasi. These experiences left a mark on generations of Germans and led to the boycott of the collection of personal data for the national census in 1983 by people who simply refused to answer the questions on their personal details posed by the local communities. The census was later declared unconstitutional by the Federal Constitutional Court.
FJ: Is that changing with the Facebook / Twitter generation happily sharing all their data online?
AL: Today, young Germans are not always aware of the ways their personal data is used by private sector organizations on the internet. As a recent study by the State Institute for Media in North Rhine-Westphalia has shown (PDF in German), adolescents under 15 lack the experience and knowledge to make an informed choice about which data they should publish on social media networks, but this changes as users grow older and come of age.
The current situation is characterized by the so-called “Privacy Paradox”: although most users of social networks under the age of 18 are wary of protecting their personal data, many still divulge more personal information than their rising concern would permit. Overall, though, information such as mobile phone numbers and personal data which affects their privacy is only revealed by a minority of users. While students and young professionals in Germany are generally well aware of the perils associated with the uncritical handling of their personal data and take precautionary measures to protect themselves from unwanted disclosures and uses of their data, personal information has also become a new currency which some are willing to use to receive perceived advantages such as an enhanced user experience or small pecuniary rewards at retail.
FJ: What is the German view of the new EU general data protection regulation?
AL: The forthcoming general data protection regulation received a good deal of criticism in Germany. Much of it was due to the curtailing of the national supervisory authorities’ competencies and the fact that initial drafts of the regulation made the designation of a data protection officer mandatory only for companies with a minimum of 250 employees. These concerns have by and large been resolved by later versions of the draft regulation.
FJ: So, Germans are happy with it now?
AL: No. The BITKOM association is still concerned that the provisions on data processing do not provide clear rules for distributing the liability for compliance shortcomings between cloud service providers and their customers and could lead to legal uncertainty. Also, BITKOM asked for an extension of the permission to transfer personal data to companies in third countries, provided that such companies are subject to binding corporate rules (BCR). This question will still play an important role, as the Safe Harbor agreement with the US became highly controversial as a legitimate tool for transferring personal data in the wake of PRISM. The EU Commission is still negotiating with the USA on how to improve adherence to and enforcement of Safe Harbor.
FJ: Are Germans less likely to do business with US providers following the Snowden / Prism revelations?
AL: German companies have always been reluctant to transfer any of their business data to a US cloud or to countries outside the EU. The Snowden revelations have only spurred their reservations. In particular, small to medium-sized enterprises and family-led companies have a strong preference for selecting cloud providers who either have their seat and datacentres in the EU or at least run their servers in an EU Member State. As a recent study has shown, cloud security is still an oxymoron for many European companies, and the majority of them still have doubts as to whether cloud services are thoroughly vetted before deployment. Uncritical data will certainly still be stored with US cloud service providers, but German companies clearly prefer to store business secrets either in-house or in a private cloud that is run by a European service provider. German companies certainly are not much different from UK companies in this regard.
FJ: So what can cloud providers do to win German business?
AL: Cloud service providers who wish to overcome these reservations, and the unfounded assumption that even service providers in other EU Member States may not offer the same level of protection as a German cloud service provider, must take this seriously and demonstrate their determination to offer their customers storage facilities and software which are in fact more secure than any in-house solution. To achieve this, service providers should not only be certified by trustworthy organisations such as EuroCloud Star Audit or the TÜV but should demonstrate that they ensure their ongoing compliance rather than considering it a one-off, singular effort.
FJ: So, even though UK providers are basically subject to the same harmonised data laws as Germany, German businesses would prefer them to have some form of German cloud accreditation?
AL: Yes, ideally, as German data protection standards are sometimes still higher than European law. They should also prove that they walk their talk by making clear data commitments in their customer contracts that can be relied on by their customers, and by continuously taking all feasible technical measures to protect customer data from any unwanted access by intelligence agencies and/or industrial espionage. Finally, European cloud service providers should play to their competitive advantage of not being subject to foreign laws such as the US Foreign Intelligence Surveillance Act, which means they can’t be forced to surrender any customer data to authorities from third countries.