April 23 is St George’s Day, the national day of England. To be truly patriotic, I could have led with “Host your cloud in the UK”. But it would also be of help to English cloud providers and their customers to dispel one of the confusions about German data protection law. A US provider looking to set up its EMEA operations called me in a quandary saying he had been told that, unless the operations are based in Germany, he wouldn’t get any German customers as German data protection law, the Bundesdatenschutzgesetz, requires German personal data to be kept in Germany – it can’t even be transferred to the UK. In fact, numerous people have asked me this. So, last year I interviewed a German legal expert, Andreas Leupold, on this very point.
German law does NOT say keep data in Germany
He said this rumour is plain wrong: the EU data protection directive prevents Germany – and all EU Member States – from restricting or prohibiting the free flow of personal data to another EU Member State on privacy considerations.
For more info, check out the original interview. In order to balance this out, remember UK law doesn’t prevent transfer of data to Germany either.
If you would like assistance on German data protection laws, email me and I’ll put you in touch.
[…] In my experience, data security and, specifically, data protection laws are used as a lazy way of not making a decision that will lead to change. Sometimes this is to protect a large established on-premise IT team and the kudos and budget that goes with it. Sometimes it is a specious understanding of what the law says: yes it says be careful how and where you store your data but, no, as a general rule it doesn’t say you can’t move data outside the UK / Germany / EU / EEA / into a cloud. […]