New German rules for government cloud computing means official data can only be processed in Germany. The restrictions are a strike against US-based cloud providers such as Amazon and Google.
German IT officials agreed on terms for public sector cloud use on Tuesday (18 August).
“Cloud providers have to sign a non-disclosure agreement, according to which these data aren’t allowed to end up in foreign disclosure obligations and access abilities that can be used against cloud providers outside the Federal Republic of Germany,” the rules specify.
The caveat about cloud providers that are beholden to foreign disclosure obligations alludes to the American tech companies that have been legally required to share client information with US intelligence agencies.
The document also limits German government offices to only using clouds certified by the government’s IT security office BSI, or by equally strict standards.
Germany is planning a “Bundescloud” to host government data as part of a larger move to slim down several government ministry IT services.
The new rules on government cloud use only affect national agencies, but the Federal Ministry of the Interior is nudging the private sector to follow its lead.
A press release on Monday (17 August) called the measures “a signal that others can orient themselves around, like for example the IT industry with its cloud services.”
German Commissioner for Information Technology Hans-Georg Engelke said in a statement, “The criteria make clear what cloud services the national government will buy in the future.”
A number of other EU member states have issued guidelines for consumer and government use of cloud computing that generally outline concerns for data protection and other considerations, primarily focused on security.
But Germany’s new rules get to the heart of the cloud industry’s achilles heel: Almost 40% of European companies using clouds named security as the main factor limiting their use, according to Eurostat’s most recent reading of attitudes towards clouds.
The European Commission will start consulting with businesses, government regulators and others on cloud use this fall ahead of proposals anticipated for next year as part of its digital single market plans. The inquiry will focus on cloud company certification, contracts and setting up a European cloud for research.
Despite broad reluctance about security concerns, the Commission talked up the potential of clouds in its May digital single market announcement, citing a potential €450 billion clouds could add to the EU’s GDP over the next five years.
EurActiv reported last month that the EU cybersecurity agency ENISA lacks the funds and technology experts to do sufficient research on cloud security.
For consumers who are wary of cloud security, plans to build up cloud use between EU member states might not ease concerns.
A study last fall by tech consultancy Pierre Audoin Consultants showed German companies are warming up to clouds, though 57% of those polled said they’d prefer their company data be processed within Germany.
Cloud providers can qualify for the ‘German cloud’ certification if their servers and company headquarters are in Germany. Veerle Türling, spokesperson for Cloud Ecosystem, the organisation that approves German cloud and other certification, said about 85% of the small and mid-sized cloud providers certified by Cloud Ecosystem process data only in Germany.
“German companies are more sceptical about clouds than our European neighbours,” Türling said.
The Commission wants to dispel reluctance towards data processing in other EU countries, as its inquiry over cloud use approaches next month.
According to the Commission’s digital single market strategy, “Data localisation requirements can in fact limit the benefits offered by digital services such as cloud computing as they create barriers to EU cross-border data transfers, limiting the competitive choice between providers and raising costs by forcing organisations and companies to store data on servers physically located inside a particular Member State.”
Commission spokesperson Nathalie Vandystadt said of Germany’s new rules on cloud use, “The European Commission supports such individual initiatives from Member States that aim to build trust in cloud computing. However, common solutions at European level are necessary to avoid the fragmentation of the market and to create jobs and growth for the digital economy in Europe.”
Cloud computing describes a whole range of infrastructure, software, data or applications residing in the cloud – that is to say, off your own premises and accessed via the Internet.
A number of EU member states have expressed interest in starting public national clouds. The European Commission floated the idea of a 'European cloud' in the wake of Edward Snowden's 2013 revelations about US intelligence agencies' surveillance in Europe.
August 2015 rules prevent sensitive data from Germany's government agencies from being processed outside of Germany.
The European Commission is launching a public consultation on cloud computing in fall 2015 and will propose legal measures in 2016 focusing on cloud contracts, certification, switching providers and on setting up a European research cloud.
- Fall 2015: the European Commission will conduct a public consultation on cloud computing
- 2016: the Commission will make proposals on clouds, focusing on contracts, certification and a European research cloud