As the Frankfurter Allgemeine Zeitung (FAZ) reported at the end of last week with reference to the German government, the Federal Economics Minister Peter Altmaier is striving to create a European cloud network. More specifically, small providers from the cloud sector should join forces by creating an open network and therefore providing Europe with computational power. As a source for this information, the FAZ cited an internal paper of the Minister, according to which a European data infrastructure is the goal. The German government continues to plan to assume a central role as a user of the European cloud. The decision whether the project initially named “Gaia-X” should be founded as a company, foundation or association currently still remains open.
Considering the current dominance of US cloud providers the advance of Mr. Altmaier is not very surprising. At the moment many companies in Germany as well as the state itself often fall back on services from American providers – the cloud environment is currently being dominated by Google, Amazon and Microsoft. However, the fact that the use of these services can be problematic in terms of data protection and data security for users has long preoccupied companies and authorities in this country. At least since the so-called CLOUD Act came into force in March 2018 many organizations face a real dilemma, because in practice this is not compatible with the EU’s current GDPR, but strongly contradicts it. The US-law, called the “Clarifying Lawful Overseas Use of Data Act”, is a further development of the Patriot Act of 2001, which regulates the disclosure of personal data of US companies to American authorities. Since March last year, IT companies – for example in the cloud sector – are legally required to grant access to stored data on demand even if it has been stored outside the USA. This even applies if local laws at the place of storage prohibit disclosure. The fact that the GDPR states that companies may not disclose their information stored in the EU without a mutual legal assistance agreement therefore poses major problems for commercial users of US cloud services. Particularly with regard to the sensitive penalties under the General Data Protection Regulation of up to 20 million euros, or four percent of the annual turnover, companies should carefully consider this situation and only use solutions that guarantee conformity with the European law.
The advance of the Federal Economics Minister should be welcomed, since Gaia-X has the potential to create a real force to counterbalance the current dominance of US cloud providers. Since ultimately their use can lead to massive problems in the fields of data security and data protection for companies. To keep the sovereignty over their own data, companies should not take risks when choosing a suitable solution and ideally choose software “Made in Germany” with European server locations. Providers from this area must comply with strict German data protection laws, guarantee compliance with regulations such as the GDPR and preserve digital freedom thanks to data sovereignty.