According to the Business Software Alliance’s (BSA) “Global Cloud Computing Scorecard”, Germany is ready for the cloud computing age, ranking at a spectacular No. 3, ahead of such cloud computing powerhouses as the United States, Italy and Poland! If you’re interested in the methodology (a word that my spell check has never heard of) used by the BSA, go here. Either way, the result is interesting. Because, and I know I’m repeating myself, if you ask data protection practitioners in Germany, “ready” is certainly not the term that comes to mind when dealing with the cloud.
As of now, data protection authorities, at least some of them, effectively reject that you can use the available standard services such as Amazon’s Web Services, not to speak of services like Dropbox, and be compliant with German data protection law (for a good example of the attitude, read this). Now, of course, if the providers would just listen and change their ways… But, as of now, there is still a huge amount of legal uncertainty around. So, it was a good thing that the “Data Privacy” bracket of the Scorecard was not one of the really heavy hitters in terms of its relative weight in computing the score (strangely, we did score a 6.6 over the 6.5 score of the U.S. What does that tell us?).
I do not think that using a cloud computing service is per se unlawful, even with the services and policies available today. But I do understand the concerns. In the end, it is a matter of how much control – not in technical terms, necessarily, but in your own approach to the business solution you are looking for – you exercise when you choose your cloud computing service as well as your approach as to what you want to do with it.
You are afraid your data will be stored outside of the EEA (a no no for our data protectors)? Choose a provider who guarantees that your data will stay in the EEA.
You are afraid that the data you are dealing with is too sensitive? Well, don’t use a cloud computing service for such data, but don’t let that keep you from thinking about using it for other data.
You think that cloud computing and the data protection level that is expected from you don’t mix? Encrypt the data and make them “anonymous” (oops, there it is) for everyone but you before it leaves your own network (independently of the cloud computing provider of your choice, and on your own devices). The technology exists.
The bottom line, in my opinion, is that privacy protection and data security remain as much tasks for your CIO as ever. Whether it is about your own IT or about employing the services of a cloud computing provider doesn’t really make a difference. At least it doesn’t in legal terms. If the demand in the market for high end data privacy and data security solutions is there, the rest will follow. And it won’t be by some tweaking of the dreaded data controller to data processor agreements, but rather through technological solutions for a technological problem.