Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration
In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany). The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give shape to these concerns.
Germany’s federal cloud and IT consolidation plan
The Bundes-Cloud is part of a larger plan of the German government to consolidate the entire IT infrastructure of the German federal administration by 2022 (for the press release in German, see here). The idea of a Bundes-Cloud is not entirely new, but has now been concretized as part of the consolidation plan.
In particular, the consolidation plan aims to:
reduce the number of server and data center locations (currently more than 1,300) and to centralize IT operations (with one or two IT providers);
develop IT applications and services centrally; and
centralize IT procurement.
The project is led by the Federal IT Representative (BfIT) of the Federal Ministry of the Interior. In parallel, Germany wants to create federal cloud infrastructure in order to improve the performance, flexibility, security and data protection of the federal administration’s IT. According to the German Interior Minister (see here), the Bundes-Cloud is a reaction to the trend of “more and more IT companies processing and storing data in the Internet, outside of our networks and outside of Germany.”
It is unclear at present whether this cloud infrastructure will be developed from scratch, and by whom. The design phase is scheduled for completion by the end of 2016, with the Bundes-Cloud starting to operate by the end of 2018. The Federal Office for Information Security (BSI) will be involved in the project, and is expected to prepare security requirements for cloud computing.
New criteria for the use of cloud services by the federal administration
In the meantime, in August 2015, the BfIT published a set of criteria for the procurement and use of cloud services by the federal German administration, endorsed by IT Board resolution No. 2015/5 (see here). These criteria have been developed in response to a call of the IT Board (which is comprised of, among others, the IT representatives of the different German ministries, of other German constitutional organs, the German Federal Court of Auditors and the German Federal Commissioner for Data Protection and Freedom of Information) for the Interior Ministry to develop a catalog of minimum requirements in relation to IT security, data protection, interoperability and standards for use of private sector cloud services by the federal administration.
Although these criteria only directly target the federal administration, they are seen as “a signal, which others may follow” and as such may create a ripple effect, both at state-level as well as in the private sector.
Key criteria for the use and procurement of cloud services (SaaS, PaaS and IaaS) provided via the Internet by entities in the private sector, set out in resolution No. 2015/5, include:
1) The federal administration must conduct a prior check whether comparable and appropriate services can be provided by the federal administration or third parties on behalf of the federal administration, including state-owned companies (the preferred solution).
2) Any plans and procurement for the use of cloud services will respect the following principles:
Information which needs to be protected (e.g., business secrets and sensitive data about the federal IT infrastructure) must exclusively be processed in Germany. Cloud providers must enter into a Non-Disclosure Agreement, whereby such data may not become subject to foreign disclosure and access obligations.
Cloud providers must implement appropriate technical and organizational measures to ensure that data which is subject to specific secrecy obligations is not disclosed to unauthorized third parties. German data protection rules applicable to outsourcing to processors must be respected.
Cloud solutions that use open standards should be preferred in order to avoid lock-in effects and economic dependencies, and the existence of alternative providers should be considered.
The costs (including, for instance, costs for migration, insourcing, training and monitoring) and risks associated with usage of the cloud services must be evaluated, including in terms of efficiency, reliability and security. A prior risk analysis must be conducted, examining the security measures offered by the provider. The provider must provide contractual assurances that the security measures have been implemented, and allow the federal administration to conduct adequate controls.
Contracts must, for example, contain price guarantees, and provide for the application of German governing law and jurisdiction of German courts.
Outright acquisition of long term use rights is preferred over use rights which are limited in time (leasing/rent) or which the provider can unilaterally terminate or withdraw on short notice.
Cloud providers must provide proof of their incident management system, and show that they offer sufficient information security, preferably on the basis of specific ISO norms and BSI standards or procedures.
The recent rise in data localization requirements have caught the European Commission’s attention. As part of its Digital Single Market Strategy, announced on May 6, 2015, the European Commission committed to launching a European free flow of data initiative, which will tackle unjustified restrictions on where data is located or accessed from. The European Commission will be gathering information on existing data location restrictions as part of its forthcoming public consultation the regulatory environment on platforms, online intermediaries, data and cloud computing and the collaborative economy (for a leaked draft of the consultation, which is only expected to be officially released later this month, see here).