Recently, the Conference of Independent Federal and State Data Protection Supervisors (DSK) published a position paper defining criteria for Sovereign Clouds. The paper is divided into the categories of traceability, data sovereignty, openness, predictability and regular auditability, and lists the respective criteria for each, distinguishing between must and should criteria. Among other things, it lists as mandatory criteria that there is no access by third countries, that applicable law can be effectively enforced, that the providers are based in the European Economic Area and that data processing also takes place there.
With this position paper, our top data protection officials declare the cloud platforms of the major US players practically unusable: they all fail to meet the mandatory criteria. At the same time, the DSK is probably giving the green light to the cloud offerings that SAP is planning with Microsoft and Telekom with Google. With the “Delos Cloud”, SAP wants to make Microsoft 365 available to the public administration in the future, among other things, and the “T-Systems Sovereign Cloud” is to provide authorities and companies with the services of the Google Cloud. The management of the services and the operation of the clouds will be under the control of German subsidiaries of SAP and T-Systems. As a kind of trustee, they are to ensure that no data flows into the USA and thus eliminate the deficits of the current US clouds.
The DSK’s position paper is welcome. It makes an important contribution to the discussion about digital sovereignty, which the European Union and also the German government repeatedly state is a worthwhile goal.
However, the paper does not go far enough.
Its mandatory criteria undoubtedly guarantee more digital sovereignty than is provided by today’s public clouds. However, this is only a medium level of sovereignty. It is pretty much the same level that government agencies and enterprises get with classic on-premises deployments in their own data centers.
For a high level of digital sovereignty, more is needed. Such a level also includes the possibility of self-determination, and this requires transparency and independence. However, the guarantors of this, namely open source and open standards, are listed in the DSK’s position paper only as target criteria. This is regrettable, because open source enables organizations to check the software they use themselves, or have it checked by external service providers, and thus decide for themselves whether they can use it to comply with data protection requirements. Open standards, in turn, allow organizations to exchange software for an alternative solution at any time, because they can transfer their data to it without any obstacles. This is what true sovereignty looks like.
Read the original article (German)