By Holger Dyroff, Co-Founder and COO of ownCloud
In a position paper, Germany’s top data protection officials outline how they envision sovereign clouds. Their demands are welcome, but do not go far enough, regrets Holger Dyroff, Co-Founder and COO of ownCloud.
Recently, the Conference of Independent Federal and State Data Protection Authorities (DSK) published a position paper defining criteria for Sovereign Clouds. The paper is divided into the categories of traceability, data sovereignty, openness, predictability and regular auditability and lists the respective criteria, distinguishing between must and should criteria. Among other things, it lists as mandatory criteria that there is no access by third countries, that applicable law can be effectively enforced, that the providers are based in the European Economic Area and that the data processing also takes place there.
With this position paper, our top data protection officials declare the cloud platforms of the big US players practically unusable: none of them meets the mandatory criteria. At the same time, the DSK probably gives the green light for the cloud offerings that SAP is planning with Microsoft and Telekom with Google. With the “Delos Cloud”, SAP wants, among other things, to make Microsoft 365 available to the public administration in the future, and the “T-Systems Sovereign Cloud” is to provide authorities and companies with the services of the Google Cloud in the future. The management of the services and the operation of the clouds will be under the control of German subsidiaries of SAP and T-Systems. As a kind of trustee, they are to ensure that no data flows into the USA and thus eliminate the deficits of the current US clouds.
The DSK’s position paper is welcome. It makes an important contribution to the discussion on digital sovereignty, which the European Union and also the German government repeatedly state is a desirable goal. However, the paper does not go far enough. Its mandatory criteria undoubtedly guarantee more digital sovereignty than today’s public clouds offer. However, this is only a medium level of sovereignty. It corresponds pretty much to the level that authorities and companies get with classic on-premises implementations in their own data centres.
For a high level of digital sovereignty, more is needed. It also includes the possibility of self-determination, and this requires transparency and independence. However, the guarantors of this, namely open source and open standards, are only listed in the DSK’s position paper as should criteria. This is regrettable, because open source enables organisations to check the software they use themselves, or have it checked by external service providers, and thus decide for themselves whether they can use it to comply with data protection regulations. And open standards allow organisations to exchange software for an alternative solution at any time because they can transfer their data to it without obstacles. This is what real sovereignty looks like.