German Federal IT Committee Issues New Restrictions for Cloud Service Providers

August.24.2015

Last month the German Federal Government IT Advisory Committee ("Federal IT Committee") issued new cloud computing service criteria for all prospective vendors to German Federal Agencies. Cloud services providers who offer, or are considering offering, cloud computing services to relevant German Federal Agencies should plan proactively for these restrictive requirements and think of strategies to address them. The Federal IT Committee defines Cloud Services very broadly as any SaaS, PaaS or IaaS, which is provided by vendors not belonging to the public administration of the German States (Länder) or the Federal State.

Under the IT Advisory Committee's criteria, before purchasing third party cloud services, German Federal Agencies must first evaluate whether similar services can be obtained from their own resources, e.g. their own IT department, or Federal or State owned IT providers. If it is determined that the service needs to be outsourced, vendors under consideration must meet the critical criteria summarized below, along with other requirements.

Business sensitive information, including critical infrastructure information, must be stored in servers in Germany.
Cloud service providers must sign vendor contracts agreeing not to disclose sensitive data to, and ensuring that data is not accessible by, foreign agencies. This requirement may trigger compliance issues for U.S. providers due to their obligations under the US Patriot Act.
Data that is subject to professional secrecy rules must be protected against unauthorized third party access.
Personal Data (PII) can be stored/processed in the cloud only when cloud service providers enter into commissioned data processing agreements that conform to the requirements of Section 11 of the Federal Data Protection Act (BDSG).
Open Standards must be used to prevent a "Vendor Lock-in."
Service contracts are subjected to German law and German courts, and do not include mandatory preceding alternative dispute resolution.
The Federal Agency must conduct a risk analysis based on the recommendations of the Federal IT Security Agency (BSI) and contractually ensure that required security controls can be met.

The publication of the afore listed criteria represents a very important, predominantly German trend to localize the data storage/processing services for the purpose of (re)gaining more control over such data that will have significant impacts for US and European cloud services providers. This trend is mainly caused by the news reports on access to data by non-German intelligence agencies. US service providers will thus face significant challenges if they want to continue competing in this market. They will need to find smart technical and legal solutions, but could potentially use this as an opportunity to build a brand differentiator. In addition, this publication demonstrates the need for a better understanding between the US and EU on their security needs and interests if serious business interruptions are to be avoided.

Kriterien für die Nutzung von Cloud-Diensten der IT-Wirtschaft durch die Bundesverwaltung

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.