Last month the German Federal Government IT Advisory Committee ("Federal IT Committee") issued new cloud computing service criteria for all prospective vendors to German Federal Agencies. Cloud service providers that offer, or are considering offering, cloud computing services to the relevant German Federal Agencies should plan proactively for these restrictive requirements and develop strategies to address them. The Federal IT Committee defines Cloud Services very broadly as any SaaS, PaaS or IaaS provided by vendors that do not belong to the public administration of the German States (Länder) or the Federal

Under the IT Advisory Committee's criteria, before purchasing third-party cloud services, German Federal Agencies must first evaluate whether similar services can be obtained from their own resources, e.g. their own IT department or Federal or State-owned IT providers. If it is determined that the service needs to be outsourced, the vendors under consideration must meet the critical criteria summarized below, along with other requirements.
Business-sensitive information, including critical infrastructure information, must be stored on servers located in Germany.

Cloud service providers must sign vendor contracts in which they agree not to disclose sensitive data to foreign agencies and to ensure that such data is not accessible to them. This requirement may create compliance conflicts for U.S. providers because of their obligations under the US Patriot Act.

Data that is subject to professional secrecy rules must be protected against unauthorized third party

Personal data (PII) may be stored or processed in the cloud only if the cloud service provider enters into a commissioned data processing agreement that conforms to the requirements of Section 11 of the Federal Data Protection Act (BDSG).

Open standards must be used to prevent vendor lock-in.

Service contracts must be subject to German law and the jurisdiction of German courts, and must not require alternative dispute resolution as a mandatory precondition to litigation.

The Federal Agency must conduct a risk analysis based on the recommendations of the Federal Office for Information Security (BSI) and contractually ensure that the required security controls can be met.
The publication of these criteria reflects an important, predominantly German trend toward localizing data storage and processing in order to (re)gain control over such data, a trend that will have significant consequences for US and European cloud service providers. It is driven mainly by news reports of access to data by non-German intelligence agencies. US service providers will therefore face significant challenges if they want to keep competing in this market. They will need to find smart technical and legal solutions, but could also use the situation as an opportunity to build a brand differentiator. In addition, this publication demonstrates the need for a better understanding between the US and the EU of each other's security needs and interests if serious business interruptions are to be