German Federal "Trusted Cloud" Project

By Alexander Duisberg


German Federal "Trusted Cloud" Project publishes series of 12 papers on the legal framework

The German Ministry of Economic Affairs and Energy has released on April 13, 2015, 12 papers on the legal framework for cloud computing, as part of the Federal "Trusted Cloud" project.

Over three years, a working group of about 30 legal experts – including from the Federal Ministry, various heads of national and regional German data protection authorities, German industry representatives (such as from Deutsche Bank, Deutsche Telekom, SAP as well as also SME companies), academia and a very limited number of attorneys (including Bird & Bird's head of the Software & Services Industry Focus Group, Alexander Duisberg, Munich) – have explored how the legal framework needs to be further developed, to ensure that cloud computing is widely adapted in particular by the German Mittelstand, the heartland of Germany's economy.

One of the principal outcomes, a framework for certifying cloud services, has gone directly into EU process of the EU Privacy Regulation (see Articles 39, 39a of the various drafts). The papers address a wide spectrum of further legal issues, addressing needs for legislative development, as well as providing practical guidance on the current state of the law. The papers are designed to give a balanced view, considering the position of providers and users of cloud computing services. The papers address, inter alia:

  • The German legal framework for cloud computing contracts
  • Licensing issues
  • Open source
  • Liability issues
  • Data protection (including an innovative concept to classify the level of privacy protection required according to the level of data sensitivity)
  • Procedures for the issuance of certificates through private and public institutions
  • A catalogue of possible test criteria measured against the requirements of data protection law
  • Particular issues dealing with health data and Section 203 of the German Criminal Code

All papers can be viewed and downloaded (in German) here.

The initiative is complimented by a pilot-project later this year, where applicants have been invited to submit existing cloud solutions, in order to be tested against the criteria developed by the working group.

While the framework is not directly applicable law as of now, it is a significant indication on how German and European legislation is likely to further define compliance requirements for "trusted cloud services".

The German Federal Data Protection Officer Andrea Vosshoff has congratulated the Federal Ministry of Economic Affairs on this milestone of developing a reliable framework for secure and trustworthy cloud computing.

Iris Gleicke, Parliamentary Secretary of state at the Federal Ministry of Economic Affairs and Energy emphasized that a reliable framework for "trusted cloud computing" is a key driver for the digital transformation of the German Mittelstand, which is the core of Germany's economy.

Bird & Bird's Alexander Duisberg adds: "The composition of the working group with well-known protagonists of data protection authorities including, inter alia, such as Thilo Weichert (Schleswig-Holstein), Thomas Kranig (Bavaria), Ulrich Leppert (Head of the Duesseldorfer Kreis), the broad range of further stakeholders represented in the group (both on the provider and the user side), and the fact that all papers were adopted unanimously, vests these papers with an inherent authority that is difficult to find anywhere else in the field. It is well possible that German government will enact a framework that enables private and public institutions to certify cloud services, even before the EU Privacy Regulation enters into force."