There seems to be a specifically strong sentiment around security & privacy with German companies after the Edward Sonwden leaks. The kneejerk reaction is to mandate that servers should sit within German borders, as that would take any security & privacy concern away. Cloud providers are now starting to follow this customer demand.
Interestingly this reaction is more sentiment driven as there is no legal ground to request this. Especially as more and more German companies are putting this in place as a default policy, regardless of what type of data (privacy sensitive or not…)
Looking at the Federal Data Protection Act (Bundesdatenschutzgesetz in German) (“BDSG”) it states that certain transfer of data (like personal data) outside of the EU needs to be reported and approved and Data controllers must take appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss or destruction of, or damage to, personal data. Nothing says servers need to be in Germany.
Looking at other EU countries, Germany seems to be the only country where organizations express such behavior. The only next inline could be Switzerland.
Talking to my industry peers in Germany is a surreal experience on this front. I always like the risk analysis approach to privacy & security, and that leads to interesting conversations on what the benefit would be around hosting the data in your own country. Some know there is no legal need but state they feel safer that way. If we take the NSA paranoia a few levels up then I could ask:
– Does your German datacenter provider use any IBM/HP/Dell/Cisco/… equipment? The answer is mostly yes. So then you would be NSA vulnerable anyway. (German article)
– Is your German datacenter provider actually a German company or is it owned by a non-Germany company? (or has offices outside of Germany). Then it seems the US can mandate data handover.
There are multiple other ‘scare’ scenarios possible for people to get their hands on the data, like accessing the data on laptops that travel across border.
This all focuses on the NSA spying on you, but neglects the fact that the Bundesnachrichtendienst has full local authority to access the German based data… but that is not perceived as an issue.
The real obvious one is the internet connection it self; I would assume non of the German hosted servers are connected to the internet, as that would be the easy road in to the data for government agencies and hackers. I would also assume no travelling employees or remote offices are accessing this data…
But I seem to assume allot… as most companies actually do this, but again it isn’t perceived as a problem.
As data flows free across borders by the nature of ‘the Internet’, my advise to the overly sensitive CIO’s in Germany is that they actually need to take it up one level;
Germany should start with Internet border patrol, executed by the Government. Every packet travelling in & out of Germany should be inspected for sensitive content. Obviously encrypted packets should be dropped and no VPN’s allowed. This is the only way to circumvent the risk your trying to capture by moving servers in to Germany specifically. I think the Bundesnachrichtendienst would appreciate this effort.
We are eagerly waiting the launch of new data regulation from the EU that should unify regulation across Europe. See: http://ec.europa.eu/justice/data-protection/index_en.htm
Hopefully then my German peers will start threating this with some common sense. The EU at least seems to get it:
Protecting your personal data – a fundamental right!
The free flow of personal data – a common good!
My team recently asked if certain server racks in the datacenter could be turned over to a specific countries embassy… so it could be covered under the Vienna Convention on Diplomatic Relations. That would be interesting from a maintenance perspective 🙂