On November 23, 2012, the German Federal Council (Bundesrat or the “Council”) published its comments on the European Commission’s strategy on cloud computing and also submitted them to the Commission.

The Council considers that the strategy in its current form does not deal adequately with several issues unique to cloud computing. These issues include:

  • A lack of clear certification requirements and enforcement mechanisms in the draft General Data Protection Regulation (even though certification is one of the strategy’s cornerstones);
  • In the context of clouds hosted in third countries, the unresolved conflict between European data protection requirements and the legal disclosure and law enforcement requirements in those third countries;
  • An insufficient focus on easy-to-use and ubiquitous encryption technologies in cloud computing; and
  • The uncertainty surrounding how national standards will be reflected in EU-wide technological and organizational security standards.

To address these issues, the Council suggests, among other things,:

  • An international dialogue to resolve conflicts between European data protection norms and the legal requirements of third countries, including the development of an interim solution by relevant data protection authorities while the EU discusses entering into international agreements on this topic;
  • Giving paramount importance in the strategy to encryption technologies which are both customer-friendly and widely deployed;
  • The consideration of national standards in the development of EU-wide technical and organizational security standards; and
  • A parallel assessment of the technological and data protection consequences of cloud computing, which is of particular significance given the structural risks posed by pooling data in the cloud.

The Council’s comments on the European Commission’s strategy follow earlier comments made by European Data Protection Supervisor Peter Hustinx.