First Safe Harbor, now Privacy Shield: the European Court of Justice (ECJ) has overturned the data protection agreement between the United States and Europe. The ruling has far-reaching consequences, because companies must now look very closely at their choice of cloud provider. Anyone processing personal data with an overseas provider can no longer rely on the Privacy Shield, which was designed to ensure compliance with European data protection standards outside the EU.
However, correctly assessing the compliance standards of cloud providers is often a real challenge for companies. The C5 criteria catalogue of the German Federal Office for Information Security (BSI), for example, provides guidance. The catalogue lists criteria that cloud providers should fulfill to enable secure data processing in compliance with the GDPR. According to the current version, BSI C5:2020, cloud providers must also demonstrate that they meet two new areas of security criteria. The "Product Safety and Security" section, derived from the EU Cybersecurity Act, which came into force in 2019, takes into account requirements for how users use cloud services, instead of considering only the security of the cloud platforms themselves, as was previously the case.
In addition, with the introduction of the "Dealing with Investigation Requests from Government Agencies" section, cloud providers must now provide transparent proof of how they handle government requests for the release of data. This is a criterion that US providers are currently unable to meet after the ECJ ruling, because they are bound by US law regardless of where their data centers are located.
The Open Telekom Cloud, Telekom's public cloud offering, is subject exclusively to German law. Companies can therefore process data in the Open Telekom Cloud knowing they are in full compliance with the GDPR.