Gaia-X: On the way to the Europe Cloud

dated 29.03.2020

04.03.2020 | Author: Henrik Hasenkamp / Editor: Sabine Narloch

The Gaia-X project has to take criticism from different sides. But now the discussion about why American providers dominate the cloud market despite inadequate data protection conditions is gaining traction.

German companies are often accused of being sceptical about the cloud and of being too hesitant in adopting this technology. When asked what is wrong with cloud computing, one answer is always among the most frequently cited: concerns about privacy and data security. In other words, IT decision-makers are very concerned about whether their data is safe in the cloud. Nevertheless, and although the legal situation ranges from confusing to difficult, many companies entrust their data to American cloud service providers such as Amazon, Google and Microsoft.

With its pan-European cloud, also known under the meaningful project name "Gaia-X", the German government wants to offer an alternative. In their own words, the Federal Ministries of Economics and Energy and of Education and Research want to create "a networked data infrastructure as the cradle of a vital European ecosystem". Together with France, the Federal Government wants to invest in research in this area and create the conditions for an AI-capable, industrial cloud platform. In doing so, it will not act as a provider or operator itself, but will bring on board partners with appropriate cloud expertise. The first test runs are already scheduled for the middle of next year, with live operation scheduled to start at the end of 2020. Not only industry giants such as Deutsche Telekom and SAP are on board: Gaia-X is open to everyone, and small and medium-sized providers in particular are to become a central component of the network.

Still unsatisfactory: the legal situation

The Europe Cloud is to meet the requirements of European data protection regulations, ensure data sovereignty and at the same time be highly interoperable through standardized interfaces. The German government explains what it means by this in its publication "The Gaia-X Project" and provides initial insights into the planned infrastructure. For example, each node is to form an independent unit that can be clearly identified and accessed. A self-description is to be linked to each node, specifying the storage location and processing of the data as well as the technologies and performance parameters used. Certified degrees of protection are to ensure data sovereignty, especially when the EU General Data Protection Regulation (GDPR; in German, EU-DSGVO) applies.

From the perspective of German and European companies, these considerations are moving in the right direction. The international legal situation is still not easy to understand. However, unclear parameters mean that companies either do not want to rely on cloud technologies at all or ignore this criterion when choosing their service provider. Viewed from a European perspective, US data protection regulations are particularly worrying. Although rules do exist, they are defined separately for each industry and are largely based on the voluntary commitment of companies. Companies are also threatened with sanctions if they do not comply with their self-imposed security level, but supervision and auditing fall to the Federal Trade Commission (FTC), the federal trade body that is anchored in the economy and acts accordingly. Equally problematic are the extensive powers of the U.S. security authorities, which are comparatively free to demand the release of personal data as well. The Cloud Act (Clarifying Lawful Overseas Use of Data Act), signed in 2018, even extends these powers: US cloud service providers can be forced to surrender data even if they store it on servers in Europe.

In Europe, the regulations of the EU DSGVO have been binding for the member states since May 2018. Stricter rules for the collection and processing of personal data are intended to protect the fundamental rights and freedoms of every natural person. In addition, the new Federal Data Protection Act (BDSG-neu) puts into concrete terms some of the opening clauses of the DSGVO, namely those that allow national specifications. The DSGVO is an overarching law and applies to government agencies as well as to all companies. With regard to cloud computing, this means that cloud providers based in Europe must take appropriate measures to comply with the DSGVO. However, they do not assume full responsibility for their clients. The C5 requirements catalogue (Cloud Computing Compliance Controls Catalogue) of the Federal Office for Information Security (BSI) deals with the requirements for cloud computing in particular. It does not create a new standard, but summarizes existing ones, including ISO 27001, the Cloud Controls Matrix of the non-profit Cloud Security Alliance and the BSI IT-Grundschutz. In 17 subject areas, it defines minimum requirements that professional cloud providers should meet, including numerous data protection and data security requirements. The C5 catalogue is an excellent checklist for choosing the right provider.

The alternative already exists

So in principle, the often invoked stricter data protection regulations in Europe and especially in Germany actually exist. However, they are only of limited use to companies if the cloud provider has its headquarters in the USA or China, for example, because then the provider is subject to the respective national law and so is the data of its clients, even if the data center is located in Europe. This also applies if the cloud provider itself is a German company, for example, but uses the resources of Amazon and Co. for its services. In this context, the discussion about an independent European cloud is more than necessary. The German government's plans are not yet mature enough for their viability and practical relevance to be judged. Moreover, the plans must not be limited to the infrastructure itself, but must soon include the application stack, because only then can digital business models really develop.

At times, the renewed discussion about the security of cloud offerings gives the impression that there are no alternatives to the American market leaders. That is not true. There are several German providers who make their services available under German jurisdiction and on the basis of German or European data centres. And these by no means only offer solutions for niche industries: they provide modern infrastructures that meet requirements such as DSGVO or C5 and can be booked both as IaaS and as a full-service cloud. Medium-sized companies in particular, which the Europe Cloud is meant to support on their way to digitization, may benefit from individually tailored local solutions.

The original article in German can be found here.