On July 16, 2020, the European Court of Justice (ECJ) declared the Privacy Shield between the EU and the USA to be invalid. This step had been expected, considering the uncompromising abolition of the Safe Harbor Agreement as the predecessor of the Privacy Shield in 2015, the introduction of the European General Data Protection Regulation in 2018, and the growing discussions about a secure, European cloud (esp. Gaia-X). Dominik Freimuth, managing partner of Adjuitec, pointed out precisely this risk in his guest article in CIO Magazine in March 2020, in which he also outlined possible proactive mitigations. In the meantime, European efforts to create their own cloud alternatives have further materialized. On October 15, 2020, the ministers for “digital and telecommunications” from 25 of the 27 EU member states agreed on the need for a European cloud and the setup of a European cloud federation.
Due to the omnipresence of the corona pandemic in the public media, the abolition of the Privacy Shield has almost disappeared from general reporting. Nevertheless, the decision still dramatically affects business relationships between European and US companies. Taking into account the massive growth and adoption rates of public cloud solutions in recent years, as well as the predominant position of US service providers in this market segment, the full range of the decisions now facing both private and public sector organizations has become glaringly clear. According to the ISG Provider Lens Public Cloud, the public cloud market for infrastructure and Software-as-a-Service (SaaS) solutions in Germany grew by 25% in 2019. Three of the four market leaders (AWS, Microsoft, Google, Deutsche Telekom) in the field of public cloud Infrastructure-as-a-Service (IaaS) in Germany are headquartered in the USA. If you factor in the market shares of German and European public cloud providers, the overall picture obviously becomes much more crowded.
Generally speaking, it can be stated that companies in Germany and Europe have relied heavily on US public cloud providers in recent years. This fully included even highly demanding or extremely data-sensitive customers who trusted the assurances of the public cloud providers and the more or less clear contractual situation around the Privacy Shield. As a result, the above-mentioned decision from July 16, 2020, has confronted many German and European companies with serious security or compliance concerns and incidents if specific technical mitigation measures (e.g. an appropriate degree of encryption) or contractual ones (e.g. standard data protection clauses) are not taken.
In theory, these security or compliance incidents could be remedied relatively easily by integrating standard data protection clauses into the relevant contracts. In such cases, however, the ECJ obliges the data exporter to verify compliance with an appropriate level of data protection. In practice, this obligation leads to massive legal uncertainty and increases the importance of technical mitigation measures. However, since these measures often come with considerable effort or additional costs, the question of whether the advantages of using a US cloud provider (e.g. regarding ecosystem, price level, etc.) justify this additional effort needs to be thoroughly analyzed and answered on a case-by-case basis.
Bottom line: Taking on and answering this question usually means nothing less than questioning and validating your own cloud strategy. And when it comes to validating something as business-critical as a cloud strategy, given the massive effects on architecture and ecosystem as well as the high dynamics of change in politics and markets, it is highly recommended to consult an experienced partner. Our consultants have extensive cloud experience, which they have proven and road-tested in numerous successful projects.
Bornheimer Str. 127
53119 Bonn, Germany