At its conference, the data protection conference of the federal and state governments (DSK) adopted the position paper on “sovereign clouds”, in which it sets the course for further legal disputes with US cloud providers of all kinds. In addition, the DSK calls on the legislature to finally take action in matters of employee data protection and police data analysis, now that the highest court judgments have also required this and thus also confirmed the positions of data protection officials that have been known for a long time. The tenor was that if the legislature had observed this, they would have been spared the embarrassing verdicts. The DSK sees a new need for action with digital wireless water meters.
When are clouds sovereign?
With its position paper, the DSK is not only aimed at those who use clouds from Amazon, Google or Microsoft, but also directly at cloud providers. In doing so, it also paves the way for further disputes about cloud-based services such as ChatGPT.
Although the European Union has declared “digital sovereignty” as a development goal, there is still no legal concept associated with it, and there is also no uniform understanding. Nevertheless, the supervisory authorities feel addressed, since they are confronted with the problem every day when authorities and companies use clouds from countries that do not have an equivalent level of data protection.
According to the data protection conference, the aim is to support compliance with the rights and freedoms of the data subjects. Accordingly, she states: “A ‘sovereign cloud’ only deserves this name if it enables the person responsible to fulfill his data protection obligations effectively, verifiably and permanently.
“The corresponding criteria for implementation are presented in the paper under the topics of “traceability through transparency”, “data sovereignty and controllability”, “openness”, “predictability and reliability” and “regular examination of the established criteria”. Among other things, reviews are a Must, certifications a should.
Court rulings put legislators under pressure
The DSK also reminds the federal government that with the new judgment of the European Court of Justice of March 30, 2023, numerous German regulations on employee data protection must be improved. Last summer, the Federal Ministry of Labor wanted to present the draft of its own employee data protection law after its interdisciplinary advisory board for employee data protection advised it in its final report of January 2022. But that is not the case until today, not least because of the persistent resistance from the employer camp.
The situation is similar when it comes to complex data analysis methods used by the police. The Federal Constitutional Court had formulated requirements in its decisions on automated data analysis by the police in Hamburg and Hesse (1 BvR 1547/19 and 1 BvR 2634/20). It essentially confirmed the demands that the DSK had already made in 2019.
The data protectionists expect the legislators in the federal states to quickly create “a clear legal basis and suitable framework conditions” so that the fundamental rights of the persons concerned are protected. Complex data analyzes based on machine learning are already being carried out.
After the Smart Meter, now the wireless water meter
In the case of radio-based cold water meters, as a precautionary measure, data protectionists miss legal regulations – analogous to the regulations on the use of smart meters for electricity and heat consumption. Here, too, the consumption data that can be called up remotely can be used to draw conclusions about the behavior and lifestyle in households if the data is read out frequently. The specific purposes, the scope of the data, the frequency of retrieval and the deletion periods would have to be regulated by law. Appropriate security measures would have to be implemented according to the state of the art, the DSK states.