Ruling Blocks Use of American Cloud Services
Last updated: 16 August 2022
“To ensure that your data is actually protected, you have to check the entire chain to make sure that there isn’t still a U.S. link somewhere.”
The German Vergabekammer, the official supervisory body for public procurement, has cancelled a cloud tender because it violates European privacy legislation.
Anyone wishing to tender for a public contract cannot use European subsidiaries of American cloud services, even if the cloud servers are located in Europe, and even if data protection clauses are applied. For video hosting, there is now a Dutch answer.
In the Netherlands there is an initiative to build a European cloud for video streaming, which now covers 80% of internet traffic. The European regulator EDPS already used the Dutch platform, after a successful audit.
The winner of a German tender wanted to use the services of a European subsidiary of a well-known American cloud provider.
This was successfully objected to by another provider, which did make investments to store data within the EU, but without any legal or technical link to U.S. providers.
Risk of data sharing
According to the chamber, there is a “latent risk that an unauthorized transfer of personal data may occur.” This is due to the US Cloud Law, which enforces far-reaching access to data, and prevails over private clauses on data protection between parties. An appeal will follow.
The decision could have major implications for the existing cooperation of European customers of US technology providers and their European group companies.
The exclusion of a bidder from a complex procurement process because it uses a subsidiary of a U.S. supplier “may have a significant impact on the future design and implementation of procurement procedures,” according to law firm Gruendelpartner, which studied the ruling.
Data protection is business interest
“Data protection is in your best interest: for example, you don’t want business-sensitive data to end up in the hands of third parties. All that data is in your logs and statistics,” says Stef van der Ziel, director of Dutch streaming company Jet-Stream.
“The ruling confirms our conviction that you can no longer ignore data protection in procurement procedures. It is the law, and also in your own interest, to protect data. Private clauses between parties are insufficient. Working with European suppliers is also insufficient. You have to check the entire chain to make sure that there isn’t an American link somewhere.”
European cloud for video
Jet-Stream is therefore launching its own European streaming cloud, which will allow corporate customers such as broadcasters, publishers, events and businesses to professionally stream live TV and radio, and roll out video services such as Netflix on it, with guarantees that their media and their data are protected and there is no legal and technical link to U.S. suppliers.
“Hosting, live streaming, encoding, statistics and the video player; everything is in the secure cloud, which is Dutch-owned, and located in the European zone. We protect the public and business interests of our customers with Jet-Stream Cloud,” said van der Ziel.
EDPS, the European Data Protection Supervisor who ensures that European institutions comply with their own data protection laws, recently streamed its annual privacy conference via Jet-Stream Cloud. To that end, EDPS commissioned an independent data protection audit on the Jet-Stream platform, with success.
Jet-Stream Cloud will be launched on September 9, during the International Broadcast Convention (IBC), at the RAI, Amsterdam.
In control of your data