USU Digital Consulting Blog

How to Cloud in Germany - Technology beats Geography

Written by Markus Thral | Sep 22, 2025 7:57:42 AM

The journey to the cloud starts with one key question: which provider is right for you?
That question becomes even more important when you’re working with sensitive data. Many global tech providers run into conflict with strict German data protection laws, making it harder to find a good fit.

The core conflict: US laws vs. EU data protection

Major US hyperscalers like Google, Amazon, and Microsoft Azure do operate data centers in Germany, but their legal obligations don’t stop at the border. As US companies, they’re still subject to American laws, which can directly conflict with the European General Data Protection Regulation (GDPR). That’s a challenge when protecting personal data is your top priority.

Here’s why:

  • The Patriot Act allows US authorities to access data from American cloud providers for law enforcement, counter-terrorism, or national security.

  • The CLOUD Act goes a step further. It enables access even if the data is stored outside the US, like in a German data center. Providers may be legally required to hand over that data.

And it’s not just the US. Other countries, including China, have similar laws that allow government access to cloud data.

So what’s the answer? It’s less about politics and more about technology. The key is making sure unauthorized access isn’t technically possible. Strong encryption matters - especially when you control the keys yourself.

German providers as an alternative

Some providers like STACKIT, based right here in Germany, are subject only to German law. That means the Patriot Act and the CLOUD Act don’t apply. For anyone who needs the highest level of legal certainty, that’s a clear advantage.

A realistic perspective: digital sovereignty

Technological dependence on the USA

According to BSI President Claudia Plattner, Germany won’t break its reliance on cloud solutions and AI models from the US anytime soon. US tech companies are up to ten years ahead in some areas.

But full digital independence isn’t the goal. Instead, the focus should be on smart control mechanisms that make working with non-European technologies as secure as possible.

Strategies for more data sovereignty

Whether you're in the private sector or a public authority, you need a clear strategy for deciding which technologies to source from outside and how to stay in control of them.

One example is the partnership between the BSI and Google. In February, Google Cloud and the BSI signed an agreement to support the development and delivery of secure cloud solutions for federal, state, and local governments.

A key focus of this partnership is data sovereignty. One promising approach is the Google Sovereign Cloud, where a neutral German trustee manages the encryption keys. In Google Cloud’s case, that trustee is T-Systems, ensuring the keys stay in German hands and outside the reach of the CLOUD Act.

To stay in control of sensitive data, even when working with non-European providers, the following protective measures are essential.

How to protect your data with US hyperscalers

Hyperscalers are aware of this issue and offer specific measures to protect your data.

Encryption plays a key role and it applies to three different states of data:

  1. Data at rest (stored data) is the easiest to encrypt. But in many cases, cloud providers like Google still hold the encryption keys. One effective solution is the Sovereign Cloud, where a neutral third party manages the keys, keeping control in your hands.
  2. Data in transit (data being transferred) is typically protected with TLS (the successor of SSL) as it moves to, from, or within the cloud. For extra assurance, you can manage the key pairs yourself, so that even the cloud provider cannot read the data while it is in transmission.
  3. Data in use (data being processed) is the most complex. When data is in the CPU or memory, it can be vulnerable to unauthorized access. Confidential computing solves this by processing data in a secure, isolated environment known as a Trusted Execution Environment (TEE). The data stays encrypted, even while it's being used. This is especially important when handling highly sensitive information, such as in healthcare.

Another option: anonymization

If you need to use services that require data to be transferred to the US, like an AI model hosted there, and encryption isn’t an option, anonymization is a strong alternative. With techniques like k-anonymity, you can modify personal data so it can no longer be linked to an individual.
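As an added illustration (not code from the post or from any provider named in it), the following Python shows what a k-anonymity pass looks like in practice: direct identifiers are dropped, quasi-identifiers such as age and postal code are generalized, and any record whose group is still smaller than k is suppressed. The patient-style records are constructed sample data.

```python
from collections import Counter

# Constructed sample records (example data, not from the post). "name" is a
# direct identifier; "age" and "zip" are quasi-identifiers that, combined,
# could still single out a person; "diagnosis" is the sensitive attribute.
RECORDS = [
    {"name": "A", "age": 34, "zip": "80331", "diagnosis": "flu"},
    {"name": "B", "age": 37, "zip": "80335", "diagnosis": "asthma"},
    {"name": "C", "age": 31, "zip": "80339", "diagnosis": "flu"},
    {"name": "D", "age": 52, "zip": "10115", "diagnosis": "diabetes"},
    {"name": "E", "age": 58, "zip": "10117", "diagnosis": "flu"},
    {"name": "F", "age": 55, "zip": "10119", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("age", "zip")


def generalize(record, age_band=10, zip_digits=3):
    """Copy a record without direct identifiers and with coarsened
    quasi-identifiers: age becomes a band, the postal code a prefix."""
    low = (record["age"] // age_band) * age_band
    masked = len(record["zip"]) - zip_digits
    return {
        "age": f"{low}-{low + age_band - 1}",
        "zip": record["zip"][:zip_digits] + "*" * masked,
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(records):
    """The k actually achieved: the size of the smallest group of records
    sharing the same quasi-identifier values (0 for an empty set)."""
    classes = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(classes.values()) if classes else 0


def anonymize(records, k, age_band=10, zip_digits=3):
    """Generalize every record, then suppress records whose group is still
    smaller than k, so the result is k-anonymous by construction."""
    generalized = [generalize(r, age_band, zip_digits) for r in records]
    classes = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in generalized)
    return [r for r in generalized
            if classes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]


if __name__ == "__main__":
    print("k of raw data:", k_anonymity(RECORDS))            # every row unique
    released = anonymize(RECORDS, k=3)
    print("k after generalization:", k_anonymity(released), released)
```

Generalizing too little (for example keeping the full postal code) leaves every record in a group of one, and the suppression step then drops everything, which is the signal to coarsen further before releasing the data.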

Conclusion: The right order is crucial

The most important takeaway is that choosing the right cloud provider starts with a clear, conscious strategy. Instead of focusing only on where a provider is based, start by carefully assessing how your data needs to be protected.

The measures we’ve outlined, from sovereign cloud setups to confidential computing and anonymization, show that even highly sensitive data can be kept safe in the cloud. That means cloud adoption is possible, even for critical workloads. But it takes a proactive mindset and consistent implementation of the right technical safeguards, no matter which provider you choose.

Need support with your cloud applications? We’re here to help with a solution designed just for you. Reach out today.