I was recently looking into the data privacy aspect of cloud solutions for a project I am involved with. Quite honestly, for many projects, where the only thing you are holding as private information are things you mirrored from Facebook, I do not really see the point why users should be allowed to fight against your service. But for this particular one, I was looking a bit closer because not only is this really sensitive data but on top the target customer group is highly aware and concerned about this.
Fortunately I just recently had the pleasure to bump into an Commissionaire for this topic, who told me a bunch of things about that. And though I consider myself aware of what is the legal status and what you can and can’t do, he really opened my eyes on certain aspect I surely wasn’t aware. For e.g. did you know, there are parts of society that can go to jail for giving your information away? But more on that later.
So, generally for every German company, German jurisdiction applies, which also includes Data privacy topics. And sure you can exclude a few of them via the Terms of Services but generally they are also simply good guidelines to follow. One of the official rules is, though, that data shall never leave the country. But for almost all data any country in the European Union is arguably acceptable. Outside not so much.
Well that rules out plenty of cloud solutions for the German market generally, like Rackspace or Amazon. Though Amazon has a data centre in Ireland, which technically is EU and therefore fine, they are breaking on a different ruling which states that in doubt the provider needs to be able to point at and be able to overwrite the exact physical copy of the user data. As you are unable to enter the data centre of Amazon and Amazon refuses to give physical access, this is ruled out.
But it can be even harder, so I learnt. There is a bunch of professions in Germany, which hold a so called special secrecy bond with their customers. The obvious ones would be lawyers, doctors and any kind of medical servants. Already the information that a doctor for heart diseases knows you, that you are one of his patience holds enough, that if leaked or given to any other party by that doctor, he could go to jail for it and lose the right to ever execute his job again. And as this law in Germany is state and not federal, it applies per state. A doctor wouldn’t - technically - be allowed to drive a harddrive of his backups from Hamburg to Berlin.
And I was always wondering why exactly those professions in Germany are so incredibly offline and averse adapting to new technology. It isn’t only because they are unwilling - they often aren’t - but simply aren’t allowed to use Cloud-Products. No Mailchimp to send newsletters to your patience (giving a patience list to a provider in the US? jail.), no patient documentation in dropbox, no contract draft via google drive.
But should you care? You are not a lawyer, nor a doctor. Well, then you do not have to fair to go to prison. And then breaking privacy ruling isn’t actually something you could go to jail for and arguably the ruling will catch up with common practice sooner or later, but being the one, someone stolen your whole client list from isn’t a good PR-Story either. But you should definitly know about this when dealing with those groups or - even worse - they being the customers of your upcoming cloud-app. Because if it contains any client information (and an appointment at a doctors place is already enough information), they might simply not be allowed to use it by law.