Data Privacy? Germany Demands Businesses Get It Right
Click here to close
Click here to close
Subscribe here

Data Privacy? Germany Demands Businesses Get It Right

Data Privacy? Germany Demands Businesses Get It Right

Germany and Privacy

Willy Brandt, then chancellor of the now former West Germany, was quoted as having once said, “If I am selling to you, I speak your language. If I am buying, dann müssen Sie Deutsch sprechen.” Perhaps no other quote has come to typify the localization industry. No surprise, either, that it is so fundamentally German—a culture known, at least stereotypically, for its pragmatic and direct approach to business. 

Germany is the largest market in the European Union. According to Federal Statistical Office reports for 2016, the year saw the highest rate of employment since 1991, GDP continued its solid, steady, better-than-average growth, and German consumers spent more. 

While it may seem like a “no brainer” for companies looking to enter the European market to localize for Germany, it’s not without its challenges. Among these are expectations regarding managing, storing, and using German consumer data. How companies approach this in Germany can make the difference between market success and market failure. 

Datenschutz in Germany and the EU

If you are ready to learn your first German word, commit Datenschutz to memory. Few countries care more about data privacy and protection than Germany. And German consumers take very, very seriously the way businesses collect, manage, store, and share their personally identifiable information. Driven by such public sentiment, Germany beefed up its Federal Data Protection Act and has strongly advocated for strict data protection regulations at the EU level. 

Recently, EU data protection policies became even stricter about how data is stored and transferred. For 15 years, the Safe Harbor Privacy Principles effectively permitted US companies to self-certify their compliance with the EU Data Protection Directive. This meant that US companies did not need to set up independent data centers in Europe; they could instead rely on efficient cross-Atlantic data transfer and US data storage. But after an Austrian citizen brought a case against Facebook on the matter, the European Court of Justice ruled in 2015 that these principles were invalid. This decision forced roughly 4,400 companies—including the likes of Amazon, Facebook, Google, and Microsoft—back to the negotiation table. 

Within German borders

As of July 12, 2016, a new data agreement called the EU-US Privacy Shield now gives these companies a legal right to transfer data. It also means that German consumers can rely on even stronger Datenschutz obligations on US companies as well as more clearly defined review and dispute resolution mechanisms.

But even this is not enough for Datenschutz-worried Germans. 

According to a survey by KPMG and Bitkom, the German digital trade association, 83 percent of German companies expect their cloud provider to have their data centers exclusively within German borders, and 74 percent want them at least located somewhere in the EU. 

This data localization requirement seems to fly in the face of the EU strategy to create the Digital Single Market (DSM), i.e., no regulatory barriers to the online sale of goods and services between EU member states. DSM aims to end geo-blocking (think pan-EU sim-ship as a rule), to harmonize copyright rules (think the same content on Netflix across the EU), and to facilitate cross-border e-commerce (like Amazon being able to ship the same products across the EU).

But remember Brandt? German buyers, German rules.

To assuage any concerns by German customers, companies are going to great lengths to meet current German data location requirements. Amazon Web Services (AWS), for example, has built data centers in two EU locations, one of which is Frankfurt, Germany. They even offer their corporate customers the option to store data and run AWS exclusively on German soil. Similarly, in September 2016, Microsoft opened Microsoft Cloud Germany—its first cloud data center in Germany. The company even went so far as to engage T-Systems International, Deutsche Telekom’s subsidiary, as its data trustee. That means that a Germany entity, not Microsoft, controls access to customer data stored on the servers in Germany. 

These may seem like big-ticket decisions, but every company operating in Germany (or wanting to) would do well to understand and comply with the country’s Federal Data Protection Act. They should also be prepared to communicate to their German customers how and why they intend to use and store their personal data. 

And, perhaps needless to say, this communication should be in Deutsch.