The jury is still out on whether the bark is worse than the bite this time. The combination of the US Cloud Act and GDPR could be a hot challenge for existing SAP customers. The problem lies in a potentially devastating mix.
Regarding GDPR, the situation is tense, but not hopeless, because there are already numerous service providers available that were able to amass extensive knowledge of the new data protection regulation. With the US Cloud Act, on the other hand, everything is open and possible. No one yet knows how the US government authorities are implementing and applying the Cloud Act in practice. And for existing European SAP customers, the decisive questions arise: Are the US Cloud Act and GDPR compatible with each other? Does the General Data Protection Regulation mean that we must avoid every US-based cloud service provider like the devil avoids holy water in order not to risk getting hit by the draconian penalties of GDPR? What will become of SAP’s multi-cloud concept with the US corporations Amazon, Microsoft and Google?
Incidentally, it has been speculated for many years that CEO Bill McDermott could move SAP’s headquarters to the USA following the departure of SAP co-CEO Jim Hagemann Snabe. This year, CFO Luka Mucic casually told us that SAP has reassigned all existing patents to the European headquarters in Walldorf. In light of the US Cloud Act, remaining a one hundred percent European company might indeed be a wise step for SAP, for numerous reasons!
There are already numerous SAP partners in the DACH region who warn against any further involvement with AWS, Azure and Google Cloud or at least recommend stopping ongoing projects until the compatibility of the Cloud Act and GDPR has been clarified.
What do Microsoft and Google say? Actually nothing – obviously in a situation like that, you try to keep your hands still until the problem goes away. There are a few English-language tweets, but they do not provide any substantial information for existing SAP customers. Possible conclusion: Get out of the Google Cloud Platform and Microsoft Azure – even if an on-premise installation has to be reactivated in the medium term.
Furthermore, the danger for a company’s Intellectual Property (IP) seems particularly high in light of the US Cloud Act: with a Hana and S/4 implementation in Google, Azure or AWS, not only the data, but also the business processes are opened up to US authorities. The idea of industrial espionage does not seem too far-fetched and comes to mind immediately.
However, at least Microsoft seems to be aware of the danger, as indicated in the following message: Microsoft has declared a new era in intellectual property rights management in IT development.
As part of Microsoft’s “Shared Innovation” initiative, for example, intellectual property rights to digital products and services developed by customers in partnership with Microsoft will remain completely with the customer. (End of quote) Even if this commitment is only of peripheral help to existing SAP customers, at least we know that Microsoft is not hiding the issue of IP.
The privacy discussion will continue well beyond May 25th. At present, great care is required. Before there are non-public, binding statements from SAP, AWS, Microsoft and Google, one should evaluate a cloud exit as a “Plan B” or move to the secure site of a European provider. However, the local cloud providers are also keeping a very low profile in the ongoing Cloud Act/GDPR discussion – which may eventually lead the community back to on-premise installations.