Germany: Published Data Protection Commission opinion specifying criteria for sovereign clouds

On 11 May 2023, the German Data Protection Commission (DSK) published an opinion on the criteria for sovereign clouds. According to the DSK, the term "sovereign cloud" cannot be found in the General Data Protection Regulation (EU GDPR) but is used in the market. While the term "sovereign cloud" only becomes legally binding by a contract, a certification or a code of conduct, the DSK outlined criteria that could be used to assess whether the cloud is sovereign or not. The DSK defines "sovereignty" as performing the role in the digital space independently, self-determined, and safely. The criteria include traceability through transparency, data sovereignty and controllability, openness, predictability and reliability and a regular review of the established criteria.