Despite license fees, data traps and loss of sovereignty in German public authorities – is resistance to the use of cloud services coming to an end?

In Germany, some authorities are beginning to opt for cloud services from international providers. At first glance, this move could be seen as an attempt to engage in digitalisation, be flexible and overhaul public administration. The prospect of simplifying processes, reducing hardware costs and always having access to the latest version of software more quickly does seem very attractive. However, behind the façade, this step poses serious risks in terms of cost control, data protection and digital independence.

More and more articles, among which an analysis by IT news platform heise , warn of the dangers of the ‘data trap’. Opaque terms and conditions, complex technical dependency and global legal issues can make it impossible to protect one’s data and manage it oneself in the long run. The scenario of an IT disaster is therefore becoming frighteningly tangible.

For many years, public authorities have lagged behind with modernising their IT ecosystems and putting in place digital public services. In the face of outdated services, obsolete software and a dearth of skilled IT specialists, cloud services offered by international providers seem like a quick and easy fix. However, in reality, what seems to be a state-of-the-art solution at the outset creates a situation of dependency and the hoped-for efficiency gives way to unpredictable expenses. Many authorities also have to continue using older versions of software to ensure connectivity with specialist applications.

The data trap: unpredictable costs and dependency
Costs tend to creep up insidiously. Cloud services hook customers by promising fast hardware and maintenance savings, but in many cases, considerable expenses begin to add up, e.g. for a special security set-up, extended support, more storage or charges for data traffic. Compliance checks and audits also cause additional costs. What seemed cheap at the beginning turns into a real money pit. In the past few years, the licence fees for Azure and M365 have soared markedly – sometimes by as much as 40%. Such price hikes hit the public purse particularly hard as this makes budgeting very difficult.

In many cases, nobody really knows what software is actually used by which public authority and at what price. There are no reliable overviews of programs and costs. Because of this lack of transparency, it becomes difficult to budget, to keep a handle on expenditures and to analyse cost effectiveness.

Legal uncertainty only compounds the issue. Data stored in cloud infrastructure managed by international providers is subject to legislation such as the Cloud Act, the Patriot Act or FISA, which can, under certain conditions, allow US authorities to access the data, often without the authority concerned being informed of this. This directly goes against the EU’s stringent data protection standards, especially the GDPR. While an adequacy decision has been reached on the EU-US Privacy Framework, allowing transatlantic data transfer, it is questionable whether it will stand up in European courts of law in the long run.

Another issue is that being dependent upon an external provider drastically reduces digital agency. Cloud service providers define the scope of features, the cycles of updates and the strategic focus of their services. And if security updates are released late (or not at all), this paralyses public authorities. Some cloud services have experienced serious security breaches and haven’t always communicated adequately, which goes to show how little control customers have in the worst of cases.

The ‘lock-in effect’ is another cause for concern. Once deep integration into the infrastructure of a major cloud provider has been completed, institutions will find it very challenging to change tack, both technically and financially. Proprietary interfaces, closed data formats and high switching costs also prevent any quick adjustments. At the same time, public authorities tend to reduce their own IT workforce, strengthening their reliance on the provider.

Dealing with sensitive administrative data: massive risks in terms of security and data protection
From tax and social security data to healthcare information through to police investigation files: authorities manage all sorts of sensitive data. If any of it were to be compromised by global legal discrepancies, security breaches or an inadequate system architecture, the consequences could be catastrophic, from a loss of confidence in public institutions to threats to national security.

Large providers also tend to try to dominate the market. By offering bundles of products, they may aim to reduce customers’ willingness to switch to alternatives. Competition falls by the wayside, with a knock-on effect on choice, efficiency and flexibility for the public sector.

The alternative: more diversity for increased sovereignty
To mitigate such risks, decision-makers in the public sector should rethink their IT strategies with a view to keeping control of their data and infrastructure.

• On-premise solutions remain a central aspect of this strategy, as systems and data can remain in the public body’s data centre and security measures can be tailored to their needs. In the event of a crisis, services can be restored more quickly without having to wait for assistance from external providers.
• Hybrid models, which connect local systems with selected cloud services, are another option. They ensure nobody has to relinquish control over sensitive data while less critical applications can be scaled up. This balanced model combines flexibility and a high level of security.
• Modern license management also plays an important role: strategies such as ‘BYOL’ (bring your own license) and audited used software can help make considerable savings while protecting digital sovereignty.

The bottom line: digital sovereignty must be a cornerstone of any modern public administration
Using international cloud services in public authorities may seem like a forward-thinking trend. Yet they pose massive risks. Loss of sovereignty, legal uncertainty and skyrocketing costs are no mere details: they are key challenges for sustainable public authorities.

Andreas E. Thyen, Chairman of the Board at LizenzDirekt AG, sums it up aptly: ‘Rashly switching to a (privately owned) cloud-only strategy without any forethought will definitely have a knock-on effect in terms of budgets, data protection and security policy.’

All those who decide not to renounce the cloud entirely must establish a clear strategy: what data must remain in your own data centre? When is a well-managed hybrid approach an option?

IT plans that build on sovereignty and independence, comply with national standards and maintain control over sensitive information are essential for reliable, safe and modern public administration and to ensure trust in the Digital State.