Data traffic from the EU to the US is substantial and ever-growing. This is mainly due to the general trend of shifting data into the cloud, with its major service providers based in the US. The legal basis for these data transfers has needed to be re-established repeatedly, as so far respective agreements have neither been able to constitute a lasting solution nor bring the legal certainty so urgently needed by EU companies. A European approach like the GAIA-X project could provide the sought-after remedy, presenting a valuable alternative to the US hyperscalers. It was launched with great and ambitious goals, with the German government as one of its main drivers. So, what role do they see for GAIA-X?

GAIA-X: Where politically fuelled hopes meet immense tasks

GAIA-X is perhaps the "most ambitious digital project of this decade" - that's how Peter Altmaier, Germany’s Federal Minister for Economic Affairs and Energy, once put it. Such statements framed public discourse and subsequently fuelled high expectations. The GAIA-X project is intended to create a future-oriented data infrastructure in Europe and a "digital ecosystem" in accordance with European values and (data protection) standards. Given the present situation enterprises find themselves in, it is clear that GAIA-X must be more than a mere paper tiger, and it has to go beyond mere political grandstanding: Pressing legal but also economic challenges for European companies must be solved effectively and long-term, particularly those with regard to data protection under the GDPR.

You can read more about the differences between the EU and the USA in data handling and the basic legal problems in data transfer for companies here.


What’s the German federal government’s stance on GAIA-X?

So, what is the federal government's position on this transformative GAIA-X project? In a letter from 20 October 2020, the Federal Ministry for Economic Affairs and Energy responded to a minor interpellation, a parliamentary enquiry, by BÜNDNIS 90/DIE GRÜNEN (The German Green Party). The opposition party had submitted several questions, which included the progress on the project’s implementation. It is important to note in this context that the German government is one of the main drivers of GAIA-X, therefore their actions do carry weight.

In summary, the German government confirmed:

  • GAIA-X is to provide more data sovereignty as part of a European initiative
  • GAIA-X is envisioned as a future global standard
  • They also consider GAIA-X to serve as a remedy for the ECJ’s ruling on the EU-US Privacy Shield because EU providers would be positioned as an alternative to the US hyperscalers

However, the German government also argued:

  • If US companies participated, they would abide by GAIA-X’s rules and standards; relying on this condition in good faith, the German government therefore support the participation of US companies in this project
  • The involvement of non-EU companies is important for GAIA-X to ensure scalability


Optimism for GAIA-X fading as legal contradiction remains

The first three points reflect expectations for the project that have been held from the beginning and don’t come as a surprise. The perspective of the federal government that emerges from the last two points, however, stands in stark contrast to the experiences European enterprises have had with US companies and their data handling. Thus, the government’s latter assertions are hardly more than wishful thinking: Legal agreements that are based on US providers’ promises to comply with European data protection regulations? We’ve been there before. Such agreements (namely the Safe Harbour Agreement and EU-US Privacy Shield) were overturned by the ECJ precisely because they did not deliver what they had promised. So how do the German government get their assurance that promises made by US providers to comply with European regulations in return for participation in GAIA-X are now reliable and robust? The past has shown that unwarranted confidence does not get rewarded. US companies are first and foremost subject to US legislation – and if in conflict with European data protection laws, the former will reign supreme.

It is this pivotal legal issue between the EU and the USA that lies at the very heart of the matter; as long as it remains unsolved, virtually everything revolves around it. Remarkably, the German federal government decided not to address this in their statement – despite the fact that they were specifically asked to do so in the interpellation. It appears that at the decisive political level in Germany there is no convincing or meaningful interest to ensure that data protection in GAIA-X is realised with European standards.

And to top it all off: It is hardly a vote of confidence for the German and European IT industry if the German government, as one of the main drivers of GAIA-X, believe they have to resort to non-EU companies to ensure the project’s scalability.

  • What conclusions can be drawn from the German government's unwillingness to address the fundamental, yet unresolved, legal issue regarding the non-GDPR-compliant handling of data in the USA?
  • Can the proclaimed objective for GAIA-X, as reiterated by the federal government in their response, be successfully realised if US hyperscalers are involved in this project?

You can find out more on the crucial decisions by stakeholders from the European business community, who comprise GAIA-X's Board of Directors, in this blog post.

About this blog

With our software Cryptshare we enable our customers to share e-mails and files of any size securely in an ad-hoc way with a detailed audit trail and a strong ROI.

On our blog we write about email encryption, cybercrime, security gaps, malware, data protection and more. In short, anything about data security.

Follow us