Germany's federal commissioner for data protection and freedom of information, Ulrich Kelber, has cautioned against government plans to use Amazon Web Services.
With Germany's federal police set to use bodycams that upload to AWS, Kelber told Politico that it could expose the data to US state surveillance.
Plans call for 475 federal police departments across Germany to be equipped with 2,300 camera systems by the end of 2020. The hardware, developed by Motorola Solutions, comes enabled with AWS services.
But, as AWS is a US-based company, it is compelled to follow the CLOUD Act. Passed last year by the Trump administration, the act theoretically allows the US government to force American tech companies to provide requested data, whether the data is hosted in US data centers or abroad - as long as it is related to a valid US legal process. Countries that enter into a CLOUD Act agreement are also able to request data from US providers.
“For the storage of such sensitive data, we need a cloud provider that is exclusively subject to European data protection law - not a provider that is also subject to the US CLOUD Act,” Kelber told Politico.
“We made that assessment clear as early as last year. And we can’t understand why the German Federal Police does not follow this clear legal assessment.”
His concerns over AWS would also apply to other US cloud companies like Google, Microsoft and IBM.
A spokesperson for the German interior ministry defended the choice, saying that AWS "is the only suitable cloud provider because the Motorola software cannot be used on any other cloud infrastructure without significant modifications."
Kelber, a member of the center-left Social Democratic Party (SPD), has no powers to stop the decision, and can only reprimand the police or make compliance visits.
Should the US request data from AWS, whether the company will hand it over is a matter of debate. The Clarifying Lawful Overseas Use of Data (CLOUD) Act was meant to simplify the process of deciding what can and cannot be shared, but many questions remain outstanding. AWS could theoretically fight the request on the grounds that it contravenes local laws, and even GDPR, but that would require AWS to wish to do so.
Further down the line, Germany may shift the data to its own governmental system, 'Bundes-Cloud,' but it is some way off.