Cloud Exit for ERP/ECC 6.0 & S/4
Whether the saying "nothing is as bad as it looks" is true this time around is still up in the air. The combination of the US Cloud Act and the GDPR could be a hot challenge for existing SAP customers.
It's all in the mix: The situation regarding the GDPR is tense, but not hopeless, because there are numerous service providers with knowledge of the GDPR.
With the US Cloud Act, on the other hand, everything is open and possible. No one yet knows how the US government authorities will implement and apply the Cloud Act in practice. And for existing European SAP customers, the all-important questions arise:
- Are the US Cloud Act and the GDPR compatible?
- Does the European General Data Protection Regulation from May 25 mean that you have to avoid any US-based cloud provider like the devil avoids holy water?
- What will become of SAP's multi-cloud concept with US collaborators Amazon, Microsoft and Google?
Side note: For many years, there was speculation that after the departure of SAP co-CEO Jim Hagemann Snabe, sole ruler Bill McDermott might move SAP headquarters to the United States.
This year, CFO Luka Mucic casually told us that SAP has transferred all patents to the European headquarters in Walldorf. A wise move in light of the US Cloud Act, when SAP remains one hundred percent a European company!
Thus, there are SAP partners in Germany who warn against any further involvement in AWS, Azure and Google Cloud, or at least recommend halting ongoing projects until clarity and compatibility between the Cloud Act and the GDPR emerge (see also data protection report on page 22 of this issue with statements from DSAG e. V., AWS and SAP partner QSC).
What do Microsoft and Google say? Nothing really, they are obviously trying to sit out the problem. There are English-language tweets, but they do not have any substantial statements for existing SAP customers.
Possible conclusion: Get out of Google Cloud Platform and Microsoft Azure - even if an on-premise installation has to be reactivated in the medium term.
The risk to one's own intellectual property (IP) seems very high under the US Cloud Act, because with a Hana and S/4 implementation in Google, Azure or AWS, from now on not only the data but also the business processes are open to the US authorities.
The idea of "industrial espionage" doesn't seem too far-fetched. However, Microsoft seems to be aware of a danger, as can be seen in the following message:
Microsoft has declared a new era in the handling of intellectual property rights in IT development. As part of Microsoft's "Shared Innovation" initiative, the intellectual property rights to digital products and services that customers develop in partnership with Microsoft are to remain entirely with the customer. (end of quote)
Even if this commitment is only peripherally helpful for existing SAP customers, at least they know that Microsoft is not ignoring the IP issue.
This data protection discussion will continue after May 25. Currently, great due diligence is called for. Until there are public, binding statements from SAP, AWS, Microsoft and Google, you should evaluate a cloud exit or switch to the secure side of a European provider.
However, on-premise cloud providers are also keeping a very low profile in the ongoing Cloud Act/GDPR discussion - possibly leading the community back to on-premise?