Berlin Weighs Possible Hit to U.S. Tech Firms
Draft Web Law Could Exclude Some Companies From Germany's Digital Economy
By CHASE GUMMER
Nov. 2, 2014
BERLIN--German politicians are debating a new Internet-security law that could exclude U.S. technology companies from Germany's digital economy, a sign Berlin is beginning to press its commercial advantage after revelations of spying by the NSA.
The draft law, which is still being hammered out, envisions new requirements like revealing source code or other proprietary data for companies that sell information technology to the German government or to private companies that are part of industries Berlin deems critical to the country's security.
Officials at many U.S. companies say they fear the sweeping language of the provisions will be used to prevent them from competing for technology contracts in Germany, where attitudes toward American companies have deteriorated since disclosures that the U.S. National Security Agency spied on German politicians.
Germany, Europe's largest market for information technology and telecommunications, generates roughly (EUR)138 billion ($173 billion) of business annually in the field, according to the German ministry of economics. The country is an important market for companies such as Oracle Corp., Citrix Systems Inc., International Business Machines Corp. and Microsoft Corp.
"We cannot afford to be open to attacks on our economy," said Gerold Reichenbach, a Social Democrat in the German Parliament and member of Chancellor Angela Merkel 's ruling coalition, defending the bill, which is widely expected to become law. He said the measure would "help prevent espionage, wherever it comes from."
Andreas Povel of the American Chamber of Commerce in Germany said that U.S. technology companies were finishing a position paper critical of the bill and warned that German politicians should think twice about "nationalizing" Internet security because "the country may fall technologically behind."
Politicians here are concerned about what they call "data sovereignty," or the ability of Germans to control digital information in Germany. But several recent government decisions aimed at boosting data sovereignty have also squeezed U.S. technology companies.
In April, after the German government failed to win assurances from Washington it wouldn't spy on its ally, the German Interior Ministry issued a unilateral "no spy" order for public contracts, disqualifying IT companies that pass customer information to third parties or foreign governments.
After Chancellor Merkel discovered her phone had been tapped by the U.S., Berlin tried and failed to get a no-spy agreement with Washington for the intelligence agencies, said Ben Scott, a former State Department official under Hillary Clinton. The unilateral no-spy order "was the only thing that drew blood," he said.
In May, German Economics Minister Sigmar Gabriel said he could imagine breaking up Google Inc. and regulating it like a utility because of its market dominance.
A month later the government said it would end a contract with Verizon Communications Inc. because of concerns about network security, and phase out Verizon's existing government contracts by 2015.
Now the new bill under review would require additional certifications for companies that want to sell IT equipment or software for use in sectors of the economy deemed part of its "critical infrastructure."
This would include "any important area of the economy that can be hacked by a computer--basically everything from energy and transportation to public administration and finance," said Hartmut Pohl, professor of computer science at the Bonn-Rhein-Sieg University of Applied Sciences.
While the bill is at an early stage and has yet to reach Parliament, the draft has raised almost no criticism in Germany.
One representative of a U.S. company in Berlin said Germany's no-spy rule had already stopped the company from competing for government contracts. "The law gives so much authority to the government to regulate vast parts of the digital economy that there's lots of potential for abuse," said the person, a German national.
The German government is also considering requiring that German Internet data be stored locally, to boost data sovereignty. This would pose significant challenges for international tech companies offering cloud-computing services, because their business models are based on moving data freely around the globe.
Amazon.com Inc. said in October that it would open facilities in Germany for its cloud services, giving in to pressure from regulators and clients who fret about data security.
Some tech-industry officials here say the winner could be Deutsche Telekom AG , the privatized former phone monopoly, in which the German government still holds a 32% stake. After the German government cut ties to Verizon in June, industry officials note that Deutsche Telekom, which owns a 67% stake in U.S. cellular service T-Mobile US Inc., picked up the contract.
"Of course, Deutsche Telekom is trying to use the breach of faith since the NSA affair for its own interests," said Konstantin von Notz, a member of Parliament from the opposition Green Party.
Andreas Middel, a spokesman for Deutsche Telekom, said neither his company nor the German government was responsible for the "crisis of trust" and dismissed as "absurd" accusations that the draft aimed to exclude U.S. companies. "In the discussion about the German IT security law we need to remind ourselves of who caused this," he said.
The government earned roughly (EUR)453 million in 2013 from dividends on its Deutsche Telekom stake.
The German Interior Ministry, whose officials wrote the first draft of the new law, has been a leading voice in the internal government debate for tougher technology standards. But IT specialists in other ministries have voiced frustration with the Interior Ministry's efforts to exclude foreign technology companies, officials from several tech companies said.
Interior Ministry spokesman Tobias Plate said his ministry wasn't aware of such criticism.
Some German companies with global operations, like their U.S. peers, say they are worried the government is pushing too hard for a national solution.
"National solutions for cloud computing are the wrong path," said Luka Mucic, chief financial officer of German software company SAP SE. "We must work with international partners like the U.S. and simplify the regulatory framework."
Write to Chase Gummer at Chase.Gummer@wsj.com