The Data Protection Authority in an influential German federal state has recently taken the position that relying solely on the European Union standard data transfer clauses in a cloud computing engagement is not enough to satisfy German data privacy laws – regardless of whether the cloud computing provider is located inside or outside of the EU. The authors consider the implications of this and other stricter data privacy requirements for the outsourcing arrangements of companies operating in Germany.