Data Sovereignty
Data sovereignty is the principle that data, and especially personally identifiable information (PII), is governed by the data protection laws and practices of the country in which it is processed. Under most data protection legislation, merely storing data counts as processing, so data at rest is not exempt. Things become more complicated when the data is processed in another country.
The usual stance is that a country the data is sent to for processing or storage must have a data protection framework at least as effective as that of the originating country. The General Data Protection Regulation (GDPR) made this the law in the EU: personal data may only be transferred outside the European Economic Area to countries the European Commission has deemed to provide adequate protection, or under specific safeguards such as standard contractual clauses.
Europe isn’t an isolated case. Many non-European countries, among them Russia, Vietnam, and Indonesia, have laws on data residency and data sovereignty. The two terms are often confused or conflated, but they are related, distinct concepts.
Data Residency: A country or business specifies that data is stored in a specific geographic location. A business may do this to take advantage of a permissive legal system or attractive tax laws.
Data Sovereignty: Data sovereignty builds on the geographic requirement of data residency: the data is also subject to the laws of the country in which the servers are physically located. This is dictated by legislation rather than business choice.
Geography and Data Privacy
Building data centers to satisfy the geographical requirements of your customers might be a sensible business move, but it doesn’t mean all of your data sovereignty issues have been solved. In 2013, U.S. law enforcement obtained a warrant requiring Microsoft to produce emails relevant to a case they were pursuing.
Microsoft refused, arguing that Section 2703 of the Stored Communications Act (SCA) could not compel an American company to produce data stored on servers outside the United States. The emails were held in Microsoft’s data center in Dublin, and Microsoft contended that extracting them and handing them over would breach the European Data Protection Directive, the forerunner to the GDPR.
Microsoft argued that the request should instead be made to the Irish Government under the U.S.-Ireland Mutual Legal Assistance Treaty (MLAT), just as it would be if the data were stored on paper in Ireland. Microsoft lost in the district court, appealed, and won the appeal.
The U.S. government then took the case to the Supreme Court. While that case was pending, Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act. A new warrant was issued under the CLOUD Act, and the original warrant and the litigation around it were dropped as moot.
Unlike the SCA, the CLOUD Act unambiguously compels a U.S. provider to hand over data and information in its “possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” That sits in direct opposition to the GDPR, whose Article 48 says a third-country court order requiring disclosure of personal data is only enforceable if it rests on an international agreement such as an MLAT, and it flies in the face of data sovereignty.
We’ve already seen the start of the backlash against this type of broad data gathering. The ability of the U.S. government and its intelligence agencies to compel U.S. companies to hand over data was central to the demise of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. In the case known as Schrems II, the Court of Justice of the European Union was asked whether the privacy of EU citizens could be upheld if U.S. companies could be compelled to hand over their personal data. In July 2020 the court ruled that it could not and invalidated the EU-U.S. Privacy Shield; the Swiss data protection authority followed by withdrawing its recognition of the Swiss-U.S. framework.
The CLOUD Act extends the reach of those data requests to any data under a U.S. company’s control, regardless of where in the world the servers are. Needless to say, that’s not an attractive position for European organizations bound by the strictures of the GDPR.
The GAIA-X Initiative
On Oct. 15, 2020, all 27 EU member states signed a joint declaration to work together toward a European cloud federation, the effort associated with the initiative known as GAIA-X. The initiative is a collaboration between the European Commission, the member states, and around 100 companies and organizations including Deutsche Telekom AG, Deutsche Bank AG, Siemens, and Bosch.
The objective is to bring the flow and storage of European data under greater European control. Given that dependence on the cloud is only going to increase, this makes sense. GAIA-X starts from the premise that the geography of the cloud matters immensely for data sovereignty: a predominantly U.S.-based cloud makes it difficult or even impossible for European individuals and organizations to know how their data will be safeguarded, managed, and governed.
What started as a mainly Franco-German project now has broad European backing. It is aiming high: a European federated cloud with trusted data flows, storage, and consistent data protection rules. Realizing it would require reusing existing cloud infrastructure, adopting new technologies, and a great deal of new interworking between providers.
There will be an application layer where users and consumers interact with the services they have subscribed to, and an infrastructure layer of interconnected data centers with flexible, dynamic bandwidth. A European cloud has been mooted before, and nothing materialized despite millions being pumped into projects like CloudWatt. GAIA-X is still in its infancy: proof-of-concept ideas are due by the end of 2021, and while the actual design is barely more than a set of ideals, the project goals and benefits have been established.
Combining Investment: Pooling private, national, and EU investment to deliver competitive, green, and secure cloud infrastructures and services.
Defining a Common Approach: The European “approach to federating cloud capacities” will lay out one set of joint technical solutions and policy norms. This will provide rules and guidelines for data centers that want to join the European cloud, a sort of plug-and-play for data centers.
Driving Security and Interoperability: Security and data sovereignty are expected to drive adoption of the GAIA-X cloud of energy-efficient data centers and services. Europe wants to drive cloud uptake in organizations of all sizes, and in particular small and medium enterprises, start-ups, and the public sector.
The Big Boys Want In Too
Although this sounds like something the current cloud giants would regard as threatening competition, AWS, Microsoft, and Google have all joined the project.
Casper Klynge, Microsoft’s Vice President for European Government Affairs, has said Microsoft’s “…commitment to privacy is longstanding and unwavering,” and that “…digital sovereignty and self-determination are critical.”
It would be easy to be cynical and say these organizations are jumping on the bandwagon because they don’t want the negative press of being seen not to uphold the principles behind the initiative, or because they can’t afford to be cut out of any opportunities that arise. They cannot let a project of this size roll by without engaging if their competitors have a seat at the table. And Europe is a massive market they don’t want to alienate.
They bring invaluable expertise, experience, and resources to GAIA-X. Let’s hope too many cooks don’t spoil the broth, and that something tangible is actually delivered.