17 May Europe wants to know—what do cloud companies stand for? Chapter 2: Digital Sovereignty
The founding proposition of cloud computing is that the servers which store customer data and execute applications are no longer directly controlled by customers on their own premises. Instead, they are located somewhere else, owned and operated by another company. That indefinite “somewhere else” is what the deliberately vague outlines of the ubiquitous cloud symbol stand for. But this indefiniteness is of course only a convenient fiction. In reality, servers and data are always located within the frontiers of some definite country, subject to the laws of some definite jurisdiction. And because laws change from one jurisdiction to another, cloud computing inevitably raises the question of whose laws will prevail when data crosses borders. When nearly all enterprise computing occurred on premises, digital sovereignty was not an issue, but it is now.
Just as Europe led the world in establishing a strong legal foundation for data privacy with the GDPR, it is now assuming a leadership role in defining new rules for digital sovereignty in the cloud-first era. There are at least two distinct but related tracks that the digital sovereignty discussion in Europe has followed: the first, embodied in negotiations between U.S. and EU authorities, is legal and regulatory; the second, represented by industry-led initiatives such as GAIA-X, is technological and commercial.
The legal and regulatory discussion has been driven chiefly by European concerns about the potential of U.S. government agencies to invoke U.S. laws such as the CLOUD Act to reach into European data held in the datacenters of U.S. cloud providers. Statistics published by the providers show that U.S. demands for data belonging to European enterprises, which can occur during investigations of terrorism, drug smuggling, and other crimes, are in reality exceedingly rare, occurring on average only once or twice per year. But the concern in European capitals and among some European multinational companies about the reach of the U.S. government is real and legitimate.
The issue came to a head in July 2020, when the Court of Justice of the European Union invalidated the U.S.-EU Privacy Shield agreement that had previously regulated trans-Atlantic data transfers. The past two years have seen intense negotiations between the U.S. and the European Commission to develop a so-called “Privacy Shield 2.0”. The goal has been an agreement that can balance the European requirement for strict limits on U.S. data intrusions with the undisputed need in a modern global economy for liberty of data movements between nations and continents. In April of this year the two sides announced the Trans-Atlantic Data Privacy Framework. While debate on this sensitive issue will undoubtedly continue, the new framework should provide a solid foundation for progress and has been rapidly embraced by the cloud industry.
In parallel to these inter-governmental negotiations, the technological and commercial side of the digital sovereignty debate continues unabated but has focused on a somewhat different set of issues. The European cloud market today is a very diverse place, where the global hyperscale providers operate alongside a number of dynamic European players, including Deutsche Telekom, OVHcloud, SAP, Orange, and many smaller players. These providers concede nothing in technological sophistication or commercial agility to their extra-European competitors, and some of them such as OVHcloud have opened datacenters in the U.S. But while the European players have notched strong growth in recent years, more than doubling their revenue between 2017 and 2021, their share of the market trails that of the global hyperscalers. This has led to calls for European governments to step in and do something to boost the European cloud industry.
The GAIA-X initiative launched by France and Germany in 2019 was initially seen by some as an effort to build an “Airbus for the cloud” that would marshal the many tens of billions of euros in capital investment needed to rival the hyperscalers. But today GAIA-X is pursuing a quite different goal: that of reliable, trusted, and transparent data federation between organizations using heterogeneous clouds.
A common scenario today is that companies working together in the same industry struggle to collaborate because they are using multiple cloud services with different features, often hosted in different countries. The GAIA-X vision is to create industry-specific data spaces where companies can share data and collaborate in a safe environment without being locked in by specific vendors. For this purpose GAIA-X is developing a software framework to sit on top of heterogeneous clouds and provide a unified interface with common features. The hope is that the GAIA-X federation services will:
“…guarantee full transparency on the actual service attributes of each cloud offering, such as the location of data, accessibility by external personnel, data usage by third parties, certification level or applicable legal framework. Customers can freely select suitable cloud services according to desired key properties without having to rely on voluntary information from the provider side.”
This is an ambitious goal and opinions differ in the industry about how long the path will be to achieving it. But there is no doubt that nearly everyone who is anyone in the European cloud industry endorses the goals of GAIA-X. From fewer than two dozen mostly French and German members at its launch, the organization has grown to 342 members from dozens of countries, including 20 EU member states along with the United States, China, Japan, and India. All three of the U.S. hyperscalers have declared their enthusiastic support for GAIA-X.
An early product of the GAIA-X project is the open-source Eclipse Data Connector project that enables sovereign, multi-cloud, policy-based B2B data sharing. The project is still in its early stages (see its GitHub repository here), but is being supported by Daimler, BMW, Deutsche Telekom, SAP, Bosch, AWS (the cloud arm of online retail giant Amazon) and Microsoft, among others.
While competitive rivalries among the three U.S. hyperscalers and Europe’s local players are naturally fierce, the GAIA-X ideal of a fair and open terrain on which all market participants who agree to obey a common set of rules can play is powerfully aligned with the interests of European industry.