When hyperscalers can’t safeguard one nation’s data from another, dark clouds are ahead

Opinion The details of cloud data regionalization are rarely the stuff of great drama. When they’ve reached the level of an exec admitting to the Senate that a foreign power can help itself to that nation’s data, no matter where it lives, things get interesting.

It was the French Senate, Microsoft France’s director of public and legal affairs, and the foreign nation? The USA.


This is a great story, but it’s not really news. Microsoft’s strategy to pacify EU data sovereignty unease has been to offer a special Cloud for Sovereignty service girded with special contractual promises. Topped off with an extra-special pledge of stiff legal resistance if Washington approaches with the can-opener. This is all doubtless true, but as a plausible guarantee of data safety, skepticism is too weak a word. It compares poorly to sheltering from an atomic blast by hiding in a fridge.

The trouble with data sovereignty is that of sovereignty itself. The word is a powerful concept that’s easy to grasp, thus ideal as a tool to persuade and motivate. It was a primary war cry for those wanting to leave the EU during the UK Brexit referendum. Take back control, abolish alien interests in our affairs, create a state entirely in our own interests. Sounds great, until reality intrudes. Absent isolationism or invasion, if one sovereign state wants to deal with another, then both have to accept a pragmatic dilution of individual power in the greater interest. Think North Korea, think Putin’s Russia, think the EU.

So it is with data sovereignty. The most succinct definition of the cloud is the most useful here: it’s somebody else’s computer. If that someone else can be compelled by law to let someone you don’t like turn up with a big USB drive and a writ, you do not have data sovereignty. The same goes if you want to be the ones seeking to help yourself to data. The UK government, having used its Brexit-boosted sovereignty last year to sharpen its claws, secretly demanded that Apple put a back door into its encryption services. This has not gone well; Apple did no such thing, and Washington put the boot in. Nothing like the smell of burning rubber in the morning as the sharpest of U-turns gets underway. Stop taking orders, start making orders, indeed.

The power of pragmatism over ideology isn’t going away. It is perfectly possible that after due consideration, the EU will mandate that sensitive data cannot be stored or processed in places where non-EU entities can demand access. This would be a major blow to all US-based hyperscalers, especially where cloud services are inextricably linked to AI strategies, which is all of them. It would also look like a boost for EU-homed cloud providers, although who knows how far this would anger the febrile American administration and what it might do to show that anger.

In any case, if there’s one thing we’ve learned this past decade it’s that things can change rapidly, fundamentally and in unexpected ways. Assume that one or more native EU concerns get all the business, state, corporate and consumer, banned from US-controlled platforms. What are the rules for partnering, investment, changes of ownership, and establishing zones outside the EU? What if they, too, change?

There is in truth no immutable guarantee about someone else’s computer, whether you’re a country or a corner shop. How much this matters to you is part of the great three-factor equation of data safety. How much do you need, how much will it constrain your goals, how much cost can you bear?

The ultimate safeguard against legal, invisible, state-sponsored snooping is on-prem services. Will your own data security be as good as that of the hyperscalers, or will you be more vulnerable that way to other threats? What do you lose in scalability and reliability, and what happens if you want to operate in markets with data sovereignty restrictions not to your advantage? If you’re the NSA or GCHQ, the answers are going to be clear. For everyone else, the shifting sands of the international legal, regulatory and power-broking environment mean more uncertainty on the horizon.

In the bleakest view, data sovereignty is used to drive a balkanised world of services, one where national and bloc interests are used as excuses to shut down competition and choice. Through rosier glasses, a strong international framework is built to guarantee data sovereignty by origin irrespective of locality.

Like Microsoft’s claims to defend EU data, you’ll have to judge the credulity of that particular eyewear for yourself.
