Mattias Åström peers out of his office window in France, contemplating the intricate network of roads and bridges that have stood for centuries. As the founder and CEO of Evroc, he reflects on the present: foreign companies constructing critical digital infrastructure. The discussion revolves around digital sovereignty, Europe’s capacity to govern its data and technology, a matter of increasing concern.
One primary concern in Europe is its dependence on American companies, particularly for cloud services. Leading players like Amazon and Microsoft dominate this arena. This reliance can lead to complications, especially when European customer data resides in American cloud services, subject to conflicting laws.
The General Data Protection Regulation (GDPR) mandates that EU organizations safeguard personal data, and equivalent data protection laws apply in the UK. In contrast, US laws grant broad authority to intelligence and law enforcement agencies for data access.
A prominent illustration of this conflict emerged in May when Facebook received a record €1.2 billion (£1 billion) fine for inadequate data safeguards for EU-to-US data transfers. However, in July, the European Commission endorsed the new EU-US Data Privacy Framework, which offers adequate protection for personal data sent to the US and allows US firms to participate.
Mr. Åström’s company, Evroc, headquartered in Stockholm, envisions creating Europe’s first “sovereign hyperscale cloud.” This cloud infrastructure would operate fully under European jurisdiction and compete with major US counterparts, including Amazon Web Services (AWS), Microsoft, and Google, who collectively command 65% of the global cloud market, according to Synergy Research Group.
Securing €15 million in seed funding, Evroc plans to establish eight data centers across Europe over the next five years, with the first pilot data center slated for construction in Sweden in the coming year. For Mr. Åström, technological independence from the US is integral to achieving digital sovereignty, ensuring Europe’s resilience in the face of potential conflicts and crises.
Cloud computing firm Ionos has already positioned itself as a European alternative to US tech giants, emphasizing its immunity to the US Cloud Act, which grants US authorities the right to access data stored by cloud companies operating in the US, even if the data resides outside the US. Ionos develops all its software in Europe, and its European servers are segregated from those in the US, fostering trust among its users.
Responding to concerns about digital sovereignty, Amazon Web Services asserted its commitment to safeguarding data and complying with EU laws, highlighting that there have been no data requests to AWS that resulted in the disclosure of data stored outside the US to the US government. They further emphasized their willingness to challenge law enforcement requests that conflict with EU law.
Ionos is one of 377 organizations participating in the Gaia-X project, which seeks to connect cloud service providers in a federated system, allowing data to move while retaining control in the hands of data owners. This collaboration includes the European divisions of Microsoft, Google, and Amazon, indicating a united effort to challenge US tech giants.
Rainer Straeter, head of cloud development and digital ecosystems at Ionos, emphasizes the importance of cooperation among European cloud providers to rival the capabilities of AWS, Google, and Microsoft. He believes that, by sharing an ecosystem, European providers can collectively strengthen their position.
Resilience in infrastructure is a key component of digital sovereignty, given Europe’s history of crises, including the financial crisis of 2007-2009, the Covid-19 pandemic, and the conflict in Ukraine. Federated networks, with their distributed nature, offer greater stability.
Balancing free speech and protecting citizens is another facet of digital sovereignty. The UK’s Online Safety Bill, currently in parliament, seeks to require social media platforms to swiftly remove illegal content, enforce age checks, and prevent children from accessing harmful content. This approach differs from the US, which often prioritizes freedom of expression.
Data laws in the UK and EU apply to citizens even if their data is processed abroad. This means that data stored on US servers but pertaining to UK or EU residents is subject to UK and EU legislation.
Regarding data sovereignty, considering the entire supply chain is vital. Understanding where data is hosted, how it is backed up, and who manages it ensures a more comprehensive assessment of data sovereignty.
Barry Cashman, representing Veritas Technologies, highlights the safeguards provided by the EU-US Data Framework, assuaging concerns about the easy access of corporate data by US authorities.
In conclusion, data localization and digital sovereignty are becoming increasingly critical in Europe. As European companies and governments endeavor to secure their data and technology independence, collaboration and robust infrastructure play pivotal roles in achieving these objectives. Balancing these goals with freedom of expression and effective data governance will define the path forward in the digital age.