FIC 2023 An obstacle course for Europe’s sovereign Cloud

Despite the optimism and willingness displayed by public and private European sovereign Cloud players, there is still many a slip ‘twixt cup and lip for this highly strategic project. This is what emerged from the “Towards a European alternative to US Cloud standards?” roundtable held at FIC 2023 in Lille.

The assessment made by Solange Viegas Dos Reis, head of legal at OVHcloud, was unequivocal: “In 2017, the share of European players in the European Cloud market was 27%. Five years and a market boom later, the same European players represent only 13%.” Americans are head and shoulders above their European competitors in terms of market share and technology.

And the challenges are not just commercial, as explained Hugues Foulon, CEO of Orange Cyberdefense. “One of the main issues for some of our customers is extraterritoriality, as it relates to the Cloud Act and the Patriot Act. It is our duty at Orange not to be naive, to convey the consequences of choices, whatever they may be.”

US legal extraterritoriality? It means you are subject to US jurisdiction upon using American goods or services, whether it’s a measly dollar or a Gmail address. A direct consequence is that any US company Cloud user falls under American law and the confidentiality of his data is no longer guaranteed.

Let’s “not be naive” in the face of challenges from the Cloud

“We’re talking about data protection and its significance, but let’s not forget the right to privacy. And privacy does not only extend to individuals residing in the European Union, but also to legal persons, such as corporations,” explained Peter Sund, the CEO of FISC (Finnish Information Security Cluster, the Finnish cybersecurity interbranch organization).

The Cloud in Europe? A market totally dominated by sometimes intrusive foreign players, whose governments can claim the right to access the data of any citizen or business; the opposite of a “trustworthy Cloud”. A very French expression emphasized Rayna Stamboliyska, uncertainty management specialist for RS Strategy, who was hosting the round table. She then asked speakers “what trust in the Cloud means, and how they implement it on a daily basis in technical, technological and operational terms.”

“This comes down to the fact that the user has freedom of choice thanks to technological interoperability and reversibility. Moreover, data will be protected and will not be used for purposes other than those he has specified,” answered Solange Viegas Dos Reis. Hugues Foulon subscribed to these operational principles, pleading for “pragmatic solutions that make it possible to move forward and gain strategic autonomy. And that’s what we did with ‘Bleu’.” This joint venture between Orange and Capgemini, in partnership with Microsoft, will be operational in 2024 and aim to provide a “trustworthy” and “sovereign” Cloud to public and private players in search of the highest level of security and privacy.

“Schrems II”, Cloud players backed into a corner

The solution has “the advantage of being compliant by design. This was the only way to be compliant with the GDPR,” underlined Bertrand Pailhès, head of IT and innovation at the CNIL (French data protection authority). Indeed the technical aspect alone is not enough; a legal and regulatory framework is also essential in guaranteeing trust in the Cloud. And in this regard the EU seems to have grabbed the bull by the horns. “Europe has included a fairly strong principle everyone agrees on, I think, which is that the protection of Europeans’ data must be guaranteed everywhere, at all times,” said Bertrand Pailhès with satisfaction. The GDPR, which is very protective of personal data, is thus elevated to the rank of a de facto standard which the rest of the world should follow.

This was the sentiment behind the “Schrems II” decision, which the Court of Justice of the European Union (CJEU) rendered on July 16, 2020. Considering personal data protection in the United States wasn’t up to snuff, the CJEU voided the “Privacy Shield”, the data transfer system set up between Washington and Brussels. The problem is that nothing was agreed upon to replace it and that the market is not ready, according to the head of IT and innovation at the CNIL.

“The CJEU’s decision will come into force on July 17. Starting tomorrow, it will be forbidden to transfer data to the United States. There is no transitional period,” lamented Bertrand Pailhès at FIC. “Sometimes it’s completely unrealistic to think that because a judge in Luxemburg has decided the market wasn’t compliant with basic rights, everyone will immediately agree and get up to speed,” he added. And in this case, the regulator must be flexible until enough “alternative solutions (sic) come about.”

Legislative wheeling and dealing

European legislature is thus full of good intentions, but they sometimes clash with reality… Unless they are “regulatory issues that are in some way complete opposites of one another,” pointed out Peter Sund, for whom “it is always difficult to strike a balance” between contradictory objectives. Thus, the protection of personal data may seem at odds with the powers granted to authorities and courts to investigate. He used the example of the series of measures called “a better internet for children”, designed to combat child sexual abuse material.

To do so, the European Commission enables authorities to access images and other material hosted by online service providers, in particular encrypted messaging services. This measure renders useless data encryption, which security in the Cloud relies heavily on. “This runs the risk of spreading confusion and fostering a situation that goes against the Cloud’s objectives,” worried Peter Sund, while acknowledging the importance of the fight against child sexual abuse.

According to Bertrand Pailhès, the United States relied on solid legislation to develop the Cloud: “It was launched ten years ago and is now exhaustive, the industry is highly regulated, and this has in fact allowed the American Cloud ecosystem to grow, as there were clear rules about what was expected of it.”

“Europe must breed champions”

This favorable framework is just one of the expressions of strong political will, agreed Solange Viegas Dos Reis: “when we look at American or Chinese Cloud leaders today, we realize that they solidified their position on their domestic markets thanks to strong government support, with public contracts, and funding and research grants.”

This willpower was long lacking this side of the Atlantic, insofar as the Commission’s liberal principles (no market intervention) held strong. This could change however: “we support the ‘Buy European Act’, which would provide for tangible, financial support, and give all Cloud players the necessary means to grow,” further stated Solange Viegas Dos Reis.

It is indeed time to shake things up, deemed the CEO of Orange Cyberdefense France. “Europe must breed champions in this area,” pleaded Hugues Foulon, who also emphasized that we shouldn’t stop here. The Cloud is not just about datacenters, it also entails rapidly evolving software solutions, cybersecurity, maintenance, in short, an entire environment. And according to him, “Europe is not fully aware of the scale of the training required.” The EU still lacks developers and experts of all sorts. Without these skills, “it will be difficult to operate a strategically autonomous system.”

“We’re going to have a hard time creating an ecosystem as high-performance as those of market leaders, from scratch. I think it is more a matter of decades,” warned Hugues Foulon, who argued for a practical approach, just like with the partnership between “Bleu” and Microsoft. Will it even be possible to one day do without American Big Tech? European professionals want to believe so.