Is “sovereign washing” the new “privacy washing”?

Microsoft, Google, and AWS recently published “sovereign clouds” - aiming to reassure European customers they have control over their data.

🐴 But this is nothing more than an illusion – one could say a Trojan Horse at Europe’s digital gates.

Despite their marketing, these providers remain US companies. That means they are subject to the CLOUD Act, which obliges them to hand over data to US authorities. It does not matter whether the servers are in Frankfurt, Paris, or Brussels – European data can be sent to the US at any time, without a court order, and without informing affected customers.

Even advanced technical safeguards can’t change this legal fact. The promised control is a dangerous illusion.

❌ Digital sovereignty doesn’t come from shiny new product names such as these “sovereign clouds”.

✅ Digital sovereignty comes from full legal and technical control. Everything else is nothing more than sovereign washing. Fortunately, Europe has great solutions already.

👉 Read the full article: "Sovereign cloud" or "sovereign washing"? A Trojan Horse at Europe's digital gates. | Tuta

10 Likes

Thanks for the blog post. Very important; almost all business economists don’t seem to know that. We engineers don’t trust general terms and conditions etc.

Please distribute this blog post to decision-makers in companies and make it known. “We down there” already know that.

(I tried to set up a Tuta mail account for testing, but got banned after 5 min.)

1 Like

The post completely ignores the legal framework for subsidiaries. Following the same logic, McDonald’s workers in the EU are subject to US laws because McDonald’s is a US company.

I work professionally with IT integration. From my personal experience, many business owners are well-informed about the issues, but their main focus is not privacy and personal data. Two of the main considerations for businesses are whether they could lose access to services and their data, and whether subscription prices could explode because of counter-tariffs on US digital services.

2 Likes

This issue seems simple on the face of it, but it also feels so simple that any decision maker in this kind of position would also see this problem and therefore not agree to the offered solution of a sovereign cloud. It makes me think that I’m missing context.

1 Like

The marketing version would be that it’s cheaper and more reliable.

I don’t quite believe either, but it is cheaper than “self hosting” on the corporate costing I’ve seen.

From a company perspective paying a large company vs hiring enough employees to do the work seems to work out in favour of cloud computing.

As an example, Microsoft creates a European subsidiary and a datacenter in the EU, run by EU nationals. Your business would still be exposed to the risk of Microsoft being banned from trading with the EU, and that tariffs could be applied to US services, but you can continue to use all your current IT infrastructure.

What is the alternative? You completely abandon all US tech and switch to FOSS?

Most of the work I do has to do with applications handling enterprise resource planning. This is something every company needs: it handles in- and outgoing orders, inventory, finances, taxes, employees, payrolls, and so on. You can’t just switch this type of application; most only run on Windows, and switching to a different application is very expensive.

On top of this, most companies have custom-tailored their IT solution to their business process. It is not uncommon for a business to have spent a decade fine-tuning a custom-built software solution that would need to be completely rebuilt for a different platform; this is extremely expensive.

You also have to factor in all the added cost of having to retrain employees to use different software, and so on.

If you have to consider time and cost, which is the reality for most businesses, the alternative is a lot less attractive.

1 Like

So it’s worth the risk to work with a big cloud provider even though they’re a US company that may introduce changes to your costing. That seems reasonable.

What I’m wondering is, from a data ownership perspective, if the idea of a sovereign cloud is just marketing bluster. I don’t think I buy that, even though this is an assumption on my part. Surely the EU and other Fortune 500 companies would understand that the US could just request data and thus not give credence to the idea that sovereign clouds are actually sovereign if they are still exposed. Unless the idea of a sovereign cloud is only supposed to refer to the fact that all of the infra and operations are within the country’s jurisdiction, in which case it’s a matter of defining terms.

1 Like

The article says to choose European companies as alternatives. Honest question here….what European big tech companies?

What European (or any nationality really) companies could replace Microsoft, AWS, Oracle, or Google for enterprise scale cloud computing?

The only sorta alternatives at all are Chinese, and choosing PRC-controlled infrastructure to avoid the U.S. is a fool’s bargain.

1 Like

It’s only the top 1% of European companies that have more than 50 employees; for the majority it’s not the need for scaling enterprise solutions that is the problem. Something like Linux + LibreOffice + Nextcloud + EU e-mail/hosting/backup providers could in theory work as a replacement for big-tech.

The first major issue is going to be the price; I seriously doubt you are going to be able to match the price and quality of the Google and Microsoft products.

The second issue is going to be business-specific applications that are only available for Windows.

2 Likes

That is Nextcloud’s exact market. They recently raised their minimum enterprise contract from 50 to 100 users minimum.

Please contact us at hello@tutao.de so we can activate your account. Sorry about that!

No answer from hello@tutao.de - is this mailbox active?

1 Like

The laws are meant to slow the system down (in other words, these are meant for the “good times” and for “good allies”). In an adversarial situation, there’s a genuine question of whether a US company, even via subsidiaries, can really be truly “independent”. A few examples of worldwide sabotage: Microsoft backdooring Windows for the US, or China allegedly rigging Huawei-supplied 5G equipment, etc.