Europe Starts to Build Its Own Secure Cloud

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X. The resulting data infrastructure should strengthen both the digital sovereignty for the demand of cloud services and the scalability and competitive position of European cloud providers. In the meantime, US cloud providers like Microsoft Azure change their contracts to align with the EU privacy regulation, GDPR.

"GAIA-X is one of the most important digital projects to defend the leading position of the German and European economy internationally," said the German Research Minister, Anja Karliczek. "GAIA-X will create a secure European space for data storage and processing. This is urgently needed, because power over data in Europe should no longer be in the hands of a few international corporations. With our project, safe roads are being built in Europe in the digital world. This is of central importance for the further development of the economy in Germany and Europe," said Karliczek.

The project envisages the networking of decentralized infrastructure services, in particular cloud and edge entities, to a homogeneous, user-friendly system. For example, companies in the EU could join forces and offer each other server capacity.

However, the new system should definitely not be set up as a competitor to the major US providers such as Amazon, Google or Microsoft, says the German government. Freedom of choice should be created, especially for European SMEs, on which servers and with which security standards sensitive data is stored.

"Europe will gain sovereignty over the secure economic use of data by building its own structures on cloud servers. This is the prerequisite for companies to be more willing to take full advantage of the opportunities offered by digitization. Only those who are sure that they can fully determine how their data will be used will be willing to save their data in data clouds and share them with others," said Karliczek.

An organization for GAIA-X is to be founded in the first half of 2020, and there will be first applications by the end of 2020.

Privacy could empower the EU Cloud
The EU privacy regulation, GDPR, plays a key role when European companies look for a new cloud service. An EU cloud service based on GAIA-X would have some advantages when it comes to privacy. That is especially true when EU-US Privacy Shield cannot fulfill all the obligations asked of it by the EU privacy authorities.

As things stand, the EDPB (European Data Protection Board) still has a number of significant concerns that need to be addressed by both the EU Commission and the US authorities, as the Third Annual Joint Review report shows. The EDPB says that the same concerns will be addressed by the Court of Justice of the European Union in cases that are still pending before it.

EU Investigations into Microsoft services and the new Services Terms\r\nIn April 2019, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between them are fully compliant with data protection rules. The EDPS also considered whether there were appropriate measures in place to mitigate risks to the data protection rights of individuals when EU institutions use Microsoft products and services.

Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services. \r\nIn November 2019, Microsoft announced an update to the privacy provisions in the Microsoft Online Services Terms (OST) in the commercial cloud contracts. Through the OST update Microsoft wants to increase its data protection responsibilities for a subset of processing that Microsoft engages in when it provides enterprise services.

In the OST update, Microsoft clarifies that it assumes the role of data controller when it processes data for specified administrative and operational purposes involved in providing the cloud services covered by the contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combating cyber attacks on any Microsoft product or service; and complying with the legal obligations.

The change to assert Microsoft as the controller for this specific set of data uses should serve the customers by providing further clarity about how Microsoft uses data, and about the commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.

EU Cloud together with US cloud providers?
The European data infrastructure project GAIA-X focuses on the requirement of a European solution that is internationally compatible. Non-European partners are also welcome as they share the EU values and goals -- data sovereignty and data availability, says the German government.\r\n"In this context we need to ask ourselves carefully: Where do we have to protect our digital sovereignty, and where do we have to get it back?" said Achim Berg, president of Bitkom, Germany's digital association. GAIA-X should be pursued as a European project from the start. Additionally, its functionality, user experience and costs need to withstand market competition. "If GAIA-X is to be a success, the public sector needs to play a key role," said Berg.

And, for sure, the EU privacy regulation will play a key role, not only for partnering with GAIA-X, but also for offering cloud services in the EU in general. Large cloud providers like Microsoft have already reacted to this requirement of the EU market; others will follow soon.

— Oliver Schonschek, News Analyst, Security Now