Sovereignty and cloud, what's the connection?

28/06/2021 by Benjamin Bayart
Tags: Cloud & Platform

The notion of a “sovereign cloud” appeared in French politics around ten years ago. Launched by President Sarkozy at the digital G8 meeting in Paris (the e-G8 of 2011), it was closely linked to the idea of "civilising the Internet". At the time, this notion depicted the Internet as a Wild West, a primitive zone populated by barbaric natives, the Internet users, where the presence of the State was sorely needed to improve and civilise this dodgy place.

These days the term is coming back, but its message has changed. The idea of “civilising the primitive people of the Internet” has gone out of fashion. It now refers to applying European standards and laws to what happens online, and in particular the European standards on data protection, which are more demanding than the American ones. The question, in short, is being taken more seriously.

This paper sets out to put all this into a longer perspective: to look at what ‘sovereign digital technology’ means in Europe, in order to understand where we are heading, and from there to look at the consequences for digital companies and at how prosperity can be created in the European digital economy.

Personal rights in digital Europe

Over the last ten years, the European legislator has passed several texts that affect digital law. Two of these texts are particularly interesting: the GDPR (Regulation (EU) 2016/679) and the European regulation on net neutrality (Regulation (EU) 2015/2120).

In both cases, the texts relate more to the protection of individual rights than to business law, trade regulation or contract law. They establish the protection of citizens and some of their fundamental rights as a principle, and derive from it a number of constraints for the business world.

Indeed, the GDPR establishes the principle that individuals have a non-transferable and inalienable right to have their personal data protected from abuse. This is not a protection of property, like the protection against theft, but rather something like the right to be protected against physical assault: someone using your personal data in a way you have not consented to is treated, legally, in a way similar to someone assaulting you. That is why it is treated as a human right, in other words a right of natural persons, which means that corporations (legal persons) cannot have “personal data”. From the nature of this right derives a strong inherent responsibility for companies and for legal entities at large, including public authorities, whenever they process personal data. This is an obligation of means as well as an obligation of results.

For its part, the regulation on net neutrality also sets out fundamental rights of citizens (access to information, the ability to disseminate information and opinions, etc.) as its foundation stones. Notions from competition law (infringements of net neutrality that aim at distorting the market are sanctioned) further come to support these rights. All this leads to strong regulatory constraints on network operators, and to regular controls associated with these obligations. The role of regulatory authorities, and their independence, was given a new centre of gravity: they are no longer only in charge of the economic regulation of the telecom market, but also in charge of protecting certain fundamental rights. With this, the paradigm of telecom regulation has shifted from the economic regulation of markets, which protects consumers, to the protection of society and of the fundamental rights of individuals.

This lays down the first, fundamental paradigm: human rights as a strong reference point for defining the digital market in Europe.

The case law of the CJEU

The Court of Justice of the European Union (CJEU, the supreme court in matters of European law, to which all national supreme courts must refer when it comes to how EU law is to be applied in a Member State) has in recent years issued decisions that all point, more or less, in the same direction for digital law: the protection of the rights of the individual.

When Europe laid the foundations of personal data protection, long before the GDPR, the American case soon posed a problem: it was not clear whether American law protected Europeans as well as European law did. An arrangement was therefore agreed between the USA and Europe, recognised by a European Commission decision in 2000, under which American companies certifying their adherence to a set of principles were deemed to offer a safe haven for European data, hence its name: “Safe Harbor”.

The first resounding decisions: in April 2014 (Digital Rights Ireland, C-293/12) the CJEU invalidated the 2006 directive that organised the retention of metadata by telecom operators (who calls whom, when, from which location, etc.), on the grounds that the directive did not comply with the Charter of Fundamental Rights of the Union (it did not protect data, and therefore citizens, sufficiently). Then, in October 2015 (Schrems I, C-362/14), it invalidated the Safe Harbor, explaining that American law was not protective enough, and that the arrangement dating from 2000 did not provide any additional protection. And that, therefore, the United States was not a “safe haven” for European data.

The reaction at the European Commission was very strong, and it urgently launched the preparation of a new, supposedly much more restrictive, international agreement. The Commission wanted the free flow of data between the two continents to continue at all costs. Drafted in a hurry (a few months for an international agreement is exceptional), a political agreement was reached in February 2016, and in July 2016 the full version of the Privacy Shield was adopted; it was intended to be a “protective shield” for European data in the United States of America.

This agreement was immediately challenged in court, but it took time for the proceedings to reach the CJEU. Barely four years after it was signed, in July 2020 (Schrems II, C-311/18), the CJEU invalidated the Privacy Shield, with a formidable argument: US law was not compliant, and since the agreement did not modify US law, the processing of Europeans' personal data taking place under US jurisdiction could not be considered compliant.

In a second part of its judgment, the CJEU indicated that the standard contractual clauses provided by the European Commission did comply with EU law, while adding that the data exporter must verify, case by case, that the law of the destination country actually allows those clauses to be honoured. This is sometimes mistakenly believed to be the provision that saved the day for the big American platforms: they could no longer rely on the international agreement, but they just needed to include the right clauses in their contracts, and that was it.

This analysis is too quick: the European texts say that, as regards the international circulation of personal data, a transfer is possible in three cases, and three cases only (leaving aside the narrow derogations of Article 49 GDPR, such as explicit consent for an occasional transfer):

  1. if the level of protection in the other country complies with European standards, and the European Commission formally recognises this (an adequacy decision, which is what the Safe Harbor and Privacy Shield decisions were);
  2. if the level is insufficient (for example, if there are no rules protecting personal data in that country), but the companies operating the transfer include standard clauses in their contracts whereby they undertake to guarantee a level of protection similar to the European requirements;
  3. if the data is internal to a company and the company undertakes to guarantee a level of protection in line with European standards through its own management rules, the so-called binding corporate rules (this is the case, for example, for the personnel files of multinational companies).

What the CJEU said could be summarised in two independent points:

  1. there is a body of US law governing access to personal data (in particular the surveillance laws), and this law is fundamentally incompatible with EU law;
  2. contractual clauses are valid, and may be sufficient, in countries where no law stands in their way (for instance, countries that simply have no personal data law).

What the CJEU stated implies that these contractual clauses cannot be sufficient for an American company, unless that company undertakes by contract to violate US law. Yet such a contract would be illegal. (Signing a contract by which you commit to violating the law is, as everyone knows, pretty much the definition of a criminal conspiracy.)

The effects of this decision are still unclear, but it is certain that they will be far-reaching. It is now certain that any transfer of personal data that places it under US jurisdiction is incompatible with EU law. The remaining question is whether servers operated in Europe by a US company are affected by this ban. It is here that our topic, the question of the cloud, arises.

The bold analyses say that yes, American law applies to American companies wherever they operate in the world, and in particular certain texts that organise the interception of content by the American intelligence and security services (NSA, FBI, CIA, etc.), notably Section 702 of FISA and the CLOUD Act. This is, for example, the meaning of the ‘opinion’ issued by the CNIL (the national regulatory authority for personal data protection in France) in October 2020 in the case of the Health Data Hub (the health data platform intended to group together the health data of every French citizen). This is also the sense of the decision taken in February 2021 by the CNAM (the French national health insurance fund) to refuse to transfer its data to the Health Data Hub as long as its servers are operated by Microsoft, even though these servers are located in Europe.

Another interesting fact is the European Commission's relative lack of reaction. When the Safe Harbor was struck down, the Commission very quickly jumped on the bandwagon, with a very proactive posture embodied in the mantra “Data must flow”, and set about preparing the successor to the invalidated act. By contrast, when the Privacy Shield was struck down, the Commission took note but did not rush to replace the invalidated act. The strategy has clearly changed. The European context has changed. The two regulations on personal data and net neutrality have gained weight. The EU had started to think in terms of a European economic strategy, and no longer as an instinctive reaction to a decision imposed on it.

Other CJEU rulings on the retention of metadata by telecom operators for police and judicial purposes have confirmed this strict reading of the application of the Charter of Fundamental Rights. The 2006 directive organising this retention was overturned in 2014: the CJEU ruled that it is contrary to the Charter to impose a preventive retention of all citizens' connection data “just in case”. This prohibition was confirmed in December 2016 by the Tele2 Sverige judgment, which upheld the prohibition of general and indiscriminate retention. It was confirmed a third time in October 2020, in the La Quadrature du Net and others ruling, where the court even sets out typologies of data retention, with specific durations and the associated missions of general interest, while some twenty EU Member States were asking the CJEU to change its case law on the matter. This forms a strong position. The defence of fundamental rights has become a structuring element of European law, including in the field of digital and economic regulation.

Two lines converge here. On the one hand, the CJEU is seizing upon the Charter of Fundamental Rights to strengthen the protection of the fundamental rights of Europeans, including in the application of texts that are perceived as rather business-oriented. On the other hand, the European Commission is seizing upon the defence of European values in the digital environment to draw up an economic and digital strategy.

Recent directives

This strategy is also reflected in the draft texts on digital issues submitted by the European Commission, which are now entering the legislative process (a long and somewhat tortuous procedure, but the chosen angle is instructive). These texts all adopt the angle of European sovereignty over digital issues. And this sovereignty takes as its cornerstone the defence of individual rights, and thus of personal data. The central axis is no longer competition or the opening up of markets, but a wider perception of the role of digital legislation in protecting the human rights of European citizens.

The question of sovereignty has completely changed its angle since the Sarkozy proposals. We have gone from a sovereign’s desire to impose order on a place felt to be turbulent (“civilising the Internet users” was the mantra of this approach) to a continental power that intends to enforce its rules, and nothing but its rules, without letting itself be fooled, and to protect its economy through the protection of its residents.

We can usefully return to a little elementary macro-economics. One euro of imports means rising unemployment. One euro of exports means falling unemployment. If you think about it in terms of euros, it looks like this: when you import a garment, only the margins of the importer and the retailer are added value in the local economy; if you import the fabric, then the added value of the garment factory also goes into the local economy; if you import the yarn, then the added value of the weaving mill goes in too; if you import the raw material, then the added value of the spinning mill goes in as well; and if you grow the cotton, flax or wool locally, then even the added value of the farmer goes in.

If you think about it in terms of where jobs are located, you get exactly the same result: a bad, expensive product, produced locally, leads to a more prosperous economy than a good, cheap, imported product. All economists have known this since at least the end of the 19th century.

It is elementary macro-economics to want the growth linked to digital technology to take place, as much as possible, in the European economy.

The jurisprudence of the CJEU, which says in law what computer scientists have been saying in practice for years (that the rule which actually applies is that of the United States, and that “code is law”), comes under the simplest definition of sovereignty: the question is whether the law that prevails, the one that applies first and foremost, is European law or a law decided and voted elsewhere.

What about the sovereign cloud?

The sovereign cloud that President Sarkozy was talking about was a cloud pushed by the State, steered by the Government, even if it was entrusted to private players with large subsidies.

The one taking shape here is totally different: it is a cloud whose legal regime is decided in Europe, and not elsewhere, and for which we want as much as possible of the corresponding economic activity, and ideally part of the associated research, to deliver its added value in the European economic area, and not elsewhere.

For digital companies used to dealing with the three major American players in the sector, this is a complication. You have to change your habits, look at other products, other suppliers, other technologies. One has to admit that these giants have developed beautiful products and that they have the means to improve them regularly. Using something else is not necessarily worse, but it is inevitably less comfortable.

The fact remains that if the digital industry is reluctant, drags its feet, prefers to leave everything on AWS, GCP or Azure while waiting to see whether the CNIL imposes a sanction, then the game is over. The European companies that have made the agile choices, cloud and elastic platforms consumed as services, will be in a difficult position for a while. And Europe's governments cannot sanction every company in a landscape where no other choice is realistic for deploying modern infrastructure.

But if, on the other hand, the digital industry in Europe decides to take a chance, to develop offerings that are perhaps a little less flamboyant but are at least economically focused on Europe, and whose legal regime is entirely European, then it could be a winning strategy. It is a boost to economic activity that will make the digital industry in Europe thrive, instead of being confined to the roles of reseller and integrator of US technologies. And above all, the European texts, and the jurisprudence that goes with them, create a hyper-protective and hyper-favourable regulatory environment. Protective of people's rights, since that is how these texts are enshrined in law, but also protectionist for companies, since it is impossible for American or Chinese companies, bound by their own national laws, to match the level of protection required.

We are talking about protectionism here. Protectionism is usually done through tariffs, or by imposing regulatory barriers through technical standards (e.g. a different model of electrical plug slows down imports, especially if the standard is changed often). The European approach is apparently to practise protectionism through the protection of people's rights. It is a new angle, but basically it is regulatory protectionism: the EU imposes a regulation that the European industry respects by default and that other industries find difficult to respect. And we know that regulatory protectionism is effective.

But then, how do you do it?

That is not really the subject of this paper, and how to do it is a vast and complex subject. The fact is that cloud providers in Europe have a lower-quality offering. Or, to put it another way, the cloud giants are giants: they have a tremendous capacity to invest in the development of their tools, which allows them to have good tools, which makes them giants, and so on. Creating a European giant from scratch is a tricky, old-fashioned, planned-economy solution. It may be possible in theory, but it is not the current European approach to the economy. Hoping that one of the European players will be able to grow sufficiently on its own is also rather illusory, as none of them is the biggest or most advanced in this market, and it is unlikely to dethrone the existing giants in this way.

The most promising approach is probably the ecosystem approach. Have our cloud providers increasingly use interoperable systems, publish their developments as free and open-source software, agree to reuse each other's technologies, and conversely accept that their competitors will benefit from their advances. This is not a disconnected ideological position; it is, for example, what is done with Linux, Ansible or Kubernetes. Everyone uses them. Everyone contributes to them. And nobody thinks that their small contribution is a gift to the competition. Or, more to the point, no one thinks that any more. It was in vogue in 1998; it is now considered archaic.

Here we are probably at what economists call a Nash equilibrium, and a bad one: a point where, as long as everyone plays a selfish game, nobody has any individual reason to change and everyone remains a loser, stuck in a kind of mediocrity against the giants, whereas if everyone played a virtuous, collaborative game, everyone would emerge bigger and stronger. Game theory tells us that the move from the bad equilibrium to the good one generally requires the intervention of a regulator, because the market on its own cannot get out of it. The aligned positions of the European Union can be seen as precisely that intervention of the regulator. It is up to the players in the European digital economy to seize it.

Public procurement must also play a role, because it is a powerful lever for supporting a solution. But it must support an open solution, one that allows a rich ecosystem to develop, as opposed to the inward-looking attitude we hear in “sovereignty” when it is taken to mean a narrow digital nationalism.

In conclusion

The subject of the sovereign cloud is indeed a strategic choice for the digital industry in Europe. We can choose a digital economy that is better off in Europe because it has chosen to protect people, and rely on this regulatory protectionism to progress, rather than fight against it in the hope of sharing in the prosperity of the cloud giants.

The first thing we need to do is to stop seeing these protections as a painful constraint and see them instead as a tremendous opportunity. And seize that opportunity, collectively, to move forward. It cannot all be done at once; it is too big, too complicated. But to procrastinate, to delay, to wait for others to make the first move, is to guarantee the dominant position of the American giants and to accept that there cannot be a serious digital economy in Europe.