Cloud computing is at a critical juncture. Millions of companies now use it to store data and run applications and services remotely. This has reduced costs and sped operations. But a new trend threatens the benefits that cloud computing has unlocked.
“Digital sovereignty” describes the many ways governments try to assert more control over the computing environments on which their nations rely. It has long been a concern in supply chains, affecting the kinds of hardware and software available in a given market. Now it’s coming for the cloud.
Governments around the world are passing measures that require companies to host infrastructure and store certain kinds of data in local jurisdictions. Some also require companies that operate within their borders to provide the government with access to data and code stored in the cloud.
This trend, especially when applied unilaterally, erodes the fundamental model of cloud computing, which relies on free movement of data across borders. A cloud user or provider should be able to deploy any application or data set to the cloud at any time or place. And customers should be able to select the provider that can best meet their needs.
If we allow the principle of digital sovereignty to encroach further, cloud service providers will be bound by national interests, and consumers will bear significant costs. Power will be further concentrated in the hands of a few large players. And fragmentation along national lines will make it harder for anyone to solve global problems that rely on interoperable technology.
Pay to play
While the cloud and cloud-based services are theoretically available to any company in the world with internet access, digital sovereignty makes it increasingly difficult for companies in many countries to harness this powerful technology.
In Europe, concern about the dominance of US and Chinese cloud service providers has sparked efforts to create a European cloud. The GAIA-X project, for example, aims to direct European companies toward domestic cloud providers. Moreover, measures like GDPR, with its focus on data governance, give an advantage to European providers that might not otherwise be competitive.
China has long required that cloud infrastructure be hosted in China by local companies. In fact, China’s Cybersecurity Law mandates that certain data be stored on local servers or undergo a security assessment before it’s exported. A Personal Information Protection law, which is still in draft form, goes a step further by stating that China’s data rules can be enforced anywhere in the world if the data at issue describes Chinese citizens. This law would also create a blacklist prohibiting foreign entities from receiving personal data from China.
Now the United States is beginning to advance its own version of digital sovereignty. Secretary of State Mike Pompeo’s Clean Network Initiative would prohibit Chinese cloud companies from storing and processing data on US citizens and businesses. And while the Biden administration will likely roll back many actions taken under President Trump, the prospect of compelling ByteDance to sell TikTok to Oracle or run its US operations through a local partner remains on the table. This could set a dangerous precedent: the US government would be mirroring and legitimizing China’s cloud regulations, which require foreign providers to enter the market only through joint ventures with Chinese companies that own majority shares.
And in South Africa, a 2018 guideline from the South African Reserve Bank set up an approval mechanism for institutions seeking to use cloud computing, indicating that bank supervisors would “not be agreeable” if data were stored in a way that might inhibit their access to it.
If some variation of the TikTok/Oracle deal becomes the norm, it will set the stage for more governments to demand that technology providers sell a stake to a local entity, or operate through one, in exchange for market access.
Advocates of this approach argue that some degree of data sovereignty is inevitable. They say that the global internet still functions in the face of these rules, and companies continue to profit and innovate. But the fact that some companies continue to prosper under these conditions is not a persuasive argument for imposing them in the first place.
A global cloud
The trend toward digital sovereignty has unleashed a digital arms race that slows down innovation and offers no meaningful benefit to customers.
Companies like Amazon and Microsoft may well be able to afford to keep expanding their cloud computing platforms into new countries, but they are the exception. Thousands of smaller companies that provide cloud services on top of these platforms don’t have the financial or technological wherewithal to make their products available in every data center.
In Europe, for example, the GAIA-X project may only strengthen the large incumbents. And in China, the vast majority of foreign software providers have decided not to make their cloud services available there because the hurdles are too formidable. This does both Chinese customers and foreign technology providers a disservice. It also unwinds all the economic and security advantages of a global cloud.
What’s needed is for different countries to collaborate on common standards, agreeing to a set of core principles for the cloud and norms for government access to data stored there.
The OECD, for example, could do this by building on its existing privacy guidelines. The OECD’s Global Partnership on AI is one example of an initiative in a related technology area that brings together many stakeholders to develop policy.
As a starting point, the coalition could focus on a narrow subset of commercial data flows and corresponding use cases (such as those involving internal company personnel information, or cross-border contracts). Recognizing the concerns behind the drive for digital sovereignty—which may include political security, national security, and economic competitiveness—could help lay the groundwork for such an agreement. One approach might be to offer incentives for those companies that participate in such a coalition, but without blocking data flows to those that do not.
Finally, organizations such as the Cloud Security Alliance and the Cloud Native Computing Foundation can help find ways for the private sector to use cloud computing globally without being stymied by the whims of digital sovereignty.
The rules we establish today for governing cloud computing will shape the internet for years to come. To keep the benefits of this powerful technology widely available, let’s stop digital sovereignty from encroaching further still.
Michael Rawding is the founding partner of GeoFusion and the former president of Microsoft Asia. Samm Sacks is a cyber policy fellow at New America and a senior fellow at Yale Law School’s Paul Tsai China Center.
Disclosures: This article references Microsoft, which funds work at New America but did not directly support the research or writing of this article. Microsoft is a client of GeoFusion.