Some sage advice for EU nations attempting to get a handle on the vast volumes of EU citizens’ data being held in US-owned and operated clouds.
Rumor has it that over 90% of Europe’s cloud infrastructure is controlled by US companies. If that’s the case, there’s an awfully large amount of data belonging to European administrations, citizens, and companies that US law enforcement can access thanks to the US Cloud Act.
Concern over this situation has been growing across Europe since well before the new US administration started making it very clear that it doesn’t care about eight decades of civil coexistence between Europe and the US.
Examples of this concern can easily be found on the internet:
- The Dutch Centre of Excellence for Data Sharing and Cloud vigorously promotes the necessity to move towards a European federated cloud infrastructure.
- The Swiss government committed $231 million in 2023 to build a national cloud service designed to keep sensitive governmental data within its borders.
- The official commission that since 1978 safeguards digital privacy and rights of French citizens, in 2024 called for wider European adoption of the French SecNumCloud certification, just to protect European sensitive data stored by companies subject to non-European law.
- The GAIA-X project, started in 2019 by France and Germany, aims to create a federated, secure, and sovereign digital cloud infrastructure for Europe.
- Even the EU Parliament has been working on this front, from warnings by individual MEPs (members of parliament) about the excessive influence of major US tech companies to regulations like the Digital Markets Act.
All in all, it seems there’s enough awareness and efforts underway to achieve cloud independence and real data sovereignty in Europe, doesn’t it?
Not necessarily. These and many other similar initiatives across Europe are well and good, but the question is: are they enough to achieve meaningful cloud independence and data sovereignty in Europe, in ways and at levels that will really matter?
That’s far from certain. The most obvious problem — which would result in a waste of time, money, and good will — would be in not going 100% for free/open source software and, even before that, for establishing truly open digital standards. Sharing and reuse of software, as well as adoption of standards, are essential to make large-scale, multi-faceted projects like these succeed, but so far these different projects and approaches seem to be each going their own way.
The proposed initiatives also seem to have two more serious weak spots.
One thing that worries me is that these initiatives tend to be top-down-only solutions that are not integrated into wider strategies that involve all citizens. While top-down coordination and regulation at the EU level is absolutely necessary, it won’t make a real difference unless it’s coupled with — just to name a few things — citizen participation, serious digital education, and (hopefully) an explicit prohibition against using proprietary, non-EU-compliant systems in certain contexts such as schools, or official political communications. In a worst-case scenario, top-down deployment of European clouds will only replace one controlling exploiter for another.
Even worse is the fact that every proposed project is more or less forbidden to hurt GDP growth, if not explicitly required to contribute to it. This is incompatible with “data sovereignty” as I like it, no matter who does it or which software licenses they use.
I say this because when it comes to digital services, the need to make as much money as possible unavoidably creates another need, which is to collect and process as much data as possible. On one hand, such a need would have serious environmental and geopolitical consequences for a Europe that is already failing to control e-waste and has barely started to make its own microelectronics.
On the sovereignty side, even if it had no material impacts, unrestrained data generation and collection could only happen by tolerating, if not outright encouraging, all-around surveillance or services deliberately designed to be as addictive as TikTok, Facebook or Instagram.
Were it left to the private sector, the end result of deploying European clouds and software services that are designed or required to increase GDP, would end up being a mere replacement of American corporations with European ones that would be just as unaccountable, and have the same effects on public discourse, mental health and privacy.
If governments were in charge, it could be even worst. Even if those clouds and services were managed with the best intentions in the world, by transparent and actually accountable governments that I could vote out of office, I wouldn’t want them to be sovereign over data that shouldn’t exist at all in the first place, or at least, or at least should never be aggregated on any cloud.
Summing up, while 100% European clouds and digital services are urgently needed, they will make Europe a better place only if they are much smaller and much less hungry for data than the clouds and services they will be replacing.
Marco Fioretti is an aspiring polymath and idealist without illusions based in Rome, Italy. Marco met Linux, Free as in Freedom Software, and the Web pre-1.0 back in the ’90s while working as an ASIC/FPGA designer in Italy, Sweden, and Silicon Valley. This led to tech writing, including but not limited to hundreds of Free/Open Source tutorials. Over time, this odd combination of experiences has made Marco think way too much about the intersection of tech, ethics, and common sense, turning him into an independent scholar of “Human/digital studies” who yearns for a world with less, but much better, much more open and much more sensible tech than we have today.
