Mehdi Paryavi is the Chairman and CEO of the International Data Center Authority think tank.
Every day we grow more reliant on technology. And the more we digitize our lives, the more data we produce — health records, financial information, buying habits, and so on. In fact, the amount of data handled by the internet continues to double every three years.
As governments across the developed world accelerate their digitization of public services in tandem — from health records to tax filings — their promise is faster, cheaper and more efficient services for citizens. In practice, however, things are much more complicated.
For example, the U.K. government’s new deal with Google will see vast amounts of public data stored on U.S. servers, while Microsoft recently said it “cannot guarantee” data sovereignty to customers in France — and by extension the rest of the EU — if the U.S. government demanded access.
This situation raises questions that affect every single one of us: Who has access to our digital footprint? Who actually owns this data? Who controls it? And how can people trust governments to protect them from intrusion into their private data?
Within the EU, the 2018 General Data Protection Regulation (GDPR) was enacted to address these very issues. And the measure is generally considered to be a success, having tightened the use of personal data by websites and companies in the U.S. as well as Europe. Legislation like the Data Sovereignty Act, the Data Act and the NIS2 Directive also stipulate EU control of data and prevent unauthorized international access.
But even these seemingly strong measures won’t stop all forms of privacy intrusion. And as the U.K. government seemingly works its way back into a tighter relationship with the EU, its agreement with Google is worth examining.
Announced in early July, the deal states that the U.S. tech giant will provide “free” technology to the U.K. government to modernize its outdated systems. According to the U.K. Secretary of State for Science, Innovation and Technology, more than 25 percent of public sector IT and as much as 70 percent of the so-called legacy systems running parts of the country’s National Health Service and police forces date back three to four decades.
Google wants to fix all this by replacing wheezing, inefficient technology with the latest cloud-based systems, and will provide hundreds of millions of pounds of in-kind services to do its good deeds. In return, it will be able to bid on future public sector IT projects, and benefit from the goodwill and better branding profile this will bring.
But is the U.K. government “dangerously naive” for turning the keys to the data castle over to Google?
One of the major worries here is vendor lock-in — that is, the reliance on a single vendor, which is headquartered in a foreign nation, for such a large and critical amount of the government’s computing systems. There’s also the specter of the U.S. government using its CLOUD Act to spy on and attempt to prosecute U.K. residents.
The CLOUD Act — which stands for the tortured nomenclature, Clarifying Lawful Overseas Use of Data Act — was written to “clarify” the circumstances under which U.S. companies must comply with requests for data from the government. It also created a framework for bilateral agreements with other countries to share data, which seems to counter GDPR protections, as well as the general EU spirit of protecting personal data from prying eyes.
Google has responded to all this by stating that all its technology will be under the control of the U.K. government, and that it will challenge any U.S. government efforts to intrude upon data privacy in the U.K. But is that enough to erase concerns?
Meanwhile, a new deal with Microsoft is raising similar issues within the EU. According to this agreement, Microsoft will invest as much as €5 billion to upgrade public sector IT across the bloc. And just like Google, it stands to benefit from better access to future public sector IT bids and the warm feelings that come from its largesse.
Potential vendor lock-in is, again, an issue here. But more profoundly, recent testimony by Microsoft France’s Director of Public and Legal Affairs Anton Carniaux revealed that the company could not guarantee that data can’t be exposed to the U.S. government by way of the CLOUD Act.
Carniaux’s testimony came after Microsoft outlined what it calls its “diversified” approach to sovereign cloud data centers in the EU. For instance, Microsoft plans to work with local companies Capgemini and Orange in France on a joint venture named “Blue,” which will be designed as a trusted cloud platform. And a similar sovereign cloud is planned in Germany, with SAP and Bertelsmann subsidiary Arvato Systems.
But in all of this, we can’t forget that the data generated by the citizens of these nations is invaluable for Big Tech. In today’s global economy, data is more valuable than gold, and it should be preserved as such.
That’s why at the International Data Center Authority, we advise government leaders to do their best to protect their national interests and the interests of their citizens. We also advise them to create trusted alliances with their economic peers on data and data rights, so there can be bilateral trade that both enables data sovereignty and is financially lucrative.
A nation might have technical challenges with regards to its data center and cloud infrastructure capabilities. It may be faced with financial obstacles in tackling these challenges. But giving up national computing resources to outside parties doesn’t warrant a visionary or long-term solution.
It’s also important to realize that tech giants have a bigger valuation and larger budgets than many nations around the world. Their buying power, lobby and influence are such that they can pull a wide spectrum of strings when negotiating deals. They’re also for-profit entities that will ultimately do what’s best for their stakeholders.
These companies are in constant search of resources like energy, water, land, human capital and friendly regulations. At the same time, they have a mandate to sell their services. And while the in-kind services to be provided by Google and Microsoft will improve the underlying IT infrastructure of many nations and foster goodwill, we can’t forget these companies must conduct a profitable business.
Free services aren’t free forever.
That means that for the world’s technology purveyors, any nation that’s struggling with its national computing capacities but can pay its bills on time is a prime prospect. They’re also interested in any country or region that has key resources but lacks the technological capacity to export advanced computing.
The U.K. and EU member countries meet this distinction, as do dozens of other nations across the world. On more than a few occasions, proud officials have told us that certain major vendors have agreed to talk to them about locating cloud services in their country. But these companies are motivated by creating new revenue and supporting market caps that now reach into the trillions of dollars.
The enormous pressures tech giants face to continue to grow and maintain their wealth shouldn’t be the concern of any government. Rather, it should be to serve their societies and preserve national security, intellectual property and individual privacy.
That’s where data sovereignty comes in.
Data sovereignty is the concept that each country maintains the data of its government, businesses and residents on its own local systems, and protects that information from foreign eyes. Today, data sovereignty is an integral part of national sovereignty. And the governments of the U.K. and the EU must not acquiesce to the wishes of big tech vendors — whether from the U.S. or anywhere else — if doing so weakens data privacy within their countries.
Additionally, it is essential for political leaders to understand that the physical borders of a nation define its data sovereignty. When it comes to digitized data, sovereignty and privacy must be governed by the bounds of cybersecurity and in the realms of the cyber world.
The idea of Google, Microsoft or any other large company having a presence abroad certainly isn’t new. But big tech companies are different from Coca-Cola, McDonald’s and Nike. They’re in the business of acquiring, refining and managing data — which can be extremely profitable.
It’s no surprise to see tech leaders hoping to create as much business as possible in a European economy that now collectively generates $25 trillion annually. But for governments, the privacy rights of their citizens and residents must come first.
Establishing trusted global alliances at the government level, ensuring the privacy and integrity of national data isn’t compromised, and being watchful in signing ambiguous agreements are vital.
Eternal vigilance is the price of maintaining data sovereignty.
www.politico.eu (Article Sourced Website)
#owns #controls #data