We need alternatives to the US cloud now

We need alternatives to the US cloud now

Image:
We need alternatives to the US cloud now

'It should concern us greatly that only a handful of companies dominate this space, and they all originate from one country'

Cloud has become the prerequisite way of doing almost anything these days; whether that be online, on the move, or at our desks.

A recent outage of Microsoft Azure affected users and business around the world (apart from China), who rely on the company's Teams and Outlook. To the uninitiated, it can sometimes be hard to spot when we're actually using a cloud; from the more visible clouds such as online storage, backup, email, etc. to the less visible services powering the likes of Facebook, Instagram and Office applications, clouds really are everywhere.

However, it should concern us greatly that only a handful of companies dominate this space, and they all originate from one country.

If the internet died tomorrow, who would own your data?

The bulk of the clouds we use are provided by the five so-called GAFAM companies: Google, Amazon, Meta (formerly Facebook), Apple and Microsoft. While it is a competitive space, these companies work hard to direct users to their clouds over others and will leverage any competitive advantage they can. Google, Microsoft and Apple, for example, integrate their own clouds directly into their operating systems, making it more difficult for users to choose an alternative.

Whose data is this?

Why should we care? The main problem with the entire sector being dominated by this handful of US companies is that there are serious doubts about how their data protection standards meet those of the EU and UK.

It is important to remember what using a cloud service actually means. The word "using" does not describe the complete reality of the situation. When you use a cloud service, you are effectively giving your data to it. Oftentimes this data is very personal - photographs and videos of our loved ones, a company's entire intellectual property, our thoughts and desires, our creative endeavours. Look at it this way: if the internet died tomorrow, who would own your data?

Emerging doubts

The risks posed by a market dominated by a handful of US companies under one, fairly weak, regulatory framework has not gone unnoticed by regulators. Ofcom, the UK's communications regulator, for example, announced in September 2022 that it would investigate the position of the tech giants in the cloud services market. The authority recognises cloud as a critical component for the delivery of digital services and its central role in effective communication regulation. The proclaimed goal of Ofcom's market study is to understand how the cloud market functions, and if it functions well for consumers.

The European Union's recent Data Act is another step, where the European regulators have criticised the existing options for moving data from one cloud service to another to be far from ideal.

The persisting US data privacy deficit

While UK and European users are theoretically protected by the GPDR, as soon as you upload data to one of the US-based cloud services, it comes under the jurisdiction of different data protection regimes. Storing personal data outside the jurisdiction of the EU's GDPR or its UK equivalent, seriously erodes data privacy.

According to US federal law, enforcement agencies can currently request US companies to pass user data to them, irrespective of whether it is being stored within the US or elsewhere. The user in the UK or the EU receives no formal warning that a foreign country's authorities can access their data, without even specifying a reason, not to mention that absolutely no permission is ever requested from the user.

The EU Commission, US and UK governments are currently struggling to find a new solution for how companies can legally transfer personal data across European and UK borders to the United States. The former Privacy Shield mechanism was declared illegal by the European Court of Justice in 2020. The new Trans-Atlantic Data Privacy Framework (TADPF) now depends on the Executive Order (EO) issued by President Biden in October 2022. This EO imposes some new restrictions on US intelligence activities and offers British and the EU citizens the possibility to call the newly-established "Data Protection Review Court" (DPRC) to investigate and resolve complaints regarding access to their data by US national security authorities.

However, there is not a lot of optimism among data protection organisations such as Max Schrems' nyob or the American Civil Liberties Union (ACLU) that this can somehow close the fundamental gap between the European and the US-American understanding of real data protection. Even if the UK government and the EU Commission decide that the new terms are meeting the high GDPR standards, the new framework will probably be challenged and overruled by courts yet again.

Our data in our hands

Clearly, there is a very bright future for the cloud as both a consumer and business application. There is simply no other kind of data storage that can provide such flexibility and convenience. But as internet users and businesses upload more and more of their most personal and sensitive data, the issue of data protection and safety becomes even more significant. Relying on the most convenient solution becomes, unfortunately, not the wisest choice.

Consumers need real European and UK alternatives to what the US companies have to offer. Changing habits takes time, but users need to become better educated about what is really happening to their data when they share it with a US-based cloud company.

If the cost of the convenience was made more explicit to consumers, I strongly believe they would be more inclined to choose European alternatives.

Jan Oetjen is CEO of GMX and mail.com and chairman of the board of trustees of the European netID Foundation.

Computing's Deskflix: Hybrid & MultiCloud event will explore issues of cloud diversification. Join us online on 22nd February.