With the cloud having become the prerequisite way for doing most things online, the handful of companies that dominate the space hold significant strategic power. In most cases, the clouds in question are provided by a small handful of very large US companies - the household names we all know; Google, Amazon, Meta (formerly Facebook), Apple and Microsoft (collectively known as the “GAFAM” companies).
To the uninitiated, it can sometimes be hard to spot when we’re actually using a cloud; from the more visible clouds such as online storage, backup, email etc. to the less visible services powering the likes of Facebook, Instagram, Office applications, etc., clouds really are everywhere. However, it should greatly concern us that only a handful of companies dominate this space. The main problem with this entire service sector being dominated by US companies alone is that their data protection standards are far lower than those of the EU and UK, where the GDPR gives individuals significantly more protection over their data. Secondly, we should all be concerned about putting all our eggs in the same basket. Think about the recent outage of the Microsoft cloud, which affected users and business around the world, except China.
My data or yours?
It is important to remember what using a cloud service actually means, especially when the word “using” does such a poor job of conveying the full reality of the situation. When you use a cloud service, you are effectively giving your data to it. Oftentimes this data is very personal – photographs and videos of our loved ones, a company’s entire intellectual property, our thoughts and desires, our creative endeavours etc. Look at it this way: if the internet died tomorrow, who would own your data?
Regulatory convergence
Ofcom announced in September 2022 that it would investigate the position of the tech giants in the cloud services market. The authority recognises cloud as a critical component for the delivery of digital services and its central role in effective communication regulation. The proclaimed goal of Ofcom’s market study is to understand how the cloud market functions, and if it functions well for consumers.
For the European Union’s (EU) part, its recent Data Act is another step. The European regulators have criticised the existing options for moving data from one cloud service to another to be far from ideal.
Clearly the risks posed by a market dominated by a handful of US companies under one, fairly weak, regulatory framework has not gone unnoticed by regulators.
European data centres do not guarantee European data protection
Storing personal data outside the jurisdiction of the EU’s General Data Protection Regulation (GDPR), or its UK equivalent, is a risk to data privacy. This is because as soon as you upload data to one of the US-based cloud services, it comes under the jurisdiction of US data protection regimes.
According to US federal law, enforcement agencies can currently request US companies to pass user data to them, irrespective of whether it is being stored within the US or not. The user in the UK or the EU receives no formal warning that a foreign country’s authorities can access their data, without even specifying a reason, not to mention that absolutely no permission is ever requested from the user.
The EU Commission, the US and the UK governments are currently struggling to find a new solution for how companies can legally transfer personal data across European and UK borders to the United States. The former Privacy Shield mechanism was declared illegal by the European Court of Justice in 2020. The new Trans-Atlantic Data Privacy Framework (TADPF) now depends on the Executive Order (EO) issued by President Biden in October 2022. This Executive Order imposes some new restrictions on US intelligence activities and offers British and the EU citizens the possibility to call the newly-established “Data Protection Review Court” (DPRC) to investigate and resolve complaints regarding access to their data by US national security authorities. However, there is not a lot of optimism among data protection organisations such as Max Schrem’s Nyob or the American Civil Liberties Union (ACLU) that this can somehow close the fundamental gap between the European and the US-American understanding of real data protection. Even if the UK government and the EU Commission decide that the new terms are meeting the high GDPR standards, the new framework will probably be challenged and overruled by courts yet again.
Our cloud, our data
As internet users and businesses upload more and more of their most personal and sensitive data to cloud providers, the issue of data protection and safety becomes more significant than ever. Relying on the most convenient solution becomes, unfortunately, not the wisest choice.
Consumers need real European and UK alternatives to what the US GAFAM companies have to offer. Changing habits takes time, but users need to become better educated about what is really happening to their data when they share it with a US-based cloud company. If the cost of the convenience was made more explicit to consumers, I believe they would be more inclined to choose European alternatives.