High noon in the cloud: Gaia-X and the Lawful Overseas Use of Data


Like a gunslinger from the old Wild West, the US Cloud Act stands on main street and shouts, “Come out if you dare – unarmed and one at a time,” while Europeans stand at the windows and wave white flags. In certain circumstances under the Cloud (Clarifying Lawful Overseas Use of Data) Act, the US courts can demand the surrender of any personal data from American cloud providers, even if the data is stored on European servers and subject to European data protection regulations. In a pitiful display of appeasement, the EU attempted to use Privacy Shield, a data transfer mechanism agreed with the US, to try to protect citizens’ data from exploitation and intelligence agency snooping – which turned out to be absurd because many US companies, and possibly government departments, simply paid lip service to the agreement.

When the Trump administration took over, it placed America first and tightened the provisions of the Patriot Act, which was forged to fight terrorism after 9/11. Since then, American cloud providers in Europe have had to violate one or the other of these acts, and Privacy Shield has been a distraction too many for some.

In the end, it took Austrian data activist Max Schrems to get the European Court of Justice to take down the Privacy Shield. Since then, the situation has not changed much: the gunslinger is still standing on the main street while Europeans sit around the regulars’ table hatching new rules for handling data, data structures, and data analysis.

Privacy is the most unenforced right in Europe.

Max Schrems, Austrian cyber-activist

Gaia-X, launched as an alternative European cloud, is now only – or after all, depending on your point of view – a set of rules for handling data in the cloud, the first version of which was presented for discussion last year. This should lead to manufacturers having to provide users with details about which European standards have been met. Gaia-X will be analogous to food labeling, where suppliers provide information on shelf life, ingredients, and nutritional values. Gaia-X could at least become more meaningful by listing standards-compliance “contents” – but this will not drive the Cloud gunslinger off the main street. The content of the Cloud Act is unlikely to help Europe to recover its privacy independence.

Gaia-X could counteract a mostly unproven but constantly voiced reservation: the general suspicion that cloud providers are diverting and misusing their customers’ data for their own profit. However, there is a fundamental difference between professional cloud services, such as Deutsche Telekom’s T-Systems or Microsoft Azure, and data platforms, such as Google or Facebook, which see their customers as information suppliers and offer them cloud platform access at no charge in return for the disclosure of personal data.

Amazon is a special case here, because it straddles both worlds with Amazon Web Services (AWS) offering private professional cloud services on the one hand, while the Amazon retail platform allows the greatest possible sharing of consumer data on the other. This almost certainly contributes to the fact that the reservation of data misappropriation is constantly being revived.

Europe is now putting the brakes on the online platforms, under the leadership of the EU Commissioner for the Interior, Thierry Breton. The Digital Services Act is intended to create a basic service law for online platforms. It is formulated to update the provisions of the 20-year-old e-Commerce Directive, which was created under the conditions that prevailed prior to the dot.com bubble when the market-dominating platforms and business models didn’t exist.

Providers are already warning that the new etiquette rules could possibly lead to companies like Google, for example, not being able to display restaurant recommendations on its interactive area maps. This is because the Maps’ recommendations are based on an opaque algorithm that selects businesses according to criteria that are anything but objective – which will not meet the conditions of the Digital Services Act. It’s still early days and this may not be the case as the Act is more likely to be directed against hate speech, fake news, and election influencing.

In the field of artificial intelligence, too, Europeans are trying to map the world anew with ethically motivated sets of rules. The EU is effectively repositioning itself between the western data capitalism of the USA and the eastern data communism of China. It is an attempt to regain a sovereignty lost in the post-war order. This is also how the 14-page strategy paper of the German Social Democrats is being seen in view of other issues such as the ongoing debate about the European role in the North Atlantic Treaty and the proposal of a “28th European Army” alongside the 27 national armed forces.

Europe must first recover from its European nature. The attempts to create frameworks, first in Europe and then worldwide, are examples of this still-young, burgeoning longing for sovereignty. After all, the General Data Protection Regulation (GDPR) has already turned out to be an export hit and its content has been adapted and adopted in Japan and some Latin American countries.

It’s unlikely the gunslinger will be driven off the main street by all this. Perhaps it’s more likely that the Mandarin will be the one to stand up to him…
