In many jurisdictions, organizations are now required to store user data in the country where it’s collected and where its users live, which creates an enormous technical problem. A sovereign cloud might be the solution.
In a spate of announcements over the summer, Red Hat and Accenture said they’d extended their 12-year cloud partnership to pursue more innovations in hybrid cloud. But the smallest part of their announcement—that they’ll collaborate on new products for the sovereign cloud—is one of the most interesting, as it’s an area of data privacy that’s churning with regulation and controversy.
In a statement, Raj Wickramasinghe, emerging platform lead at Accenture, said: “Organizations are increasingly turning to hybrid cloud to help overcome complex challenges around core business functions like customer service and supply chain and to drive growth and innovation. Through our expanded alliance with Red Hat, we can further help clients embrace the cloud continuum to enable greater operational efficiency and drive innovation.”
That sets the stage nicely for the idea of the sovereign cloud, which addresses how multinational organizations handle user data when deploying applications on one of the public cloud providers, like Google, Amazon, or Microsoft. In many jurisdictions, organizations are now required to store user data in the country where it’s collected and where its users live, which creates an enormous technical problem: How do you aggregate and analyze user data that is split across dozens of separate, jurisdiction-bound data stores?
The sovereign cloud is less about those individual data stores than about the interconnectivity between them: a layer where data can flow freely and legally in a way that still enables viable applications for global audiences.
Red Hat and Accenture are adding a layer of open-source technologies and services to their sovereign cloud research and development, an approach they expect to appeal to regulators and governments in the years to come.
As soon as an organization accepts users from beyond a single country, it must start paying attention to the complex network of data privacy and security regulations. Aside from putting its reputation on the line, failure to comply with data regulations can result in massive fines; well-known companies like Amazon, WhatsApp, and Google have all been fined hundreds of millions of dollars for GDPR violations.
The US, UK, and EU already have multiple regulations, with precedent-setting rulings, updates, and new initiatives always on the horizon.
The US has the CLOUD Act, which compels US public cloud providers to hand user data over to a government entity or law enforcement agency that requests it via a warrant, subpoena, or court order, regardless of where the provider stores that data. That sounds simple enough, but when the requested data is stored in another country, the request can conflict with that jurisdiction’s own requirements.
That’s one of the ways the CLOUD Act conflicts with the EU’s General Data Protection Regulation (GDPR), which is perhaps the most well-known regulation, as it’s already caused lots of headaches for developers around storing personally identifiable information (PII) and, together with the EU’s ePrivacy Directive, is why you see so many cookie consent banners on the websites you visit, particularly if they’re based in the EU. Under the GDPR (Article 48), a cloud provider may act on a non-EU court order or administrative decision demanding personal data only if that order is based on an international agreement, such as a mutual legal assistance treaty, rather than on the foreign law alone.
With these regulations at odds with one another, it’s not entirely clear what a cloud provider would do, for example, if the Securities and Exchange Commission got a court order to hand over user data that’s stored in Germany.
The landscape is dotted with other regulations that make it even harder to track and understand. Schrems II, a judgment the Court of Justice of the EU handed down in July 2020 (and which applied to the UK as well), requires organizations that transfer personal data to a non-EU country under Standard Contractual Clauses to assess, transfer by transfer, whether the destination country protects that data to a standard essentially equivalent to the EU’s. The goal was to ensure the target country adheres to EU standards on data and privacy, but the same judgment also invalidated the EU-US Privacy Shield, ending any hopes of an open US-EU data highway.
Like the CLOUD Act, the UK’s Crime (Overseas Production Orders) Act 2019 (the COPO Act) allows UK law enforcement to compel non-UK companies to hand over user data.
Staying compliant with these conflicting rules is an enormous challenge for organizations and the public clouds they use to deploy applications and store user data, and an area that’s overdue for concerted R&D.
Organizations can build a “homegrown” sovereign cloud today by working with smaller regional storage providers in each target jurisdiction, or by deploying their own on-premises private cloud storage in every country where they do business. Either way, the organization takes on the burden of operating, securing, and auditing a separate data store per jurisdiction.
Virtual data spaces are another burgeoning answer to this problem. If multiple trusted organizations partner on establishing and maintaining the same high standards for storing and sharing data, they can exchange data while staying within US, EU, and UK regulation. User data is never stored centrally in these spaces and is shared between partners only when absolutely necessary.
On that front, GAIA-X is developing a federated European data infrastructure through a network that links many public clouds together. The goal is a European public cloud that respects the digital sovereignty of its users based on transparency and openness. Public cloud providers will have to commit to participating, but GAIA-X already has support from BMW, Deutsche Telekom, SAP, Siemens, Scaleway, and others.
As the general public becomes more aware of digital sovereignty and fines continue to stack up, this issue will only get messier, more complicated, and a lot more prominent. Given that Red Hat and Accenture have announced nothing concrete, they’re likely years away from a plug-and-play solution, which would do wonders for startups and small or midsize businesses that don’t have enterprise-sized wallets.