An ambitious German- and French-led European Union (EU) initiative could wrest tighter management, and eventually control, of data from commercial cloud providers.
The project, dubbed “Gaia-X,” is also intended to offer firewall-like protection for data sources from the EU. The initiative could have repercussions on how DevOps teams from outside of the EU manage data from European users, as well as from operations they might have that are physically based in EU member states.
Without specifically citing U.S. cloud giants such as Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure, German and French government officials said the initiative will allow organizations’ cloud data to benefit from EU sovereignty and security. Bruno Le Maire, France’s minister of the economy and finance (Ministre de l’Économie et des Finances), said during a televised Franco-German conference last week, for example, that Gaia-X would offer significantly more data protection for data stored on cloud services from EU organizations and users.
Although the General Data Protection Regulation (GDPR) mandates rules that EU and international firms holding user data from EU member state sources must follow to avoid the risk of heavy fines and other penalties, the EU still lacks sovereignty in the application of GDPR, Le Maire said. Data stored on a U.S. cloud service provider’s server in the U.S. or overseas, for example, is still accessible by U.S. law enforcement officials in some cases under the Clarifying Lawful Overseas Use of Data (CLOUD) Act.
Le Maire did not disclose technical details about the kinds of cloud services Gaia-X might offer, but said the initiative will adhere to four principles: “openness, interoperability, transparency and trust.”
“We are not China. We are not the United States—we are European countries with our own values,” Le Maire said. “We have our own economic interests that we want to defend.”
Over 20 organizations will form Gaia-X, including Atos, Bosch, Deutsche Telekom, SAP and Siemens. A prototype of the service should be available by the end of the year. While the specific cloud services the organization will offer remain undisclosed, government officials announcing Gaia-X said it will offer artificial intelligence (AI)-aided meta-analysis of data in such sectors as healthcare and smart city management. The use of AI services for data needs would also meet stringent privacy and ethical programming mandates, the officials said.
In a statement, the German Federal Ministry for Economic Affairs and Energy (Bundesministerium für Wirtschaft und Energie) said:
“Predominant data silos, a lack of standards and the limited transparency of data infrastructure offers are today major obstacles to the application of artificial intelligence. To overcome these obstacles would be very costly and for this reason, the diverse know-how available in Europe is not pooled and used efficiently.”
Build That Wall
While GDPR was ostensibly created to protect user data from the EU member states and to punish non-compliance with major penalties, access by governmental authorities outside of the EU, for example, can remain outside of EU control. As mentioned above, data that is ostensibly stored in a GDPR-compliant way yet sits on a physical server belonging to AWS or another cloud provider remains subject to access by U.S. law enforcement in certain circumstances.
GDPR compliance is thus often considered a starting point for EU data sovereignty. In many ways, the EU’s initiative, pending the final details about Gaia-X’s infrastructure and the services it will offer, will serve as a firewall built to protect EU.
Clive Longbottom, an analyst for Quocirca, agreed.
“By creating a total data platform that is GDPR compliant, users have the choice: build directly on that platform and not have to jump through hoops to prove compliance,” Longbottom said. “Those who choose not to, or due to geographical position, cannot use the platform directly can export data into Gaia-X and only have to prove compliance for that part of the platform outside of the environment. So, yes, EU data can be completely airlocked into Gaia-X – or can just make life a lot easier for users.”
Instead of serving as an alternative to AWS, Gaia-X, based on the information the EU officials have communicated so far, is more of a data handling environment that may just have its own cloud components, Longbottom said.
The idea, based on the available information, “is to present an environment where data can be handled firmly within the needs of GDPR,” Longbottom said. “Now, there are fundamental difficulties around this, such as with data caching in the network, but we won’t let inconvenient realities get in the way of political perceptions.”
Gaia-X is thus “really meant to be a platform for data exchange that meets stringent requirements within the EU,” Longbottom said. “I would hazard that it will include those working outside of the EU that want to deal with countries, companies and entities within the EU, accepting data feeds from pretty much any cloud platform. It will probably be that once the data is accepted into the Gaia-X environment, it will then be deemed to be secure under GDPR—and that will not make it necessarily secure under GDPR end-to-end.”
A main selling point of the project is that once data adheres to Gaia-X compliance, DevOps teams could, in theory, benefit from more seamless data transfers between parties within the environment, as well as transparency about how and where the data is stored.
“Gaia-X is a good idea that will make life easier for EU members to share data across a trusted environment and allow externals to feed data into a known, highly standardized environment where they then do not have to prove GDPR compliance across Gaia-X itself,” Longbottom said.
However, whether or not Gaia-X might one day compete against AWS, GCP or Azure remains to be seen. “If the EU can get more cloud platform vendors to join in and show how their platforms are GDPR compliant from the ground up, more EU companies will want to use such platforms where GDPR compliance is a given,” Longbottom said. “Meanwhile, most will stick with the big public platforms and use Gaia-X as a downstream GDPR data handling environment.”