Sébastien Roques-Shaw, Director of Partnerships, Virtru
Denmark’s data protection agency recently ruled that the Google Workspace suite — which includes Gmail, Google Docs, Calendar, and Google Drive — does not meet the requirements of the European Union’s GDPR data privacy regulations.
Specifically, regulators found that Google’s data processor agreement (terms and conditions) allowed for relevant data to be transferred back to the US for the purpose of providing support, even though it is normally stored in one of Google’s EU data centres. As a result of the ruling, Danish school systems are prohibited from using Google Workspace to educate students, coordinate curriculums with teachers, and share information with parents.
Products like Google Workspace are fundamental to educating students in the modern world. Furthermore, Google Workspace is a robust platform that delivers tremendous value to thousands of schools worldwide, including Sussex Learning Trust, The Kemnal Academies Trust, and world-class universities like Brown University. So, why did Denmark suspend Google Workspace from its schools? Well, it’s a complicated situation that comes down to two simple facts: The era of borderless data is ending and the era of digital sovereignty is beginning.
Considering first the issue of borderless data, for many years, as the internet experienced explosive growth, data itself existed in a world without borders. It was a highly dynamic and lightly regulated environment that enabled hyper-scalers like Google, Amazon and Microsoft to create cloud platforms that delivered infrastructure and application services to billions of people around the world. Eventually, other countries became uncomfortable with the fact that a small number of US-based cloud operators had control over massive amounts of data that originated from inside of their borders. So, they decided to do something about it. And now, the era of borderless data is ending.
Today more than 50 countries are accelerating efforts to control the digital information produced by their citizens, government agencies and corporations. Driven by security and privacy concerns, as well as economic interests and national pride, governments are increasingly setting rules and standards about how data can and cannot move around the globe. The simple goal is to gain sovereignty over data, representing a tectonic shift in the global economy. But this shift did not happen overnight.
Indeed, the era of borderless data began to decline in 2016 when the EU first enacted GDPR data privacy regulations. These new regulations set into motion several years of sausage making which involved the US and its EU counterparts negotiating different “data sharing agreements” under which data could be legally transferred across sovereign borders from the EU to the US without violating the rights of European citizens. Along the way, we witnessed Max Schrems, an Austrian privacy activist, persuade European Courts to strike down the EU-US “safe harbour” in 2015 Schrems. Then, again, in July 2020, we saw Schrems convince the EU court that its successor agreement, the Privacy Shield, was also illegal – Schrems II.
The era of digital sovereignty
Helped in part by GDPR and Schrems, “digital sovereignty” is an idea that has become increasingly popular over the past decade — not only in western democracies, but in most countries around the world. Indeed, in a world that can’t agree on very much, most people seem to agree that citizens of sovereign countries should have ownership over their own data. Simply stated, digital sovereignty is about respecting data – and carefully considering how other people’s information and digital assets are treated. The result is that countries around the world are taking steps to implement “digital borders” designed to enhance privacy and help them govern data as a sovereign asset. These efforts have the following consequences:
- They create distinct legal environments whereby data is capable of being regulated by the country in which it was created, and
- They serve as an incentive for cloud service providers and technology innovators to build new data centres and develop new and innovative controls that make it easier to create clearly defined borders around data.
So are leaders in the technology industry listening? The short answer is yes.
Despite the decision by Danish regulators, Google is actively responding to market demand for enhanced sovereign data controls. One example is the recent introduction of innovative data encryption called Google Workspace Client-side Encryption (CSE), allowing customers to strengthen the confidentiality of their data stored in the Google Cloud while addressing a broad range of data sovereignty and compliance requirements. With CSE, Google gives customers direct control of encryption keys and the identity service of their choice to access those keys. As a result, customer data stored in Google Cloud is indecipherable to Google, yet customers can continue to take advantage of Google’s world-class cloud-based collaboration suite.
In another example of large tech players heeding calls for advanced cloud controls to foster digital sovereignty, Microsoft launched a new service called Microsoft Cloud for Sovereignty. Microsoft states that this new solution will enable governments to operate workloads in the Microsoft Cloud in a manner that provides greater control over data so they can meet specific requirements for data governance, security controls, privacy of citizens, and data residency associated with regulations like GDPR.
Amazon AWS is also responding to the rise of digital sovereignty and market demands for improved data controls. Specifically, in order to help European customers comply with GDPR, Amazon announced last year that it was strengthening commitments to challenge law enforcement requests for customer data that conflict with EU law. Additionally, Amazon launched in July 2021 two new online resources to help customers complete data transfer assessments more easily and comply with GDPR. Collectively, these ‘Privacy Features for AWS Services’ make it easy for AWS customers in other countries to understand whether their use of AWS services involve any type of data transfer.
Open Standards advance Data Sovereignty
Large cloud providers alone cannot enable digital sovereignty without incremental capabilities supplemented by trusted third parties. For example, in the context of Google CSE, the keys that are required to encrypt and decrypt data cannot be managed by Google. Otherwise, Google would have the power to decrypt and inspect the customer’s data. Therefore, in order to separate cloud data storage from data encryption, Google has partnered with a number of key management providers and by working together, they can give organisations confidence that their data is always encrypted and Google itself would never have access.
There are, however, many platforms and methods to enable data sharing, and what the technology industry is really in need of, is an open industry standard — one that can enable organisations to easily share data without sacrificing security, privacy, control or sovereignty.
Trusted Data Format (TDF), an open standard for object-level encryption, could help. TDF embraces both security and innovation, empowering organisations to apply policy controls to data so that it can be shared with others without sacrificing ownership. You alone decide exactly who should be able to access your data, and you alone hold the key – not a cloud provider like Google or Microsoft and certainly not a foreign government.
TDF provides the freedom to collaborate while ensuring you maintain control and meet compliance standards: For example, while we await the final ruling on cross-border data transfers between the EU and the US, the European Data Protection Board (EDPB) “has approved end-to-end encryption as a path to maintain data sovereignty and meet regulatory requirements.”
The benefits of data sovereignty are numerous, and it’s vitally important for organisations to put protections in place that give them more complete control over their data. Even as global data-sharing regulations continue to evolve, organisations that choose to prioritise data sovereignty and privacy will position themselves for success.