Paris, 19th March, 2021

It is time to ensure the immunity of Europe’s cloud service providers to non-EU laws with extraterritorial impact, in order to strengthen our EU data sovereignty!

In its recent Communication on "Europe's Digital Decade: 2030 Digital Targets", the European Commission (EC) rightly emphasized that "today, data produced in Europe is generally stored and processed outside Europe, and its value is also extracted outside Europe. While businesses generating and exploiting data should retain free choice in this regard, this can bring risks in terms of cybersecurity, supply vulnerabilities, switching possibilities as well as unlawful access to data by third countries. EU-based cloud providers have only a small share of the cloud market, which leaves the EU exposed to such risks and limits the investment potential for the European digital industry in the data processing market". This is, to our knowledge, the first time the European Commission is so explicitly highlighting in an official publication potential risks in terms of security and sovereignty for data produced in Europe induced by non-EU laws with extraterritorial impacts.

Being a French and therefore European cloud service provider (CSP) owning and operating data centers exclusively on the EU soil (meaning that our clients' data remain entirely under EU jurisdiction), this is an assessment we do welcome very positively. Complementing this EC analysis, we would like to share with you:

1) Our insights, between market needs and expectations, and shortcomings identified at EU level on this topic thus far

2) A proposed way forward to mitigate, on the short to medium-run, the detrimental extraterritorial impacts of non-EU laws on the security and sovereignty of data produced in Europe.

1) Scaleway's insights

Based on our experience and clients’ feedback, trust in cloud services provision greatly depends on data sovereignty-related considerations. In the meantime, many European companies seem to be ignoring the fact that they may be faced with negative impacts coming from their (not necessarily easily identified) exposure to non-EU extraterritorial laws. Consequently, they can be navigating in full legal uncertainty.

We also encounter situations where there is no way for CSPs’ clients to measure objectively, precisely and transparently, the level of their data’ exposure to non-European extraterritorial laws, be they stored and processed on European soil or not. This lack of transparent, measurable information is not only detrimental to our clients' freedom/sovereignty of choice (they are less easily able to take well-documented decisions of strategic nature), but it also prevents European CSPs which propose sovereign offers (which can be the result of consequential, dedicated investments) to differentiate from their competitors on a crucial aspect for today’s and tomorrow’s cloud adopters in Europe (we notice substantially increasing expectations from customers and prospects, meaning significant growth perspectives for the European cloud ecosystem).

In accordance with these observations:

  • We tend to lack an authoritative EU impact assessment detailing under which conditions European companies can be exposed to extraterritorial jurisdiction when handling certain data, and the legal conflicts it can entail with EU legislations.
  • While being fully supportive of the EU institutions’, Member States and the EU Agency for Cybersecurity’s (ENISA) work on cybersecurity, we do consider that existing cybersecurity approaches, when applied to cloud computing services, omit a fundamental factor: the transparent assessment of CSPs’ immunity (with regard to data processing and storage) to non-European laws with extraterritorial impacts.

2) A proposed way forward

ENISA is currently drafting a cybersecurity certification scheme for cloud service providers, recently submitted to public consultation: in our view, introducing provisions related to immunity to extraterritorial laws with regard to data processing and storage is absolutely necessary in order to make this certification approach a real success: so far, the only objective, even at "high" assurance level of certification, is to provide transparent information in this respect.

Concretely, the introduction of a requirement on data to be stored regionally, in a datacenter that is physically located in the EU and whose owner is an entity itself headquartered in the EU, would be a way to generate the required level of trust in the certified cloud services. Deepening recent recommendations of the European protection data board, we also believe more legal obligations/information should be required, on the whole stack of cloud computing services, from the real-estate all the way up to the software components that make up the cloud, to provide full transparency on the applicable jurisdiction according to data storage, computing and processing conditions.  This is for us the only way to guarantee reasonable certainty concerning the level of immunity to extraterritorial laws for certified CSPs.

Such an evolution could be a true game-changer in Europe. Therefore, we call upon all relevant institutions and agencies to put this matter at the top of their upcoming policy discussions, and to use this EU cybersecurity certification scheme in the making as a leverage to serve the EU institutions’ wider ambitions to strengthen Europe’s digital sovereignty.