By Randy Ferguson
Welcome to today’s enlightening conversation on digital sovereignty and privacy. Joining us is Arman Borghem, Regulatory and Compliance Advisor at Cleura, a leading European cloud infrastructure provider. In his role at Cleura, the European cloud infrastructure provider, Arman guides customers through the labyrinth of regulations to enable organisations to harness the power of the cloud while staying secure and compliant with the GDPR and other regulations. In particular, he champions the use of open solutions that catalyse competition and put the customer in control.
Specialising in the intersection between law and IT, Arman holds a Master of Laws and has a background in software and cloud procurement.
Could you explain the concept of digital sovereignty and its significance in the global digital economy?
Let’s have a look at its significance from a European perspective. Imagine a world where an ever greater part of our lives is digitalised and kept with three cloud companies. Those three companies all compete for the market, not on the market. They all handle our data under opaque terms, and expose it to US and possibly other third country jurisdictions, overriding EU law. With little more than a few pen strokes, our data can be accessed by US intelligence services under vague justifications, and trade barriers imposed on a sudden whim could stop those cloud companies from providing their services to us. Without those services, large parts of our society would not function properly, as both businesses and public authorities have grown increasingly dependent on them.
Best of all, those three companies charge their customers very handsomely for the privilege of being locked into them, have grown to be among the world’s most valuable companies, lobby to weaken our laws and even attract European capital from pension funds to retail investors, all aiding in weakening Europe’s position and eroding the value derived from our businesses’ digital transformation. As a concept, digital sovereignty allows us to recognise these problems and their threat to our privacy, economic security and political self-determination.
What do you mean when you say the three big cloud companies compete for the market, not on the market?
The three biggest cloud providers compete for market share by dangling cloud credits and promises of future innovation in front of businesses who are yet to take the full leap into the cloud.
But when they have a customer, especially one that has grown reliant on the provider’s unique bells and whistles, that customer is highly unlikely to leave for another provider – the customer is locked in, sometimes jolted awake to this fact after a while, other times paying ever-increasing cloud bills in a blissful state. Thus, we cannot say there is well-functioning competition on the market; the competition is for the market, meaning it begins and ends where new customers are brought into the fold.
In the era of cloud computing and decentralized technologies, but also increasing digital threats, how can countries maintain their digital sovereignty without stifling innovation and compromising security?
Standards like the ones underpinning the internet, email, and the web have been open for anyone to use and implement, for free, without asking anyone else for permission. That has historically been the foundation for incredible innovation, and the same principles apply today, not least where security is critical.
To give one example, agencies in the French, German and other European governments are using end-to-end encrypted chat built on the decentralised Matrix protocol, which is open for any organisation to implement and interoperate with.
Another example: the European Commission uses Mastodon, the alternative to X built on the open ActivityPub protocol. This decentralised method of communication can literally withstand nuclear war, not to mention being free from the impulses of an erratic owner/CEO. The EU is wisely providing funding to Mastodon through the Next Generation Internet Initiative.
A third example is OpenStack – the open source cloud platform created by NASA and Rackspace in 2010. Today it has hundreds of organisations contributing code, financial support or through other means. The notion that sufficient security requires proprietary clouds has been proven false. OpenStack has de facto become the bedrock of European digital sovereignty when it comes to cloud computing.
These examples give rise to a question every organisation must ask itself: to what extent do we want to drive our digitalisation ourselves, and to what extent do we want to be a passenger? The back seat might seem more comfortable, but who will then be entrusted with the steering wheel? A proprietary cloud provider will step on the gas to take you as far as possible into their proprietary world. But what good is rapid digitalisation if you’re headed in the wrong direction?
I’m not suggesting every organisation has to do everything on their own. In many cases a trade-off could be best: you provide a map and direction, and the cloud provider’s job is to take you there in the most efficient, innovative and secure way possible. If you think the provider is going the wrong way, or doesn’t deliver good enough security, support or pricing, you can switch provider, or even bring things on-premises if necessary. Of course the provider knows this, and therefore has a strong incentive to keep you happy as a customer. That level of autonomy is what digital sovereignty can look like at an organisational level. The more a nation’s businesses and public sector organisations do this, the more digitally sovereign that nation becomes.
Privacy is a major concern for many users and businesses. How has the perception of privacy evolved with the advent of digital technologies?
Do you have curtains at home?
You probably do, and yet over the last decade, your digital life was increasingly prodded and analysed for others’ commercial gain. It may also have been exposed to potential abuse by foreign security services, like when we learned the FBI had conducted 278 000 unauthorised searches of an intelligence database. I think to some extent we became complacent. We adapted to and rationalised the status quo.
Scandals like the Horizon saga and the Dutch child care benefits scandal have probably also helped us realise the scale of the damage which can be wreaked due to a misplaced trust in technology. We need to remember that human beings are developing and deploying the technology – human beings with all sorts of shortcomings, like naïveté, ego, bias and greed.
The good news is I believe we’re at a turning point. EU legislation like the GDPR, and the DSA and DMA after it, are a counterforce to big tech companies that have used their market power to evade European norms and values.
With regulations like GDPR and CCPA coming into force, do you think we are moving in the right direction towards protecting user privacy?
Definitely. There’s even talk about a US federal privacy bill now, even though the fundamental right to privacy through the fourth amendment remains essentially weaker than the protection we enjoy in the EU.
Of course, key to any regulation is its enforcement. EU regulators have stepped up their activity level significantly compared to pre-GDPR days, even if a lot more needs to be done. Still, we’re seeing non-binding guidance and enforcement decisions where regulators have to show their cards at an unprecedented pace. That bodes well for the privacy interest, as organisations can no longer blame difficult-to-interpret rules as justification for non-compliance. Individuals are also understanding their rights better and exercising them a lot more.
Can you provide an example of a situation where lack of compliance led to significant consequences for a company?
New GDPR fines are pouring in to the GDPR Enforcement Tracker every couple of days. However, a more significant consequence of the regulator coming knocking can be that a company has to make sudden and significant changes to the way it does business.
During the last few years, in the markets where we operate, we have seen numerous SaaS providers unable to get business from the public sector and other compliance-minded organisations, especially when the SaaS provider has locked itself into a non-compliant cloud infrastructure.
Can you discuss the importance of privacy by design and how it can be implemented in digital projects?
A crucial part of privacy by design is incorporating the privacy perspective from the outset when setting up a business process or creating a digital solution. That involves critically examining how you can achieve your goals with as little personal data as possible, and by using it as little as possible. The less personal data you collect and the fewer things you do with it, the less there is to explain to end users, the less you run the risk of doing something illegal, and the less data is exposed to potential data breaches. Incidentally, your cloud costs for storage and processing will go down too!
Personal data in your organisation should be a necessary evil – only collect and use whatever you truly need, for as long as you need it, but no more.
You’ll be surprised how often initial instincts that personal data is needed are proven wrong. A good question to ask yourself is: what would happen if we did not have this personal data? If the answer is vague, or if there’s a perfectly reasonable way of achieving your goals anyway, congratulations: stop using that personal data and you’re one step closer to achieving privacy by design.
How do you foresee the balance between privacy and personalized experiences in digital services evolving in the next decade?
Businesses will realise that profiling users to personalise their experience is a lot more challenging than they may have anticipated. Not necessarily from a technical standpoint, but in terms of explaining to people what data is being collected and how it is being used, as well as obtaining proper consent when that is required. Businesses used to communicating in a marketing context, to persuade, will have to learn how to communicate their intentions honestly and thoroughly.
If your users truly understood how you’re profiling them and personalising their experience, would they still want you to do it? If not, you might be in a bit of trouble.
In your opinion, what are the biggest challenges organizations face in maintaining compliance with international regulations?
The regulatory jungle is only growing thicker.
A big challenge is to keep track of all the rules coming out of the EU, from NIS2 to DORA, CRA, CSA, the AI Act and so on. On top of that is GDPR case law, but also all the other case law we can look forward to as a result of the other regulations I mentioned.
Adding to this, some of these rules will apply directly to an organisation, while others will apply to an organisation’s service providers. Assessing not only your own but also your service providers’ compliance will be a real challenge. Viewing your service providers’ compliance as purely their problem is not enough, as you want to avoid service providers that fail to live up to their legal obligations.
How should organizations prepare for future changes in regulations related to digital sovereignty and privacy?
I could rattle off a letter soup like DPIAs, ISO 27001 and ITIL as tools to navigate that jungle and implement necessary changes. The truth of the matter is that to make those things function effectively you need people who understand the law, the technology and how the technology is intended to be used by the business, as well as how it may intentionally and unintentionally affect its interested parties (citizens, customers, etc.).
This places high requirements on legal specialists, technology specialists, people who understand the business need and top management to all be able to communicate with each other and understand each other’s languages. Otherwise, there will inevitably be failures in compliance, risk taking, practical implementation or value creation. Time, patience and human involvement of these parties in the early stages, to communicate and validate priorities and goals, can go a long way.