Data sovereignty in the cloud: a challenge for everyone in Europe
Digital sovereignty can be defined as the ability of a state to control all digital resources, from an economic, social and political point of view — free from third parties or external influences. In short, it fosters freedom of choice and enables us to be less dependent on non-European infrastructures, platforms and internet access points.
Data sovereignty extends this notion to organisations. It determines their ability to protect their data against possible interference, particularly when it comes to data security. It also enables them to act independently, particularly in areas that are strategic for their development. Compliance with European regulations — which limit the possibility of transferring personal data outside the European Union — is a guarantee of data sovereignty.
Today, we face global competition and an exponential growth in the volumes of sensitive and strategic data used in the cloud. A growing number of European organisations have already become aware of the importance of governing their IT systems, and the data they handle. The risks of non-European economic intelligence actions — and interference via uncontrolled dependencies with some of their cloud service providers — are now recognised. These pose a risk both to data protection, and to the ability to develop major UK and European players. This makes it more difficult to compete internationally in the digital arena. By defending data sovereignty, we act to protect freedom of choice for administrations, companies and citizens.
European Cloud: major challenges for Europe, and five scenarios with significant impacts by 2027-2030
In May 2021, KPMG published a white paper based on data and information from a wide variety of sources, including over 250 interactions with public and private decision-makers in Europe. The bottom line is that migration to the cloud has become a mandatory process, and both data security and sovereignty are main concerns for decision-makers. Furthermore, the current paradigm of the European cloud market does not seem to be sustainable. Five scenarios have been identified, with several predictable benefits.
How does OVHcloud ensure that its customers’ data sovereignty is respected?
“At OVHcloud, we believe that the ability to exercise our digital sovereignty is key to ensuring our users’ freedom. This is to keep control over our future, maintain job security, and uphold our European values. These are the challenges of a trusted cloud, which guarantees protection for the sovereignty of strategic data belonging to states, companies and citizens. We will stay true to the original promise of the internet: to make the digital world an area of freedom, autonomy and collective innovation.”
A pure French cloud player, committed to the European digital ecosystem
A sovereign cloud is, above all, a cloud from a provider who agrees not to make any use of its customers’ data. This commitment is built into OVHcloud’s value proposition as a pure player and cloud specialist, with no activities in other areas that can compete with its customers. As part of this, OVHcloud is building a trusted cloud offering to help protect industrial sovereignty.
OVHcloud is heavily involved in the efforts led by European public authorities and professional associations defending digital sovereignty in Europe. OVHcloud is a founding member of the CISPE (Cloud Infrastructure Services Providers in Europe) association and the GAIA-X project, and actively contributes to these European initiatives. Their purpose is to guarantee the security, interoperability, transparency and trust required for fair data use. In 2020, OVHcloud launched the Open Trusted Cloud program, with the aim of co-creating an ecosystem of SaaS and PaaS solutions in an open, reversible and reliable cloud, with all the digital players involved. These initiatives aim to leverage the potential of our European ecosystems, and encourage ethical circles.
European customers protected from interference by overseas authorities
OVHcloud implements technical and organisational measures that aim to protect the data hosted by its EU-based customers against interference from authorities outside of the European Union. Technically, no OVHcloud entity or third-party partner of OVHcloud can operate — and therefore access — the infrastructures hosting the aforementioned data. This rule also applies to non-EU countries that do not have a sufficient level of data protection in line with those in force within the European Union.
For example, the United States is no longer considered a country with an adequate level of protection, since the invalidation of the “Privacy Shield” by the Schrems II judgement of the Court of Justice of the European Union on 16 July 2020. Consequently, the American entities of OVHcloud are not involved in providing services to OVHcloud’s European customers, and do not have the technical ability to access the data hosted by them in OVHcloud’s European datacentres. As a result, these US entities do not have control over the data stored in these datacentres, and cannot respond favourably to requests from US authorities to disclose the data.
Only entities located within the European Union, or in countries whose level of protection has been subject to an adequacy decision by the European Commission — in particular Canada — may, under the terms of service in force, take part in carrying out the services provided to OVHcloud’s European customers, and intervene technically on the infrastructures on which they host their data.
Full compliance with European regulations, freedoms and fundamental rights
Organisationally, the OVHcloud Group is a European group in which European commercial entities — as well as entities that may intervene on OVHcloud’s hosting infrastructures located within the EU and used by its European customers — fall under the exclusive jurisdiction of European Union member states, or states that have been subject to a European Commission adequacy decision. These entities are controlled by OVH Groupe SAS, a company governed by French law, with no dependency links to any entity or organisation subject to the jurisdiction of states that do not provide an adequate level of data protection.
Requests from non-EU authorities (governmental, administrative, judicial or other) may be made for the communication of data hosted by a European OVHcloud customer in a datacentre located within the European Union. In this case, OVHcloud is fully able to oppose such requests, in accordance with its policy for handling requests from authorities, and the provisions of Article 48 of the GDPR, if they are not carried out in accordance with an international agreement — such as a treaty on mutual legal assistance in force between the requesting country and the Member State(s) of the European Union concerned.
Furthermore, for customers wishing to process the data they entrust to OVHcloud exclusively within Europe, OVHcloud is implementing an option whereby only European entities are involved in carrying out the service. This excludes any other entities, including entities located in non-EU countries that are considered by the European Commission to have an adequate level of protection.
Compliant with the strictest security standards and sovereign benchmarks
At OVHcloud, no access to customer data is granted, unless the customer requests it or provides their permission — and when required, such as during support team interventions or maintenance operations. The company guarantees full traceability for these actions, which guarantees data sovereignty.
The SecNumCloud Security Visa, obtained by OVHcloud in early 2021, gives certified cloud service customers the assurance that they are choosing solutions with a security and trust level verified by ANSSI (the French National Agency for Information Systems Security). OVHcloud also provides its cloud services to French (UGAP), UK (G-Cloud) and Italian (AgID) administrations, as well as European Commission institutions (DPS 1 MC5). The company is also involved in the ongoing work of the European Network and Information Security Agency (ENISA) on cybersecurity certification for cloud services.
OVHcloud is also working to meet the needs and requirements of Operators of Vital Importance and Operators of Essential Services — who, as part of their licensing procedures, must conduct risk analysis and implement numerous security rules. In fact, OVHcloud’s documentation, based on the implementation of different standards and benchmarks (ISO 27001, ISO 27701, SecNumCloud, HDS, SOC, CSA Star, PCI-DSS and others), allows customers to conduct their risk analysis by transparently accessing the measures and organisation put in place by OVHcloud to ensure their data is protected.
Extended control of the subcontracting chain and technological dependencies
For more than 20 years, OVHcloud has developed an integrated business model that allows it to fully control its value chain. This covers datacentre construction and management, the design of servers and computing racks in the Croix factory (Hauts-de-France), and the operation of a dark fibre network powered by OVHcloud. With this level of logistical control over the supply chain, it can further ensure sovereignty for data and services. It also limits the technological dependencies on OVHcloud’s subcontractors and providers. The company’s ability to support the development of its customers’ businesses was demonstrated during the healthcare crisis in 2020. Unlike some competitors who are more dependent on their suppliers, OVHcloud has avoided stock disruptions.
OVHcloud is also unique in that it integrates open-source, open and reversible technologies and market standards into its products. These platforms respect customer data sovereignty by design, and are operated end-to-end by OVHcloud without the intervention of external subcontractors. OVHcloud ensures that the software publishers behind the technological building blocks of its solutions offer guaranteed sovereignty.
Subject to specific terms and conditions of service, OVHcloud ensures that the partners involved in maintaining the solution promise to intervene only from EU countries, or from countries with a level of data protection equivalent to that in force within the European Union, and to comply with European regulations. With full control over its products, and the very high integration of third-party services, OVHcloud is able to ensure that its customers’ data sovereignty is fully protected. The goal of all this is to promote a trusted cloud, with full respect for UK and European data sovereignty.