Like it or not, the EU needs American cloud services

Opinion piece (Encompass)
23 March 2023

As industrial competition with the US and China heats up, European businesses need to be more innovative to keep pace. The European Commission recognises that adopting technologies like cloud computing will be important to maintain Europe’s global competitiveness. Cloud technology allows businesses to access computing resources remotely and on demand – which is often more efficient, more secure and more easily scalable as businesses grow.

But the EU’s ambitions for adopting cloud technology run headlong into concerns about Europe’s ‘digital sovereignty’. The largest cloud computing companies – Amazon, Microsoft and Google – are all American. Given the current state of the cloud market, if EU businesses increase their adoption of cloud technology, they will become even more reliant on the largest American tech firms. Some EU member-states are now trying to influence a new European cybersecurity certification scheme, called EUCS. They want only firms headquartered in the EU, and which store European data in Europe, to obtain the highest category of certification. This would disadvantage foreign firms competing for important cloud computing contracts in Europe. Critics, predictably, argue that this is simply a case of European protectionism. They are wrong – the EU’s concerns are legitimate. But the approach pushed by some EU member-states would prove costly and counterproductive.

Europe’s concerns are not simply protectionist. Cloud computing companies host vast amounts of Europeans’ personal information and business secrets. If those cloud computing companies are subject to foreign laws, for example by being headquartered in a foreign country, they can be forced to hand over that data to that country’s authorities. These types of foreign laws – passed in recent years by both the US and China – can apply even if the companies hold the data in the EU. EU governments therefore worry that these laws undermine EU nationals’ rights, as set out in laws like the General Data Protection Regulation (GDPR). These concerns are not idiosyncratically European, despite what some critics imply. For example, the US also prohibits firms from disclosing data held in the US to foreign law enforcement authorities, except when Washington has an agreement with the foreign government concerned. China’s Data Security Law similarly limits the transfer of important data outside China.

Even if these concerns are exaggerated, they still impact EU businesses’ decisions. EU surveys show that EU businesses – particularly in privacy-sensitive countries like Germany – do worry about their cloud providers handing over data to foreign government agencies. This undermines European business confidence in using cloud computing services, suppressing use of the technology. The EU is not wrong to try to improve trust in the cloud sector.

The EU’s concern with digital sovereignty for cloud services is therefore legitimate. But that leaves open the question of how to push its sovereignty agenda. Would disadvantaging foreign firms help or hinder Europe’s digital ambitions and respect for its data protection standards? In fact, the EUCS proposal would be negative for European security, businesses, and for the EU’s own cloud computing ambitions.

First, consider the security implications. The EUCS rules would partially address one security risk: that foreign authorities could access European data. However, this risk should not be exaggerated: US authorities, for example, can only require cloud providers to hand over data in Europe directly in very limited circumstances. Addressing this risk by disadvantaging US firms would weaken Europe’s cybersecurity in many other respects. Cloud computing firms with global scale can adopt cybersecurity measures – such as spreading data across multiple global data centres to reduce the risk of its loss or exposure – which European firms cannot. The EUCS would make data less exposed to US investigators, but could make it more vulnerable to rogue states and cyber criminals who have fewer qualms.

Second, the EUCS proposal would do very little to persuade EU businesses to adopt cloud computing. Those businesses which only want to use European cloud providers already have a number of European cloud firms to choose from. Disadvantaging foreign firms would distort competition – making it harder for leading American firms to compete, and giving European cloud firms an artificial leg-up, which would reduce their incentives to improve their services and drop their prices.

Finally, the EUCS proposal would not even help European cloud firms become globally successful. Instead, they will have incentives to limit their presence in foreign markets. If they invested heavily in the US or other markets, they would risk becoming subject to foreign laws, losing their European security certification, and finding it harder to compete in Europe.

The proposal to disadvantage foreign cloud providers reflects genuine EU concerns. America could help address these worries by amending its laws so that American authorities access European data only via legal mechanisms agreed with the EU. While that remains unlikely, discriminating against foreign cloud firms will do the EU more harm than good.

Zach Meyers is a senior research fellow at the Centre for European Reform.