Article 6ZRWR Microsoft Can't Guarantee Data Sovereignty – OVHcloud Says 'We Told You So'

by janrinok from SoylentNews on (#6ZRWR)

hubie writes:

French provider seizes on Redmond's admission that US law could override local protections:

European cloud provider OVHcloud has long warned about the risks of relying on foreign tech giants for critical infrastructure - especially when it comes to data sovereignty.

Those warnings seemed to gain fresh credibility in June, when Microsoft admitted it could not guarantee that customer data would remain protected from US government access requests.

"They finally told the truth!" says OVHcloud Chief Legal Officer Solange Viegas Dos Reis. "It's not a surprise," she shrugs, "we already knew that." However, "this reply from Microsoft brought kind of a shock for customers, because they suddenly discover that what they have been taught for a while: 'Oh guys, don't worry, it will not apply to you. Don't worry.' It's false! Because, indeed, the data can be communicated."

Anton Carniaux, director of public and legal affairs at Microsoft France, made the admission during a hearing [source in French] in the country. In answer to whether he could guarantee that data on French citizens could not be transmitted to the US government without the explicit agreement of the French authorities, Carniaux replied: "No, I can't guarantee it," but added that the scenario had "never happened before."

[...] The sovereignty problem, however, is difficult to solve. Almost every vendor and commentator appears to have a different idea of what it means. "One of the issues we have is that, as there is no legal definition of sovereignty, everyone has their own idea of what sovereignty is," Viegas Dos Reis says. "It's becoming quite a marketing concept for some."

She states that there are three key concepts: data sovereignty, technical sovereignty, and operational sovereignty.

Data sovereignty is the simplest to define. It involves compliance with the laws where the data resides, rather than the laws of other countries. It also covers the freedom of choice regarding where that data is stored. Additionally, it involves ethics, such as not training LLMs on the data. Finally, it involves keeping the data secure.

"Technical sovereignty," says Viegas Dos Reis, "is about being able, through ensuring interoperability, you can move your data from one provider to another." Data might be stored with one cloud provider but processed by another.

"So interoperability, reversibility, it's about the control of the infrastructure - datacenters, of course - but telecommunications network as well. It's about the control of the choice of the provider you have with the supply chain you have.

"So you control your supply chain, and that means that you control the risk. When you have a risk in one part of the supply chain, you must be able to change it to adapt."

And finally, there is operational sovereignty. Who will have access to the data? It is not difficult to imagine support personnel looking at screens of data in another country to diagnose an issue and inadvertently blow a hole in the most carefully made sovereignty plans.

[...] Concerns about the dominance of cloud hyperscalers are not new. However, worries about competition in the era of AI and fears surrounding the unpredictability of the US regime have led many customers - not just in Europe - to take a long, hard look at their dependencies.

"The sovereignty pitch starts rising in a lot of countries," says Viegas Dos Reis, "because there is this fear of, 'OK, if I'm not digitally sovereign, I expose myself as a country, as a company, and as an individual as well. I expose myself to pressure from a third party.'"

[...] That said, Viegas Dos Reis acknowledges that a migration from the hyperscalers would be "a very long and complex project." After all, it can be costly to leave a hyperscaler, and the services of one provider are not necessarily matched by another.

That said, Viegas Dos Reis notes that a slow migration does appear to be underway, where companies are considering which workloads need to be where. Some can stay in the public cloud. Some might be on-premises. Others might opt for a European cloud provider.

"Each company should have a clear strategy on the management of its data and of its dependencies, and each company should map the data, map the needs," says Viegas Dos Reis.

"And depending on this mapping, they will say, 'OK, with this kind of data, no problem. I can put it in a cloud that is not immune to a territorial regulation, but another kind of data. Oh, my God, if this data falls into the hands of a foreign government or a competitor, I will have big, big problems.'"
