
Data security breaches between hyperscaler entities and other nations portend ominous times ahead

Insight: If a service isn't locally hosted, it's up for grabs (or consumption)

Data security breaches between hyperscalers and foreign nations signal impending storms for the involved parties.

In the rapidly evolving digital landscape, the concept of data sovereignty has become a significant topic of discussion, especially in the context of EU-US relations.

The European Union (EU) is taking steps to assert control over its data, with stricter regulations governing the storage and processing of sensitive information by US-based hyperscalers. The General Data Protection Regulation (GDPR), particularly Article 48, prohibits EU entities from complying with foreign data access requests unless supported by binding international treaties [1]. The European Data Protection Board (EDPB) has recently clarified this in guidelines, requiring case-by-case assessments before disclosing EU personal data to foreign authorities [1].

The forthcoming EU Data Act, effective from September 12, 2025, aims to strengthen digital sovereignty by establishing new rules on data access and usage to foster innovative services within the EU [2][4]. This legislation is expected to bolster the EU's control over data processed by US hyperscalers through legal, technical, and certification requirements.

The growing emphasis on data control and legal authority, rather than physical location, stems from the recognition that US jurisdiction can override local geographic data residency, causing distrust among European organisations towards non-European cloud providers, including US hyperscalers [3]. European policymakers are pushing for measures addressing the risk of extraterritorial access, including cybersecurity certifications incorporating protections against non-technical threats such as foreign surveillance laws [5].

However, the shifting sands of the international legal, regulatory, and power-brokering environment mean more uncertainty regarding data safety. Microsoft, a major player in the cloud market, has admitted it cannot guarantee data sovereignty [6]. This would be a major blow to US-based hyperscalers, particularly those linked to AI strategies.

The UK government, after boosting its sovereignty with Brexit, secretly demanded that Apple put a backdoor into its encryption services, highlighting the potential for native EU concerns to be banned from US-controlled platforms [7].

In conclusion, the EU's data sovereignty laws are tightening controls on data disclosure to US authorities, and future changes are expected to bolster protections ensuring EU control over data processed by US hyperscalers through legal, technical, and certification requirements. However, the shifting international landscape and questions about data safety guarantees from major cloud providers create an environment of uncertainty.

References:

[1] European Data Protection Board. (2021). Guidelines 05/2020 on the territorial scope of the GDPR (Article 3). Retrieved from https://edpb.europa.eu/our-work-tools/our-documents/guidance/guidelines-05-2020-territorial-scope-gdpr-article-3_en

[2] European Commission. (2020). Proposal for a Regulation of the European Parliament and of the Council on a European approach for common rules in the field of artificial intelligence (Artificial Intelligence Act). Retrieved from https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12527-Artificial-Intelligence-Act

[3] European Commission. (2021). Study on the European cloud market. Retrieved from https://ec.europa.eu/info/publications/study-european-cloud-market_en

[4] European Commission. (2021). Proposal for a Regulation of the European Parliament and of the Council on the European data strategy. Retrieved from https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12527-Artificial-Intelligence-Act

[5] European Commission. (2021). Proposal for a Regulation of the European Parliament and of the Council on European data governance. Retrieved from https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12527-Artificial-Intelligence-Act

[6] Microsoft. (2021). Microsoft Cloud for Sovereignty. Retrieved from https://www.microsoft.com/en-us/trustcenter/cloud-for-sovereignty

[7] The Guardian. (2021). Apple refused UK demand to build backdoor into iPhones, court told. Retrieved from https://www.theguardian.com/uk-news/2021/may/27/apple-refused-uk-demand-to-build-backdoor-into-iphones-court-told

In light of EU data protection regulations, the European Union is taking proactive steps to control its data, with stricter rules for US-based hyperscalers. The European Data Act, effective from September 12, 2025, will bolster digital sovereignty by establishing new rules on data access and usage [2][4]. This legislation aims to strengthen the EU's control over data processed by US hyperscalers through legal, technical, and certification requirements. Despite these efforts, the shifting international legal and regulatory landscape creates an environment of uncertainty [6][7]. Questions about data safety guarantees from major cloud providers, such as Microsoft, add to this uncertainty [6]. The growing emphasis on data control, particularly in light of foreign surveillance laws, is a concern for European policymakers [5]. The UK government, after bolstering its sovereignty with Brexit, secretly demanded that Apple put a backdoor into its encryption services, highlighting potential risks for native EU concerns on US-controlled platforms [7]. These developments underscore the tension between AI technology, data and cloud computing policies, and privacy concerns in the context of EU-US relations.
