China has long demanded that cloud infrastructure be hosted in China by local companies. In reality, Chinese cybersecurity law requires that certain data be stored on local servers or undergo a security assessment before being exported. A Personal Information Protection Act, which is still in draft form, goes one step further by stating that China’s data rules can be applied anywhere in the world if the data in question describes Chinese citizens. The law would also create a blacklist prohibiting foreign entities from receiving personal data from China.
Now the United States is starting to advance its own version of digital sovereignty. Secretary of State Mike Pompeo’s Clean network initiative would ban Chinese cloud companies from storing and processing data about US citizens and businesses. And while the Biden administration is likely to reverse many measures taken under President Trump, the prospect of forcing ByteDance to sell TikTok to Oracle or run its US operations through a local partner remains on the table. This could set a dangerous precedent: the U.S. government would mirror and legitimize China’s cloud regulations, which require foreign vendors to enter the market only through joint ventures with Chinese companies holding majority shares.
And in South Africa, a guideline 2018 Reserve Bank of South Africa has put in place an approval mechanism for institutions seeking to use cloud computing, saying bank supervisors would be “unpleasant” if data was stored in such a way as to prevent access.
If a variant of the TikTok / Oracle deal becomes the norm, it will pave the way for more governments to require technology vendors to sell a stake to a local entity, or operate through an entity, in exchange. market access.
Proponents of this approach argue that some degree of data sovereignty is inevitable. They say the global internet still operates under these rules and businesses continue to profit and innovate. But the fact that some companies continue to thrive under these conditions is not a convincing argument for imposing them in the first place.
A global cloud
The trend towards digital sovereignty has sparked a digital arms race that slows down innovation and offers no significant benefit to customers.
Companies like Amazon and Microsoft may well afford to continue expanding their cloud computing platforms to new countries, but they are the exception. Thousands of small businesses that provide cloud services on top of these platforms do not have the financial or technological means to make their products available in every data center.
In Europe, for example, the GAIA-X project can only strengthen the large incumbent operators. And in China, the vast majority of foreign software vendors have decided not to make their cloud services available there because the barriers are too great. It does a disservice to Chinese customers and foreign technology suppliers. It also deploys all the economic and security benefits of a global cloud.
What is needed is for different countries to collaborate on common standards, agreeing on a set of core principles for the cloud and standards for government access to the data stored there.
The OECD, for example, could do this by building on its existing privacy guidelines. the OECD Global Partnership on AI is an example of an initiative in a related technology field that brings together many stakeholders to develop policy.
For starters, the coalition could focus on a small subset of business data flows and corresponding use cases (such as those involving internal company personnel information or cross-border contracts). Recognizing the concerns that underpin the drive for digital sovereignty – which may include political security, national security, and economic competitiveness – could help lay the groundwork for such a deal. One approach could be to offer incentives to companies that participate in such a coalition, but without blocking the flow of data to those that do not.