When European companies use cloud solutions from US companies, they have to deal with the risk that the personal data they process ends up with US authorities. Since 1981, US law has allowed the NSA and others to demand access to company This access has been extended several times since. There are sensible, broad-based European alternatives that could be put in place immediately. Here are 15 cloud services in the EU.
The EU and US have twice reached agreements on data transfers, but both were overturned by the EU Court of Justice in 2015 and 2020 respectively. At the same time, the EU Court of Justice has ruled that a valid agreement cannot be drawn up as long as US law remains unchanged.
The European Data Protection Board points out that Standard Contractual Clauses (SCCs) can be used to ensure that the level of data protection in the US is equivalent to what we have in the EU. This requires the EU controller to carry out a Transfer Impact Assessment (TIA) and then assess what the risk of transfer is and how that risk can be eliminated or mitigated. Similarly, groups can make use of Binding Corporate Rules (BCR).
However, none of these instruments can prevent data transfers to the US, nor can they remove the possibility of access granted to US authorities. However, technical measures such as encryption and pseudonymisation of data will allow data subjects to reduce their risk. Similarly, organisational measures can contribute to better data protection. They include, for example, obligations on the provider to inform the controller of regulatory requirements for access.
Several experts have stated that there are only two possible solutions for US companies: either to out-license their software to EU companies or for the US government to change its legislation. Neither of these solutions seems realistic in the short term.
Applying the data ethics principle on full transparency and control of our own data, we exclude providers in this guide whose subcontractors or investors are registered in the United States. In other words, we want to completely exclude the risk of data being handed over to US authorities.
This guide therefore sets out a number of alternative providers of cloud and data centre solutions in the EU. There are sensible, broad-based alternatives that can be deployed immediately. We also mention a few providers that may not be considered fully mature at the moment, but have the potential to be considered in the foreseeable future.
Use the guide to explore the possibility of choosing a secure cloud provider that does not put your business or organisation at increased risk by sending data to insecure third countries such as the US, which has a large share of the cloud market in Europe.
Leaving the dominant cloud services comes at a price
Cloud providers like Amazon’s AWS and Microsoft’s Azure and MS365 are ahead of their EU competitors in several areas. This is mainly because Amazon in particular invented the way of offering flexible and scalable computing power that we refer to as “cloud”. Secondly, Microsoft and Amazon have been able to build more advanced capabilities because they have a huge customer base and almost unlimited resources to work with.
So leaving Microsoft, Amazon and Google, which can offer more features than the European alternatives, comes at a price. On the other hand, they operate legally and support the building of a vital European cloud infrastructure.
But how do you assess which providers best meet European requirements for data processing and data security? Below, we propose a set of criteria that can be used to assess whether providers and their sub-contractors ensure effective data protection.
It should be noted that using, for example, Chinese AlibabaCloud, which has a data centre in Frankfurt, would of course not be in line with EU requirements either. They may be subject to Chinese law or may send data to China, and China is also an unsafe third country from a data protection perspective.
To assess whether a cloud provider is a secure alternative to US providers, we examine the financial ownership of both the provider and its sub-tenants. Where are they legally headquartered? If at any point in the data flow between provider and sub-provider a company subject to US law is involved, or if data flows through a Chinese data centre, then there is a risk and the provider or solution cannot be used without breaching EU requirements.
After looking at the absolute most important criterion, financial and legal ownership, we also looked at a number of other criteria such as functionality, whether they are based on open source technologies, how fast their servers are and documentation.
We have also assessed the secure alternatives on functionality: the technologies and services they offer for storing and transmitting data, including different cloud types and container software, the availability of development and deployment environments, and their certifications and green profile.
The US providers have been in business for much longer than the European alternatives, and have only improved as the number of users has increased. This naturally means that they can offer more mature and advanced solutions.
The table below shows that providers in Germany and France in particular can offer solutions that contain the functionalities that are in demand by users.
When it comes to common functions like providing virtual servers, networks and disk space, the EU has a lot of alternatives. Containers, software-based networking, virtual firewalls and load balancers are all available from EU providers. Many can offer to build your entire infrastructure in a public cloud in the security of the EU, but few can provide advanced services such as microservices.
Microservices are relatively new and consist of small “packages” of functionality that you can add to your solution with a few clicks. It could be a special calculator with machine learning (ML) or a component that solves another very specific and advanced task. By using these “building blocks”, you can compose or extend your own solutions while limiting the amount of in-house development. A lot of time can be saved by using this type of service.
More and more companies have seen the benefits of using container software such as Kubernetes, also called K8s or “Kates”, as well as Docker. By using this kind of software in the cloud, you can put an abstraction layer between the cloud provider’s infrastructure and your application. It also makes you independent of the cloud provider and makes it relatively easy to move from, say, Microsoft Azure to, say, France’s Ikoula or Germany’s First-colo, which offer Kubernetes-as-a-Service. So a first step in planning a move could be to get your applications moved to containers.
All the providers listed can provide basic cloud services. Some can do more and are worthy challengers to the US firms. We look at them in the next sections.
The European Cloud Services
If you look at cloud providers that can offer a range of services, such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform, there are a number of companies in France and Germany that do not share data with authorities in insecure third countries. Also in Sweden and Finland, alternatives exist that should be considered.
Below are the alternatives that we have assessed as safe in terms of not sending data to unsafe third countries for processing:
The vendors in Germany that meet the requirement of not having US ownership or subcontractors, and at the same time have an advanced cloud catalogue with customer-facing console, are primarily Noris Network and Hetzner Cloud.
Hetzner is probably the most obvious alternative to the US providers, as it has a wide range of solutions and provides an API for those who want to build their own cloud management console on top of Hetzner’s equipment. Several European companies already use Hetzner to some extent. They are easy to get started with and have a very high level of service – even when it has to be in English.
Noris Network is a somewhat overlooked provider, but is definitely an interesting alternative on a nine-to-one level with Hetzner. They have a very wide range of features and very high standards of security. Among their customers they count everything from Adidas to Vodafone.
Deutsche Telekom’s subsidiary, T-Systems, has a well-stocked cloud programme at open-telekom-cloud.com. And first-colo.net is also an interesting acquaintance with a wide range of features, including Kubernetes-as-a-Service.
Slightly fewer cloud features can be offered by the publicly owned RegioIT.de.
There are also a number of specialist cloud offerings in Germany. Robhost.de offers hosted server solutions with or without e.g. Nextcloud or GitLab and uses only green energy. Another provider of hosted open source solutions is OwnCube, where you can get your own hosted BigBlueButton or Jitsi video solution. Bitpack.io is another interesting niche player in the same area.
Ikoula has a very nice range of cloud services and they also have an easy to use cloud management user interface.
Telecoms company Orange bought an early state-funded cloud startup called Cloudwatt and rebranded it cloud.orange-business.com with good cloud features.
Data4group operates data centres and can offer various forms of hosting/outsourcing.
You can also find a large number of specialised companies in France. For example, there is a provider of digital signature and other security products, called OODrive, which is already working internationally.
There is generally a very large choice of smaller suppliers, but few have enough services to make them really attractive. However, in Sweden you will find Elastx.se, a fledgling cloud provider that builds its entire business on open source technologies such as Jelastic and Openstack.
In Finland, Upcloud specialises in the world’s fastest servers and has a track record of really good performance on its equipment. They have their own data centres in four locations around the world and are owned by the Finnish founder. Upcloud received €18 million in capital from a Dutch private equity fund in 2019 (Connected Capital & Partners). They have a well-run managed cloud console where you can provision servers, networks and storage. And it’s all very fast.
The Danish data centres NNIT, dlx.dk and Motus are also up to something.
While it may seem like a big task to replace your current suppliers with EU alternatives, it pays off in the long run. The burden of security assessments and GDPR work will drop significantly. You no longer have to worry about people or organisations outside your control influencing your day-to-day operations.
Finally, there is the EU’s new mantra: digital sovereignty. Using European cloud providers supports a more technologically and data independent Europe. As long as we do not control key parts of our infrastructure, including networks, electricity, water and data, we cannot claim sovereignty. We are totally dependent on having a well-functioning digital infrastructure in Denmark as well as across the EU.
Johnny Lüchau owns the company yansatech.dk, where he advises on and builds cloud solutions. DataEthics.eu asked him to write this guide.
Translated with the European alternative to Google Translate: DeepL