1. What is digital sovereignty?
Digital sovereignty essentially means acting self-determinedly in the digital space. The French root of the word “sovereignty” means “independence”. Originally, the term was primarily used to refer to the independence and self-determination of states. A sovereign state possesses the power to make its own laws and define its form of government. In the digital environment, however, the concept is not as simple to define and delimit. The independence of cyberspace itself means that governments have hardly any authority in this ecosystem. As a result, digital globalisation was able to occur practically unimpeded. Boundaries and laws were ignored, and influential Internet entities were able to establish their own rules – some of them have even been categorised as “fully digitalised nations”. The Snowden affair surrounding the mass eavesdropping by the NSA that broke in 2013 clearly revealed the risks attached to the lack of control in the digital space. In 2015, the scandal involving Facebook and Cambridge Analytica shed light on the illegitimate use of personal data by multinational corporations. These major companies have demonstrated a rather half-hearted attitude towards confidentiality. The movement for digital sovereignty therefore now aims to take back a part of the power exerted within the digital space. At the European level in particular, digital autonomy has become an important keyword and concept in the meantime. The goal is to develop independent solutions – especially in the cloud – to ensure proper handling of sensitive data.
2. Why is digital sovereignty important?
The question of security in the cloud is no longer the only issue today. What businesses really want is direct control over their data. The pandemic has further increased companies’ dependence on transnational cloud solutions, and it is therefore more important than ever for them to achieve digital independence in order to maintain control over their own data and those of their customers. For the global hyperscalers are subject to regulations that can run contrary to the strategic interests of the enterprises making use of them – and in the worst case, cause them to violate local laws. The often-cited CLOUD Act, for example, allows the US government to access data hosted by domestic companies even if their servers are located outside the United States. As a result, the confidentiality of these data is by no means guaranteed. In light of the fact that more than 90% of the data produced in the Western world are hosted in the USA, such laws represent a threat to the interests of businesses. Digital sovereignty also applies to individuals, however; here the primary focus lies on the protection of privacy. This is particularly important when the data entrusted to providers is sensitive – for example, bank details or health information.
3. How can we help users reclaim their digital sovereignty?
In order to attain digital sovereignty, key technologies and competencies must be mastered. This primarily means escaping the dependence on manufacturers and the associated state of vendor lock-in. An individual person or enterprise cannot accomplish much in this regard, however. Rather, states need to bring the topic back into focus and establish the necessary framework conditions. If we can regulate the movement of persons, goods, services, and capital in the single market today, we must also be capable of regulating the movement of data. This includes the creation of dedicated routes of transport and storage locations that guarantee confidential and secure transfer and processing of our data.
4. Who can help to re-establish digital sovereignty?
Politics and economics need to cooperate more closely in order to create the necessary conditions. Innovation and opportunities for technological development must be promoted and suitable legal frameworks established. We are not alone in our demand for digital sovereignty, and Switzerland certainly has no interest in disconnecting itself from the global web. But stronger collaboration with other countries and interest groups like Gaia-X would certainly help to lay the foundations for the desired developments. There is sadly still a lack of will to follow this path in Switzerland, however.
5. What other trends concerning data and their use in the cloud are currently visible?
The dependence on the worldwide technology infrastructure and especially on the public cloud is raising the question whether it is wise to continue the trends and behaviours of the past decade unreflected. Just imagine one or several of the transatlantic data cables falling subject to the type of attack we recently witnessed with regard to the Nord Stream pipeline. Many companies want to reduce their dependence and are therefore considering abandoning their “Cloud First” approaches in favour of returning to hybrid strategies – but not with the purpose of maintaining legacy systems that are difficult to transfer into the cloud anyway. Rather, the goal is now to ensure that the value of the most important data remains within the company’s control. No differentiation is made between on-premise and off-premise solutions in this regard, however; joint data ecosystems are taken for granted these days. In future, the cloud will not consist exclusively of data centres operated by the major cloud providers as we previously thought. Instead, it will increasingly extend from these large sites to the clients’ own data centres, and even to their edge locations. We will be taking the concepts of the cloud – like its simplicity and scalability along with cloud-native development – and transfer them to edge computing. In this sense, most current organisations are not truly “hybrid”. Fully hybrid scenarios will require strategically important architecture decisions, and the distributed cloud is the new paradigm in this context. The difference lies not just in the question of the hosting location, however – instead, a number of skills as well as a new way of thinking and new operating models are required.
6. What is the significance of the EU project Gaia-X in this context, especially for Switzerland?
Gaia-X is a European initiative in which representatives from industry, politics, and science from Europe and all over the world are cooperating to create a federated and secure data infrastructure. The goal is for businesses and users to collect and exchange data in such a way as to retain control over them. They should be able to decide what happens with their data and where they are stored, maintaining data sovereignty at all times. By now, 350 companies and organisations including the ECB, the European Central Bank, have joined Gaia-X as members. There are various initiatives like the “Sovereign Cloud Stack” (SCS) with the intent of developing nothing short of a European cloud platform for companies and public authorities. We want to employ interoperable cloud services based exclusively on open-source technologies, thereby avoiding vendor lock-in. The various countries are integrated into Gaia-X as so-called Hubs, allowing them to introduce their national requirements and ensure they are met. From the perspective of Gaia-X, Switzerland would certainly be welcome anytime, but the federal government has not requested membership thus far. Meanwhile, the issue of digital sovereignty is being actively discussed, of course – on 1 November 2022, a panel with the advisory committee “Digital Switzerland” took place headed by Federal President Ignazio Cassis. The topic was digital sovereignty and how Switzerland can improve capabilities to act within the digital space. But it seems we will have to wait a while longer for the famous “Swiss Finish”.