China has long required that cloud infrastructure be hosted in China by local companies. In fact, China’s Cybersecurity Law mandates that certain data be stored on local servers or undergo a security assessment before it’s exported. A Personal Information Protection law, which is still in draft form, goes a step further by stating that China’s data rules can be enforced anywhere in the world if the data at issue describes Chinese citizens. This law would also create a blacklist prohibiting foreign entities from receiving personal data from China.
Now the United States is beginning to advance its own version of digital sovereignty. Secretary of State Mike Pompeo’s Clean Network Initiative would prohibit Chinese cloud companies from storing and processing data on US citizens and businesses. And while the Biden administration will likely roll back many actions taken under President Trump, the prospect of compelling ByteDance to sell TikTok to Oracle or run its US operations through a local partner remains on the table. This could set a dangerous precedent: the US government would be mirroring and legitimizing China’s cloud regulations, which require foreign providers to enter the market only through joint ventures with Chinese companies that own majority shares.
And in South Africa, a 2018 guideline from the South African Reserve Bank set up an approval mechanism for institutions seeking to use cloud computing, indicating that bank supervisors would “not be agreeable” if data were stored in a way that might inhibit their access to it.
If some variation of the TikTok/Oracle deal becomes the norm, it will set the stage for more governments to demand that technology providers sell a stake to a local entity, or operate through one, in exchange for market access.
Advocates of this approach argue that some degree of data sovereignty is inevitable. They say that the global internet still functions in the face of these rules, and companies continue to profit and innovate. But the fact that some companies continue to prosper under these conditions is not a persuasive argument for imposing them in the first place.
A global cloud
The trend toward digital sovereignty has unleashed a digital arms race that slows down innovation and offers no meaningful benefit to customers.
Companies like Amazon and Microsoft may well be able to afford to keep expanding their cloud computing platforms into new countries, but they are the exception. Thousands of smaller companies that provide cloud services on top of these platforms don’t have the financial or technological wherewithal to make their products available in every data center.
In Europe, for example, the GAIA-X project may only strengthen the large incumbents. And in China, the vast majority of foreign software providers have decided not to make their cloud services available there because the hurdles are too formidable. This does both Chinese customers and foreign technology providers a disservice. It also unwinds all the economic and security advantages of a global cloud.
What’s needed is for different countries to collaborate on common standards, agreeing to a set of core principles for the cloud and norms for government access to data stored there.
The OECD, for example, could do this by building on its existing privacy guidelines. The OECD’s Global Partnership on AI is one example of an initiative in a related technology area that brings together many stakeholders to develop policy.
As a starting point, the coalition could focus on a narrow subset of commercial data flows and corresponding use cases (such as those involving internal company personnel information, or cross-border contracts). Recognizing the concerns behind the drive for digital sovereignty—which may include political security, national security, and economic competitiveness—could help lay the groundwork for such an agreement. One approach might be to offer incentives for those companies that participate in such a coalition, but without blocking data flows to those that do not.