The GAFAM Cloud Risks: Why Consumers need European Alternatives

The cloud has become the essential way to do almost everything these days, whether online, on the move or at our desks. For the uninitiated, it can sometimes be hard to tell when we are actually using a cloud; from the more visible cloud use cases such as online storage, backup or email, to the less visible cloud services that power the likes of Facebook, Instagram, or Office applications, the cloud is ubiquitous. An outage in Microsoft’s cloud earlier this year affected users and businesses around the world – except in China – who rely on the company’s Teams and Outlook applications. 

However, it is notable that the cloud industry is currently dominated by a select few companies from a single country. The majority of the clouds we use today are provided by the five so-called GAFAM companies: Google, Amazon, Meta (formerly Facebook), Apple and Microsoft. Although it is a competitive space, these companies are prioritizing the use of their own cloud services in various ways and utilizing their competitive advantages. For example, Google, Microsoft, and Apple integrate their own clouds directly into their operating systems, making it more difficult for users to choose an alternative.

Who does the data belong to?

A significant challenge is the persisting mismatch between the U.S. privacy standards and those of the European Union (EU). When you use a cloud service, you are effectively storing your data on servers that are located somewhere else – possibly in another country, or even on another continent. Often this data is very personal: photos and videos of our loved ones, all of a company’s intellectual property, our thoughts and desires, our creative endeavors, and so on. Think of it this way: if the Internet died tomorrow, where in the world would your data be and who would own it?

The risks posed by a market dominated by a handful of US companies under a relatively weak regulatory framework have not gone unnoticed by regulators in the EU and the UK. For example, Ofcom, the UK’s communications regulator, announced in September 2022 that it would investigate the position of tech giants in the cloud services market. The authority recognized cloud as a critical component for the delivery of digital services and its central role in effective communication regulation. The proclaimed goal of Ofcom’s market study is to understand how the cloud market functions, and if it functions well for consumers. The EU’s recent data law is another step, with European regulators criticizing the existing options for moving data from one cloud service to another as far from ideal.

The continuing U.S. privacy deficit

While European users are theoretically protected by the EU’s General Data Protection Regulation (GDPR), once they upload their data to one of the U.S.-based cloud services, it falls under the jurisdiction of different data protection regimes. Storing personal data outside the jurisdiction of the GDPR, or its current UK equivalent, seriously undermines data protection.

U.S. federal law allows law enforcement agencies to request user data from U.S. companies, regardless of whether it is stored in the U.S. or not. The European user will receive no formal warning that a foreign authority can access their data without even giving a reason, let alone asking for their permission.

The EU Commission, the U.S. and UK governments are currently struggling to find a new solution for how companies can legally transfer personal data across European borders to the U.S. The former Privacy Shield mechanism was declared illegal by the European Court of Justice in 2020. The new Trans-Atlantic Data Privacy Framework (TADPF) now depends on the Executive Order (EO) issued by President Biden in October 2022.

This EO does impose some new restrictions on U.S. intelligence activities and offers EU citizens the possibility to appeal to the newly established Data Protection Review Court (DPRC) to investigate and resolve complaints about access to their data by US national security agencies. However, privacy advocates such as Max Schrem’s Nyob and the American Civil Liberties Union (ACLU) are not optimistic that this will somehow bridge the fundamental gap between the European and U.S. understanding of privacy. Even if the EU decides that the new terms meet the high standards of the GDPR, the framework is likely to be challenged and overturned by the courts once again.

In control of our data

It is clear that the cloud has a very bright future both as a consumer and business application. There is simply no other form of data storage that offers such flexibility and convenience. But as Internet users and businesses upload more and more of their most personal and sensitive data, the issue of data protection and security becomes even more important. Relying on the seemingly most convenient solution, unfortunately, is not the wisest choice for the users.

Consumers need European alternatives to what U.S. companies can offer. Changing habits might take time, but users need to be better informed about what really happens to their data when they share it with a U.S.-based cloud company. If the cost of convenience were made clearer, I believe they would be more inclined to choose European alternatives.

As CEO of 1&1 Mail & Media Applications SE, Jan Oetjen is responsible for the mail and portal business of United Internet AG with the leading brands GMX and WEB.DE, the marketer United Internet Media, and the international brand mail.com. He is also Chair of the Board of Trustees of the European netID Foundation, an independent body of the Internet industry that provides and develops the open netID login standard.