THE CLOUD UNDER FOREIGN DOMINATION? 

The Cloud market has almost quadrupled since 2017; what was an emerging technology has become a must-have for businesses, a trend reinforced by the opportunities offered by artificial intelligence or the Internet of Things (IoT). Ultimately, this creates more and more data that must be processed and stored securely. The Cloud, because of the infrastructure and services it offers, is an essential lever for the development of these technologies. 

But the Cloud market is largely dominated by the big American players: Amazon with AWS, Microsoft with Azure, or Google with GCP - the hyperscalers - who share more than two thirds of the cake. 

European private companies, public institutions and consumers are increasingly using Cloud services and applications based directly or indirectly on these foreign players, thus creating a considerable technological dependency on these providers. 

ARE THE EUROPEAN REGULATIONS SUFFICIENTLY PROTECTIVE? 

The problem is that Europe and the US have adopted positions on data protection that are difficult to reconcile ! 

The European Union raised its shield in 2016 with the adoption of its General Data Protection Regulation (GDPR), with a simple objective: to protect the personal data of Europeans. 

Across the Atlantic, the approach is much more aggressive. The passing of the CLOUD Act in 2018, in addition to the FISA Act of 1978, has given the US administration a legal arsenal to get its hands on data stored in the data centres of US companies anywhere in the world. Faced with this threat, the protection afforded by GDPR is no longer sufficient, and the risk of mass or economic spying on our data is real. 

HOW CAN DIGITAL SOVEREIGNTY IN EUROPE BE REGAINED ? 

The European Union has understood the challenges inherent in this risk. The invalidation of the Privacy Shield[1]by the European Union's Court of Justice in 2020 completes the legal boundary separating the two areas of influence. 

At national level, the ban on the use of American Microsoft technologies for hosting the Health Data Hub[2]?and the formal notice issued by the CNIL to three French companies for using Google Analytics perfectly reflect Europe's concern about American market domination. 

A decade ago, France and other European countries had already tried their hand at the "sovereign" Cloud exercise with the Andromeda project, which launched several national initiatives such as Numergy and CloudWatt, but these did not last. 

A new response has been attempted since June 2020 with the European GAIA-X project, launched jointly by France and Germany, and in which many European states are now participating. 

WHAT IS GAIA-X? 

In September 2020, in her first State of the Union address, Ursula Van der Leyen, President of the European Commission, mentions GAIA-X as the project on which the EU's data strategy should be built. 

GAIA-X's ambition is not to create an "Airbus of the Cloud" but to develop a data ecosystem based on the values of openness, transparency and security that will encourage cooperation between the parties involved. 

The aim is therefore to build a trusted Cloud for companies and institutions in order to restore the digital sovereignty of our data and, consequently, of our countries. 

WHAT ARE ITS FOUNDING PRINCIPLES ? 

Two main principles underlie the GAIA-X architecture: the service catalogue and the data space. 

The service catalogue will precisely define the Cloud offerings that will comply with the GAIA-X transparency and compliance principles: each service provider will describe its offerings in this catalogue according to a digital format (framework) validated by the GAIA-X federation. 

Consumers will therefore be able to choose the service best suited to their needs and their level of control over the data processed in complete transparency. 

Data Spaces will offer the possibility for stakeholders to share their data while retaining full ownership. Here too, a portal will be set up to enable the data provider to retain full control over its use (price, duration of validity, etc.). 

Like a mosaic, each shared block of data will encourage the emergence of projects with high added value that will benefit all contributors. 

WHERE DO WE STAND TODAY? 

The GAIA-X service catalogue and architecture principles are published, the first data spaces are under construction, and many European and non-European companies are joining and participating in the construction of GAIA-X. 

The project as it is currently proposed seems, however, to have moved away from the initial intention of favouring European cloud offerings: the leaders of the American and Chinese markets (Alibaba, Amazon, Google, Microsoft) have joined the project and are actively participating in the working groups with a significant strike force. It is difficult not to include these players, as their place in the companies is so important, but this raises questions about the real European sovereignty of the project. It should be noted, however, that only Europeans are decision-makers in the association that is steering this project, the GAIA-X AISBL association. 

AND WHERE IS CREDIT AGRICOLE IN ALL THIS? 

Along with other French banks, Crédit Agricole is a "first day member" of GAIA-X and participates in certain working groups of the "finance" vertical to bring the voice of our businesses to this project. The banking sector is an area that is conducive to the development of trusted Cloud solutions, and issues such as customer authentication, digital data safes and credit risk management can find new and innovative answers in the creation of Cloud services validated at a European level or in a shared data space. 

GAIA-X can also be a booster for data sharing between companies in complementary sectors, such as insurers and car manufacturers, with easier access to data from connected cars in the future, secure sharing for both companies and end customers. 

In the agricultural sector, an initiative bringing together several parties aims to operate a pooled and sovereign data consent and exchange infrastructure dedicated to the agricultural sector, with the capacity to develop new AI algorithms for example.???   

Conclusion

Although criticised by some, GAIA-X appears to be a founding project for the emergence of a new European sovereignty over Cloud computing. It must be acknowledged that it will be very difficult for European companies to reach the level of American or Chinese hyperscalers in terms of infrastructures and platform services at a global level, but by positioning itself in the field of data and local Cloud infrastructures, by specifying the conditions of their security, traceability and therefore data sovereignty at a European level, GAIA-X can enable us to regain control over what is already considered to be the black gold of the coming decades: data. 

In this context, the catalogue of services and data-spaces will probably be a growth vector for industry and research. The first services are expected to be launched during 2022. They will allow us to assess the viability of the project in order to respond to the problem of a free and independent Europe from this point of view. 

[1]?Privacy Shield (2016) :? Agreement for the protection of EU citizens' data that are stored and processed by US-based companies after being transferred there. 

[2]?https://www.cnil.fr/fr/le-conseil-detat-demande-au-health-data-hub-des-garanties-supplementaires