For European enterprises that had high hopes GAIA-X would bring real added value in terms of data protection and digital sovereignty, the project’s current course is likely to be disappointing. The last few months have shown that when it comes to ensuring GAIA-X will deliver on its claims in these key areas, there is unfortunately little reason to put much faith in the main drivers of the project. It is uncertain whether decision-makers in politics and business will change their minds. In any case, there is plenty of reason for companies not to rely exclusively on GAIA-X as their digital saviour, but to become active themselves. There is plenty they can and should do within their own circles of influence.
Where does GAIA-X stand? – An interim conclusion
The GAIA-X project was launched with great expectations, and its initiators were not lacking in ambition in the run-up to the project. In the meantime, however, more has come to light about which members are involved. Only a few weeks ago, the stance of the German federal government, one of GAIA-X’s main drivers, on accepting members became public. Among supporters of the project, enthusiasm is steadily fading and being replaced by fast-spreading disillusionment. The developments over the last few months are particularly disconcerting for those companies that are looking for real data protection in accordance with applicable European law and digital sovereignty over their data. What has recently unfolded leaves little hope for the originally proclaimed goals of the project.
- Should the perspective of the German government expressed in its statement on GAIA-X persist or even be affirmed in the future, GAIA-X won’t be able to serve as a real remedy to the overturned Privacy Shield, despite all funding and ambitious intentions. The basic legal problem of US hyperscalers’ data handling has been deliberately ignored by German policymakers. This raises the question of how great the will at the political level actually is to effectively enforce their own legislation in the form of GDPR. Moreover, without genuine data protection, GAIA-X would additionally lose an important competitive advantage over the established US providers.
- The economic decision-makers on GAIA-X’s Board of Directors gave the green light to the membership of US company Palantir, which – despite all public pronouncements – has so far by no means distinguished itself through data protection or the protection of privacy.
So, who will ultimately ensure, or even guarantee, that GAIA-X creates a "digital ecosystem" in accordance with European data protection standards that is worthy of its name?
Challenges remain as hopes disappear: What can enterprises do in concrete terms for data protection and digital sovereignty?
Even if GAIA-X falls short of expectations, and at this juncture unfortunately it does indeed look like it will, the challenges for European enterprises will persist. They must therefore become active and make sure they retain or regain control of their data despite the pervasive trend of outsourcing and pushing data into the cloud as much as possible. This is paramount for them to be able to determine who gets access to and insight into their data, and to ensure unauthorised third parties are kept on the outside. This matters for real data protection and for compliance with GDPR, especially in international data transfers, in order to avoid possible fines. It is also in any enterprise’s own vested interest to protect its intellectual property – its data.
Among the top-rated cloud security concerns: data privacy and data sovereignty
Experience has shown that businesses urgently need more independence from providers and platforms for their work. It may be tempting to take advantage of all-inclusive packages from various providers. However, those that go down this path run the real risk of subsequently having to pay dearly for any potential savings as they enter into dependencies that cannot be easily reversed. Any subsequent effort to cut ties and move elsewhere is extremely cost- and labour-intensive. Any freedom that enterprises have given up can only be regained at a very high price. For this reason, every business must think carefully before surrendering any of its own sovereignty to third parties. They need to be aware of the implications of relying on external providers to carry out their own work and operations. They should retain control of their own data wherever and whenever possible.
GAIA-X or not, enterprises should therefore conduct a risk assessment:
- Where is company data stored and processed? Are there data flows, possibly via third-party providers, that could result in data protection breaches and incur penalty fees? Is there sufficient control over proprietary intellectual property and is it effectively protected?
- What can be run on premises and thus controlled by the enterprise itself – and what may be impractical or too expensive to run that way?
- Who do you trust with your data and which controlling mechanisms are you willing to pass on to someone else? The trend is clearly to move towards the cloud – and US providers are leading the way. However, to put it simply: The cloud is ultimately just someone else's server. Enterprises need to be aware of this fact and therefore carefully contemplate their options.
- Is the software they use effective and is it actually applied by the users? Can this create dependencies that may lead to a lock-in?
The degree to which enterprises become potential targets of third parties depends on the individual company as well as its business field. Protection needs must therefore be weighed with this in mind. Experience has clearly shown that using short-term price as the decisive measure for IT decisions is unfortunately still very common. All too often, this is to the detriment of security – and may indeed cost enterprises very dearly in the end. It is high time to seriously reconsider and revise this approach. Outside an enterprise’s own firewall, data is particularly at risk. To exchange data securely, companies need a secure communication solution, both for compliance with GDPR and for the protection of intellectual property; it also makes financial sense.
Enterprises that highly value data protection and data control currently seem to have no choice but to run as much on premises as they can reasonably handle. This option is particularly important to consider when purchasing business critical IT solutions; after all, businesses must be able to equip themselves with solutions perfectly tailored to their individual requirements and wishes. This way, they oversee their decision-making processes and they can most effectively determine:
- Where their data is stored
- What happens to it
- Who has access to it
Ultimately, the further design of GAIA-X’s implementation will determine whether the project will go beyond a mere declaration of intent and really deliver data protection according to European standards. GAIA-X presents an alternative, but time will tell if it will be more attractive or secure and offer enterprises real added value. GAIA-X’s offerings will only be accepted in the long term if businesses really benefit from the project with improved compliance, high levels of security and a fair price. Only if it successfully moves European enterprises forward to a new level of competitive readiness will GAIA-X itself become a success story.
In view of recent developments, however, doubts are warranted. It is certainly possible that the GAIA-X project will bear fruit in a few years, having served as an incubator for more European service providers in software and hardware. It would also be desirable if GAIA-X uses its potential as a platform to realise future opportunities for AI or quantum computing. However, European enterprises don’t have time to wait or hope for a change of course for GAIA-X; their current challenges need to be overcome now. They should therefore take action themselves to ensure that they are in charge and can decide what happens to their data.