Journal article Open Access
Luca BOLOGNINI; Enrico PELINO
The race to create local cloud solutions has become a constant in the digital development programs of member States. Italy is promoting the establishment of the so-called "national cloud", and Germany and France have been working for some time on the Gaia-X project. At European level, the development of cloud computing is taking on a strategic role, at least for the immediate future. The declared objective is to free us from solutions that today are almost entirely dependent on infrastructures made available by international providers. Contributing to the debate, more by superimposition than composition, are broadly geopolitical motivations, aspirations to global technological predominance, and concerns about the protection of personal data from third-party interference due to the extraterritorial application of foreign legislation. The recent "Schrems II" ruling by the Court of Justice of the European Union, and previously, but with less impact on the broader public, the results of the joint EDPB (European Data Protection Board)-EDPS (European Data Protection Supervisor) study on the United States' Cloud Act, have forced the question of the international acquisition of personal data flows (and non-personal, we may add) and the associated assurances.
This paper intends to offer an analysis of the subject, aimed above all at unravelling the multiple levels of the questions raised, which touch not only on legal but also on political matters, and at giving an initial, reasoned census of the various bodies of applicable law. Above and beyond hard-hitting declarations, we need to determine to what extent the independence of a local European cloud from non-EU providers is effectively possible or desirable and, in more concrete terms, to what extent an autonomous solution is economically and technically practicable for services that are essential for the States and that enable individuals to exercise other fundamental rights and freedoms, and which therefore must not be susceptible to impairment or interruption. We also have to understand to what extent it would be opportune in terms of security, even if this, at first glance, may seem counter-intuitive. In this sense, at least in the overall assessment, we have to consider the high levels of service stability and the existence of high-tech measures to counter cybercrime that the major international providers can ensure, levels it would be inadvisable to forgo if it were possible to keep the benefits while significantly reducing the associated risks. Indeed, the protection of processed data from external interference must also be measured on a level that is different from that of any potential "extraterritorial" threat but nonetheless significant, namely that represented by criminal activity and security breaches. Another factor that must be considered is the availability of solutions that are already a reality and "in the hands" of users, and which offer immediate protection, such as encryption or the segregation of strategic data sets. In other words, if there are possible measures that significantly reduce the extraterritorial risk and that retain the advantages in terms of countering cybercrime, these must be duly included in the overall assessment.
Our analysis will also shed light on inconsistencies in terms of data protection within the European Union, and misalignments between national efforts toward localization and the principle of the free circulation of data. In short, we intend to offer a more articulate, less obvious outline of the subjects we are dealing with, which cannot be reduced (if not at the cost of excessive simplification) to the simple contraposition of EU versus non-EU, but which reveal lateral synergies and joint misalignments on fronts apparently united; rather, it would be better to think in terms of the creation of a shared ecosystem that draws the most significant advantage from the solutions available today and acknowledges the need to adopt concrete forms of protection. This does not in any way mean evading the serious, but not immediately solvable, extraterritorial questions, but preferably using them, if anything, as a mechanism for obtaining a critical reconsideration of the shortcomings and lack of legal harmonization that emerge even within the European Union. Nor does it mean embarking on a path toward domestic solutions that offer little, or at least less, protection than those currently available, but instead maintaining high levels of protection against unlawful activity through more advanced technological solutions, and at the same time identifying legal instruments which assure greater national control of the infrastructures and data, and reduce risk to a legally acceptable level.