This rise of the splinternet? Knowledge sovereignty dangers and responses
When US president Trump carried out sanctions towards the Worldwide Prison Court docket (ICC) in February 2025, it wasn’t lengthy earlier than ICC chief prosecutor Karim Khan discovered himself locked out of his Microsoft 365 e-mail account.
This despatched digital sovereignty-shaped shock waves throughout Europe and raised fears that US cloud hyperscalers may wield a “kill change” towards clients that fall foul of US political imperatives. Many noticed it as one other instance of the US’s “America First” insurance policies hitting house, this time within the digital area and towards an organisation’s important data infrastructure.
For the ICC, it pushed the organisation emigrate to German provider ZenDiS’s openDesk, which offers workplace productiveness instruments primarily based on open supply, GDPR-compliant know-how.
For a lot of others within the UK and Europe, it pushed the query of digital sovereignty to the fore. In response to the ICC-Microsoft affair, for instance, Dutch lawmakers petitioned their authorities to maneuver to 30% Dutch or European cloud providers by 2029.
On this article, we take a look at information sovereignty by way of the dangers – political, authorized and financial – with particular reference to the huge penetration of US hyperscalers within the UK and European markets. We additionally hear from voices involved about US hyperscaler penetration into the general public sector, important providers and the cloud economic system, and reveal huge penetration of the UK public sector by the hyperscalers.
That is the primary article in a collection, with the subsequent trying extra deeply at campaigner considerations and state-level responses round information sovereignty.
What’s information/digital sovereignty?
To debate information sovereignty in any respect, we have to arrive at a working definition or a set of definitions. The thought of knowledge sovereignty comes from the broader political notion of sovereignty as utilized to states, the place it means the solely held energy to control a rustic.
In terms of information, we will lengthen that concept to imply full management over information and functions to present us an idea of knowledge sovereignty or digital sovereignty. That would apply to enterprises and their must retain information in particular jurisdictions to fulfill authorized and regulatory necessities.
What are the dangers to nation states round information sovereignty?
The dangers to nation states round information sovereignty fall below three primary classes:
- Dangers of political interference from overseas states;
- Authorized interference when the legal guidelines of 1 state have an effect on information held in one other;
- Problems with financial sovereignty, the place the diploma of overseas firm management over information in an economic system is taken into account a danger.
The political danger and the hyperscaler ‘kill change’
The ICC-Microsoft affair reveals that information sovereignty isn’t simply theoretical. It’s a reside danger, says Liberal Democrat spokesperson for science, innovation and know-how, Tim Clement-Jones.
“If you happen to see that sort of danger, the place a hyperscaler like Microsoft could be pressured to withdraw a service, you must take a look at the truth that we’re so closely embedded – we’ve acquired Microsoft, AWS and Google throughout authorities,” he says. “The place are the choice UK suppliers?”
US president Trump and his unpredictable and/or focused decision-making have been a serious driver round information sovereignty, not least as a result of a lot cloud functionality deployed throughout the globe is US-owned, specifically by the three primary hyperscalers – AWS, Microsoft and Google Cloud.
The authorized danger and ‘jurisdictional overreach’
Then there are considerations round authorized interference. That is the place the legal guidelines of 1 nation apply to information held in techniques which will even be topic to the legal guidelines of one other. That is known as “jurisdictional overreach”.
Dangers of that sort round information sovereignty are exemplified by the US Cloud Act and Chinese language Nationwide Intelligence Legislation (NIL), which each create conditions the place the legal guidelines of 1 nation immediately battle with the legal guidelines of one other, the place the info is protected.
The US Clarifying Lawful Abroad Use of Knowledge (Cloud) Act was handed in 2018, and empowers US legislation enforcement businesses to compel US-based know-how firms to offer information to them, wherever that information is saved, inside or outdoors the US. That requirement immediately impacts privateness legal guidelines elsewhere, such because the EU’s GDPR, which prohibits switch of knowledge to a 3rd nation.
In the meantime, the Chinese language NIL mandates help and cooperation with Chinese language state intelligence work and might apply to Chinese language firms and residents wherever they’re. Just like the US Cloud Act, GDPR makes it unimaginable to adjust to this in Europe as a result of the NIL would possibly require an organization handy over information on clients in Europe, once more contravening switch of knowledge abroad.
The financial danger: turning into a ‘digital colony’
There’s some extent the place worries about overseas political interference and information sovereignty develop into entwined with problems with financial sovereignty. The priority is that UK and European states don’t have the homegrown capability to supply cloud and software program providers because the US giants do, and that could be a danger to the financial wellbeing of these nations.
Axel Voss, German Christian Democrat MEP within the European Parliament, is a eager advocate of constructing elevated European financial sovereignty within the digital realm, saying that he believes Europe dangers turning into a digital colony of the US or China.
“It reveals up when Europe’s day by day digital life and more and more our vital infrastructure runs on non-European {hardware}, software program, cloud providers and platforms,” says Voss. “Which means the subsequent technological wave could be formed by actors who don’t share our values or requirements. That creates systemic dangers for prosperity, privateness and safety, and it could go away Europeans feeling that democratic establishments have ‘misplaced management’ over the digital surroundings.
“The most important dangers are strategic lock-in and unilateral dependencies. If core collaboration instruments, id, storage, cloud and AI are managed elsewhere, Europe’s administrations and corporations lose actual freedom of alternative and bargaining energy.”
That dependency can generally come to mild in stunning methods. Final 12 months, it was revealed that Scottish police forces that use Microsoft 365 don’t know what nation their information could also be saved in – and Microsoft wouldn’t inform them.
Clement-Jones says: “Their information could be held everywhere in the world in any datacentre run by Microsoft. The very first thing that comes into my thoughts is actually, that’s loopy. How can they try this? How do they justify that? Absolutely an organisation just like the police power goes to demand bodily sovereignty.”
The size of hyperscaler penetration: the UK public sector
US hyperscale cloud suppliers have near-universal penetration throughout the UK public sector and account for almost all of know-how spending. Within the monetary 12 months 2023/2024, 95% of central and native public sector organisations within the UK spent funds on hyperscale cloud providers. When software program providers that run on hyperscale cloud – akin to software program as a service (SaaS) – are included, that share rises to 99%.
That is the case for greater than 1,100 public sector our bodies, together with authorities departments, councils, police forces and NHS organisations, in keeping with information that comes from analyst Tussell. The general public sector procurement specialist publishes its Tech Titans listing yearly of the highest 150 tech suppliers by spend acquired from the UK public sector, and breaks that down by division. Within the monetary 12 months 2023/24, these firms have been paid round £17.7bn of public sector funds, which was 84% of whole spend.
Within the information, it’s doable to determine an precise hyperscaler in just one case – AWS is current below its personal title. However for essentially the most half, cloud provision comes by way of resellers of the three key US-owned public clouds, AWS, Microsoft Azure and Google Cloud, with Oracle and IBM additionally counted as hyperscalers for this evaluation. Distinguished cloud resellers to the UK public sector are Bytes, Capgemini and Softcat, however the listing extends to round 30 such suppliers.
It’s also doable to confirm suppliers as resellers of hyperscaler cloud provision as a result of they publish details about their accreditations, akin to AWS Premier Tier Companies Accomplice, Azure Professional Managed Service Supplier, or Google Cloud Premier Accomplice. That’s not to say that they’re solely suppliers of cloud connectivity, as they typically present consultancy too.
Out of the £17.7bn whole Tech Titans spend, greater than half – 55% or £9.9bn – was spent on hyperscale cloud both immediately or by way of cloud resellers in monetary 12 months (FY) 2023/2024. Past direct or reseller provision of hyperscale cloud connectivity, suppliers that supply providers that use hyperscale cloud – e.g. SaaS – may also be recognized, or at the least dominated out as suppliers of cloud connectivity. Including these to direct hyperscale and cloud resellers, they accounted for 86% of whole Tech Titans spend, with £15.3bn going their means.
Out of twenty-two authorities departments within the information, 21 spent funds on hyperscale cloud in some kind in that 12 months, with 13 of them spending 50% or extra of their tech funds on hyperscale cloud immediately or by way of cloud resellers.
The highest 5 public sector spenders on hyperscale cloud have been: Ministry of Defence (£1.09bn), HM Income & Customs (£1.01bn), the Residence Workplace (£775m), Division for Work and Pensions (£622m), and NHS England (£442m).
Out of 64 police forces and different police businesses within the information, 55 spent funds on hyperscale cloud, which rose to 59 if providers that use hyperscale cloud have been included. The Metropolitan Police spent £354m on hyperscale cloud.
Out of 271 NHS organisations within the information, 270 spent funds on hyperscale cloud in 2023/24.
Conclusion: UK digital infrastructure depending on overseas tech
The Tussell/Pc Weekly information highlights how deeply embedded US cloud infrastructure has develop into throughout the UK public sector – a actuality that complicates efforts by European policymakers to advertise “sovereign cloud” options.
When almost each authorities division and myriad native and different businesses depends on a handful of offshore entities, the road between equipped providers and nationwide sovereignty blurs. As among the campaigners we spoke to warn, the chance is now not nearly the place information sits, however whether or not a nation state has full management – sovereignty – over its personal vital features.
To right this case doubtlessly requires a radical shift in technique. Within the subsequent function on this collection, we take a look at how governments and campaigners within the UK and Europe have responded.
