Governments are erecting borders for data

SOMEWHERE DEEP in the bowels of Microsoft’s campus in Redmond near Seattle, a jumble of more than 100 buildings, there is a special kind of room. The size of a school gym, its walls are covered with big screens. One shows the “health” of the firm’s cloud-computing services, collectively called Azure. Another displays people’s “sentiment” about the system, as expressed on social media. A third one, a large map of the world, tells visitors how many “denial-of-service” (DOS) attacks, which amount to flooding a customer’s online presence with bits to shut it down, are currently being dealt with. The counters on this Thursday morning in early December show 80 in Asia, 171 in Europe and 425 in the Americas.

It would be fair to assume that the room is a NOC, a “network operations centre”, to manage Azure. But nothing gets controlled here; that happens elsewhere. Instead, the room, called the Cloud Collaboration Centre (CCC), serves two other purposes. One is, in the words of Anja Ziegler, who manages the location, to “put a face on the cloud”—giving customers an idea what Azure and the mirror worlds it powers are about. But more important, the room serves as a place for Microsoft employees to discuss how to reshape the cloud in response to legal changes in the data economy.

One of the first projects to be tackled in the CCC was how to make Azure compatible with the General Data Protection Regulation (GDPR), the EU’s tough privacy law that went into effect in 2018. The room has only become busier since: privacy and other data-related legislation is multiplying around the world. Sometimes virtual borders need to be erected, so that data do not leave or enter a certain country. Or a new data centre needs to be built to give the digital stuff a local home. If this trend holds, Microsoft may soon have to upgrade the CCC’s world map—to show the planet’s many different data zones, rather than just DOS attacks.

The CCC is thus a place where another tension of the data economy is playing out. Data were supposed to float freely around the world to where they are most efficiently crunched. But flows are increasingly blocked by governments which seek to protect their country’s people, sovereignty and economy. And these first rustlings of digital protectionism, predicts Ian Hogarth, a noted British entrepreneur and writer, could turn into fully fledged “AI nationalism”, as countries go beyond just defending their data assets and try to build a data economy of their own.

Just as with the internet itself, there were not supposed to be any trade-offs in the cloud. The “cosmopolitan ideal” was that the free flow of data would make the world if not a better place, at least a more efficient one, observes Andrew Woods of the University of Arizona, who is writing a book about data sovereignty. It would allow digital stuff to end up in data centres located in places near many users, with lots of connectivity and where land and energy are cheap and the air cool and dry. (Cloud data centres can be several football fields large and consume huge amounts of energy, about half of which is used for cooling.)

Whose cosmopolitan ideal?

In practice this has meant that the biggest clouds have risen over America, which so far has set the rules of the data economy. It not only boasts the biggest and most innovative tech companies, but plenty of potential customers, fibre-optic cables, cheap power and land to build cavernous data centres. To get an impression of the concentration of computing power in America, one need only drive a few hours east of Microsoft’s campus to Quincy, Washington, a town with a population of not even 8,000. This is home to two dozen large data centres, many operated by Microsoft.

As long as computing clouds were small, this uneven distribution did not matter much. But, starting with the intelligence leaks by the American security expert Edward Snowden in 2013 which revealed widespread snooping by America’s spy agencies, governments have begun to understand the importance of this global infrastructure—and, by extension, the data economy. Citizens’ privacy is not the only worry. Data may also reveal things about a country’s defences. If digital evidence is stored abroad, law enforcement might be inhibited. Data should be kept close, some governments think, lest other countries benefit from them.

As a result, in recent years virtual borders have been going up in the digital cloud. The GDPR allows personal data to leave the EU only if firms have appropriate safeguards in place or if the destination country has “an adequate level of protection”. India blocks payment information from leaving the country and may soon require that certain types of personal data never leave the country. Russia requires that data be processed and stored on servers within its territory. China blocks most international data flows. And the EU is discussing creation of a single market in data, like the one it already has for goods.

These growing and unco-ordinated efforts to regain data sovereignty have already triggered debates at the highest level of international diplomacy. In July the G20, a group of 20 developing and rich countries, launched the “Osaka Track”, named after the Japanese city where the decision was taken. The idea, which Abe Shinzo, Japan’s prime minister, floated early last year is to come up with some global rules for “data governance”, guided by the rather fuzzy concept of “free flow of data with trust”.

It is still unclear where all this will lead. What will the world map in Microsoft’s cloud centre look like a decade hence? Will it resemble today’s global maps, showing as many data zones as there are countries? Or will it display a few digital trade zones (known as “data spheres”) or something completely different?

The need to export data from the EU has pushed some to stricter data-protection rules

The first possibility is rather unlikely. To prevent all data from flowing, countries would essentially have to cut their connection to the internet: it would be the only way to ensure that data really stays put. Russia may be willing to accept the huge economic costs of such a digital secession. But most countries will probably shy away from the drawbacks of even less draconian measures. An overly protectionist country could see cloud-computing providers refuse to serve their market because it is too small. Building a domestic cloud is both tricky and expensive.

The second scenario is far more likely. In fact, this is already happening. Coalitions for different types of data have begun to form. The GDPR’s adequacy requirement effectively created one: the need to export personal data from the EU pushed a dozen countries, including America and Japan, to agree to strict data-protection rules. America has started a similar club with the Cloud Act, a bill passed in 2018 to allow the government to negotiate reciprocity agreements with other countries. If these allow American law enforcement to access data stored in partner territory more rapidly than is possible today, agencies in those countries can get easier reciprocal access, too. Britain has already signed such an agreement; the EU is expected to do so soon.

Although the Osaka Track talks are meant to come up with global rules, they could end up creating another data coalition. The initiative started life as a proposal by the Japanese government to form an alliance with America and the EU to promote the free flow of data between members and to limit access by countries which indulge in data protectionism, notably China. If that is still the agenda, it could push China and others to create their own data club, warns Justin Sherman of New America, a think-tank. In an early sign of what this may mean, India and a few other developing countries have refused to sign up to the Osaka Track.

The third possible future of the global data sphere is again less likely, but the most intriguing. Somewhat unexpectedly, it is rooted in Germany and comes by the name of GAIA-X, referring to the goddess of Earth in Greek mythology, with the X being a placeholder for future specialisation (GAIA-Health, GAIA-Mobility). Rightly feeling that the country is behind in cloud computing and risks losing control of its data economy, the German government first considered building something like an “Airbus Cloud”, like a repeat of Europe’s successful aeroplane consortium. Realising that this would probably fail, however, the government has settled on another approach. It hopes to assemble what the Federal Ministry for Economic Affairs calls a “federated data infrastructure”, essentially a club of clouds whose members have to comply with a set of rules and standards.

The main aim is still one of industrial policy: seeding the formation of an “über-cloud”, a legal-cum-software layer that would insulate German firms and government agencies from the power of big foreign clouds by minimising “lock-in”. Although details have yet to be worked out, it would probably allow firms to move data and computing workloads between rival clouds more easily. GAIA-X could be a tool to implement granular national data policy, instead of resorting to crude digital protectionism. It could help solve the problem of American or Chinese firms dominating the global data infrastructure. The project also includes an initiative called “International Data Spaces” to make data-sharing between firms and across borders easier.

Yet it is not clear how the German government intends to will this über-cloud into existence, says Stefan Heumann of the Stiftung Neue Verantwortung, a think-tank in Berlin—nor how it does not end up being a lowest common denominator or held up by lengthy negotiations. The plan is to have a “proof of concept” ready by the second quarter of this year, but don’t hold your breath.

Still, the idea may gain momentum. The German government intends to push the concept when it takes over the presidency of the European Council later this year. France has already signalled support; other countries are expected to join. And some 100 firms and organisations have already joined the effort, including the big cloud providers. The only notable exception, until recently, had been Microsoft. This was a surprise: Azure is the most compatible with Germany’s vision. Whether because it has always had many governments as customers or the fact that it does not make money by hoarding data, from the start Microsoft has built its cloud for a world with a data space fragmented along national lines.

If the vision of GAIA-X comes to pass, how will Microsoft display this on the screens of its CCC? Rather than showing a few data “blocs” in bright colours—China red, America blue, for instance, as during the cold war—it may need lots of shades and other graphic tricks to represent the new diversity of the data world.■

Correction (February 24th 2020): Quincy is a few hours east of Microsoft’s campus, not a few hours west as we originally wrote.