Sovereign washing in the context of public cloud services

The geopolitical turmoil of recent years, trade nationalism, and all manner of security concerns have driven demand for digital sovereignty solutions, and the market growth for sovereign cloud services has been exponential, with enterprises trying to safeguard their valuable customer data.

However, while most cloud computing providers offering these sovereign solutions are based in the US, it is European companies that are demanding these types of solutions. European organisations are among the most respectful of data privacy on earth, with legislation designed to protect consumer data against powerful, profit-driven multinationals, particularly in specific industry sectors such as healthcare and life sciences.

As a result, a new term has been coined: “sovereign washing”.

Demand for digital transformation projects including local access to GenAI solutions is growing. The public cloud has helped businesses improve their performance and has many benefits. But in these uncertain times, special care must be taken when it comes to sensitive data.

Like in other instances of “washing”, the term is used to describe the way many large tech companies promote their offerings as “sovereign cloud”, “digital sovereignty”, and so on for marketing purposes when in fact, they are not actually fulfilling demands regarding true data control and security. The use of terms such as “local”, “sovereign”, “compliance”, and “national” are used as throwaway lines in PR collateral, but they have no real meaning.

The sovereign washing trend

The trend of sovereign washing became most apparent when Anton Carniaux, Microsoft France’s director of public and legal affairs, declared under oath during a French Senate inquiry into the role of public procurement in promoting digital sovereignty, that he could not guarantee that French citizen data would never be transmitted to US authorities without explicit French authorisation.

It then became apparent that US legislation, specifically the US Cloud Act, means that companies headquartered in the US can be made to hand over data to the US authorities regardless of where the data is stored.

When US based hyperscalers such as Microsoft Azure, AWS and Google Cloud claim to offer digital sovereignty solutions, their services remain subject to US law. Sometimes, these companies partner with local companies to try to find a compromise. The term emphasises the growing importance of undertaking due diligence when it comes to claims of “digital sovereignty” solutions to find out whether companies are truly committed to the principles of data autonomy and control.