Inspiration blog - cloud sovereignty

Three legal keys to the kingdom of the cloud

When developing their cloud strategy, companies often immediately think of security. But one aspect that frequently flies under the radar is the legal framework within which cloud activities take place. “Wrongly so,” says Erik Valgaeren, partner at law firm Stibbe. He warns of the real risks posed by legal neglect and offers concrete compliance solutions.

Cloud sovereignty is a hot topic in this context. Everyone is talking about it, but often with their own interpretation. In light of 15 years of rCloud, we saw this as the perfect moment to bring clarity. That’s why we asked legal expert Erik Valgaeren to clearly position the various cloud models within the sovereignty landscape.

As a lawyer specializing in IT legislation, Erik Valgaeren knows how important it is to involve your legal team early on in shaping your cloud strategy. “Once you’ve signed a contract with an external cloud provider, it’s usually too late to implement the necessary compliance measures,” he says. “Yet despite the growing importance of IT legislation each year, many companies still fail to integrate this crucial parameter into their management dashboards.” Such neglect has consequences: fines for non-compliance, financial losses, and reputational damage in the event of an incident.

The sovereign cloud: a commercial solution to legal risk?

One possible solution to the growing compliance challenges is cloud sovereignty. A sovereign cloud is a cloud environment in which data is stored on local servers, in accordance with local legislation and protected against access by third parties. Because the sovereign cloud offers a high degree of control and autonomy, companies can better guarantee the sovereignty and security of their data. They decide who can access the data, who may use it, and where it is stored.

“Cloud sovereignty essentially comes down to the degree of control you have over your cloud,” Erik Valgaeren explains. “That, in turn, determines how much control you have over your data and the processes that handle that data. Think of it as a fortress built around your data. How strong is that fortress? To what extent is it invulnerable or impenetrable?”

Legal key 1: GDPR

In the cloud strategy outlined by the European Union, sovereignty and control stand alongside innovation and digital autonomy. “The regulations necessary to achieve those strategic goals are also a way to raise a shield and better protect our data and systems against, for instance, hyperscalers operating across borders,” Erik Valgaeren explains. “And that protection is necessary.” U.S. hyperscalers too often assume that what is permitted in their home market is automatically permitted abroad. That is simply not the case.

Arguably the best-known European regulation designed to help build a strong fortress around local data is the GDPR. This privacy regulation, in effect since 2018, standardizes the rules for processing personal data by companies and government bodies within the EU. But GDPR also applies to organizations outside the EU that process the personal data of EU citizens. “And although most people are now familiar with the concept, they are far less acquainted with the implications and requirements of GDPR compliance.”

Adequate data protection

The GDPR prohibits the transfer of personal data outside the European Economic Area (EEA), which includes all 27 EU member states, plus Iceland, Liechtenstein, and Norway. “That said, several instruments and mechanisms exist that still allow the transfer of data from an EU member state to a third country,” Erik Valgaeren notes.

As an example, he cites the adequacy decision: a European Commission decision that recognizes a third country as having an essentially equivalent level of data protection. This means you may transfer data to a company in that third country without needing to provide additional safeguards or meet further conditions. In other words, the transfer is comparable to a data transfer within the EU.

The United States, for example, has negotiated its own Data Privacy Framework (DPF) with the EU. This framework provides safeguards for the proper handling of EU citizens’ personal data by U.S. companies, in line with GDPR principles. The question, of course, is whether this new mechanism will remain in place under the current Trump administration.

Impact assessment and data processing agreement

Before transferring personal data to an entity with adequacy status or located in an adequate country, you must first conduct a formal assessment of the impact of that transfer on the protection of personal data. Additionally, as a data controller, you are always required to conclude a Data Processing Agreement (DPA) with all (sub)processors of that data. “Companies often overlook these conditions,” says Erik Valgaeren. “Or they meet only one or two conditions, when in fact all three are required: adequacy status, impact assessment, and a data processing agreement.”

At the same time, the concept of ‘data transfer’ is interpreted broadly. “Suppose you store customer data in a data center in Belgium but also back it up in a data center outside the EU. Or you use a helpdesk located outside the EU that accesses personal data stored in Belgium to support your customers. Both cases qualify as data transfers. If the third country where your backup or helpdesk resides lacks adequacy status or if any requirement is unmet, you are still in breach.”

Legal key 2: sector-specific legislation

Many sectors also provide for customized or specific regulations regarding the storage, processing, and broader protection of sensitive data. Erik Valgaeren cites the medical sector, particularly hospitals, as an example. “Until a few years ago, all patient records and other medical data had to be stored within the hospital itself. That meant hospitals could not move such data to the cloud, not even a local cloud. To keep pace with technological and outsourcing developments, that requirement has since been relaxed. Today, the data must be stored by the hospital, but not necessarily within its premises.”

Other sectors, such as telecommunications, may only require that certain data be stored within the EU. But as an employer—regardless of your sector—you are still legally obliged to store all social documents of your employees, such as contracts and payslips, at a location in Belgium. “Even when implementing a cloud strategy, it is vital to be fully aware of your sector-specific regulations,” says Erik Valgaeren.

Legal key 3: extraterritorial reach of foreign laws

To protect our data from actors based outside the EU, it may not be enough to require that the data remain physically within the EU. Even such a legal requirement offers no absolute protection, as foreign laws may still apply within the EU and undermine existing obligations.

A clear example of such a law is the U.S. CLOUD Act (Clarifying Lawful Overseas Use of Data Act). This law allows the U.S. federal government to access data stored outside the United States. The CLOUD Act applies not only to U.S. companies but also to the European subsidiaries of those companies. As a result, the U.S. government can compel American technology firms—through a subpoena or court order—to provide user data, even if those data are stored on European soil.

“Not only are American companies—the few that may qualify—limited in their ability to contest such a government request, they can also be subject to a gag order,” Erik Valgaeren emphasizes. This prevents them from warning their European customers about a data transfer that would be illegal under EU law, even if their contract includes a clause to that effect. “That’s also something to factor into the cloud strategy you design.” As a solution, Erik Valgaeren advocates the use of European alternatives to U.S. cloud and IT services.

Multifactorial risk assessment

“In the end, it all comes down to risk assessment,” Erik Valgaeren concludes. The outcome depends on several factors that must be considered sequentially. “Start by examining the data category: are you dealing with sensitive and/or personal data, or non-personal data? Then immediately incorporate legal considerations into your analysis, such as GDPR, sector-specific regulations, and foreign laws. Next comes the security aspect, including options for encryption, anonymization, or pseudonymization of data. Only after that should commercial considerations follow, such as functionalities, tools, and service levels. Lastly, interoperability and standardization are also factors to take into account.”

“In the strategy you develop for the cloud, you must leave room for all these considerations. By selecting the right legal keys, you can reinforce the fortress around your data and sufficiently safeguard your cloud kingdom,” Erik Valgaeren concludes.

rCloud: a proven sovereign datacenter for a sovereign cloud?

Is it important for you to retain full control over your data and IT infrastructure? Are you legally required to do so due to the sector or region in which you operate?

The rCloud in the Inetum Datacenter has all the features and qualities to serve as a sovereign cloud:

  • Guaranteed data residency: your data remains 100% within national borders
  • Local operations: trusted, certified staff in Belgium and Portugal manage your entire cloud environment
  • Regulatory compliance, aligned with current data protection laws and sector-specific rules
  • Autonomous infrastructure, fully owned by Inetum, with no external involvement or oversight
  • Security by design: your cloud environment is designed and built according to sovereign cybersecurity standards

Would you like more information about our sovereign cloud solution or schedule a guided tour of our rCloud? Email us at info.belgium@inetum.com