29/07/2020

Click here to view this briefing in PDF format

Gaia-X: the basics

Gaia-X will not be a cloud storage service in and of itself.  Instead, it will be a new EU cloud services platform that joins up cloud services from multiple providers. Cloud services on the Gaia-X platform will also be required to apply the same standards in areas such as data protection and information security.  These key features of Gaia-X will help cloud service customers to more readily identify available cloud services and more easily share data and move between different cloud service providers.

At present, Gaia-X is being spearheaded by France and Germany with the input from local companies that are involved in the cloud services industry (e.g. Deutsche Telekom, Orange and Siemens) but it is envisaged that it will develop into a pan-EU project involving stakeholders from across EU. In recent years, EU businesses have largely been stuck watching on from the side-lines as demand for cloud services has exploded and US and Chinese companies (e.g. Amazon, Microsoft, Google and Alibaba) have established themselves as the leading cloud service providers across the EU.  France and Germany hope that Gaia-X will help other cloud service providers (particularly EU cloud service providers) play a more prominent role in the EU’s cloud services industry by making these providers more visible to cloud service customers and allowing them to offer customers enhanced capabilities to share and transfer data across the different cloud services on the Gaia-X platform.

Gaia-X is also seen as a key component of the EU’s wider strategy to develop a digital single market and to boost the EU’s ‘digital sovereignty’. The prominence of a small number of large providers in the cloud services industry is seen by the EU as increasing the risk of ‘vendor lock-in’ whereby cloud service customers are hindered from switching provider. The intention is that Gaia-X will help to reduce the risk of ‘vendor lock-in’ in the cloud services industry by increasing the pool of viable cloud service providers for customers to pick from and by raising awareness of these providers. The EU also views the growing importance of cloud services to EU businesses and their growing storage of large volumes of business critical and sensitive information with cloud service providers outside of the EU as having the potential to create security risks for EU business and member states. It is hoped that by promoting EU cloud service providers, Gaia-X will help to reduce this risk.

Another trumpeted advantage of Gaia-X is that compliance with EU rules around data protection and information security will be at the heart of the standards applied to cloud service providers that participate in Gaia-X and that such rules will be integral to the design of Gaia-X.  Gaia-X will also help to eliminate challenges faced by EU cloud service customers in ensuring that any transfer of personal data to cloud service providers based outside of the EU complies with GDPR restrictions around international data transfers. The recent judgment of the CJEU in the Schrems II case (see our briefing on the Schrems II here) indicates that these challenges are only likely to grow. By switching to an EU-based cloud service provider on the Gaia-X platform, an EU cloud service customer could avoid the difficulties that the GDPR and Schrems II present around transferring personal data outside of the EU and avail of cloud services that are focussed on GDPR compliance.

 

Gaia-X: the challenges

Gaia-X is certainly an admirable initiative but the challenges it faces to establish a viable EU alternative to the leading US and Chinese cloud service providers are considerable. In simple terms, Gaia-X will need to attract customers to the cloud services available on its platform in order to succeed. This means that the cloud services available on Gaia-X will need to offer quality, scalability, security and cost efficiency that rivals the US and Chinses market leaders. Doing so, will be a considerable challenge given the scale and sophistication of these market leaders and simply enhancing the visibility, interconnectivity and compliance profile of EU cloud services is unlikely to be sufficient to entice large amounts of customers away from these market leaders.

Participation in Gaia-X is also open to any cloud services provider that undertakes to adhere to the project’s strict principles which include compliance with EU data protection laws and with the principles of openness, transparency and free market access across the EU.  Put differently, participation in Gaia-X is not limited to EU-based cloud service providers and indeed, Amazon and Google had some involvement in the initial stages of Gaia-X.  This means that the market leaders in cloud services could in fact, decide to participate in Gaia-X and use it as a route to consolidate and further expand their market leading position in the provision of cloud services across the EU.  As a result, there is a risk that Gaia-X may not in practice, act effectively to promote EU cloud service providers as an alternative to the existing market leaders.

 

Conclusion

The launch of Gaia-X has been heralded as a significant step forward in the EU’s pursuit of a digital single market and it has the potential to significantly enhance the cloud service offering available to businesses across the EU. However, considerable work is required before Gaia-X can start to deliver on its objectives and potential. The first step will be for the prototype of Gaia-X that is currently under development to demonstrate the feasibility of the platform. This prototype is expected to be ready towards the end of this year while the official launch of Gaia-X is expected in 2021.

EU businesses would be wise to stay apprised of Gaia-X’s progress and the opportunities that it may present to them (particularly in light of the Schrems II case).  Nonetheless, EU businesses should bear in mind that robust contractual arrangements and internal policies and procedures will remain crucial to ensuring that cloud solutions are aligned with EU requirements around data protection and information security, regardless of whether or not such solutions are based on the Gaia-X platform.      

We would like to thank Sonam Gaitonde for her contribution to this article.