The government has been deliberating for some time about migrating critical systems and data to Microsoft, a public cloud provider. This erodes the government's so-called data sovereignty, argues Machiel van der Wal, winner of the Internet Thesis Prize recently awarded by law firm Brinkhof. According to his research, under U.S. law, U.S. intelligence agencies can access confidential documents from the Dutch government, even if that data is stored in Europe, for example. PONT | Data & Privacy sat down with Van der Wal and Anke Strijbos, jury member and attorney at Brinkhof, to discuss this topical issue.
Digital infrastructure is all-important for the functioning of the modern world, including governments. The debate about data sovereignty plays a crucial role in this: who has the right and power to manage and protect data? This issue touches not only fundamental rights such as privacy, but also national security and economic independence. The winning research of Machiel van der Wal, awarded the Internet Thesis Award 2024, brings these aspects together in a thorough analysis of the data sovereignty of the Dutch government.
Van der Wal combined his expertise in technical and legal disciplines during his masters at TU Delft and the Institute for Information Law (IViR). Inspired by current debates surrounding the Government Cloud Policy and the EU Cloud Certification Scheme, he examined - under the guidance of Dr. K. Irion - in his thesis how the government can maintain control over its data when migrating to public clouds.
A major focus of Van der Wal's research concerns the Government-wide Cloud Policy of the Dutch government. "The government stores data in public clouds of private providers, which often fall under the jurisdiction of third countries such as the United States," he explains. This carries risks: based on laws such as the U.S. CLOUD Act, providers may be required to share data with the U.S. government, regardless of where that data is physically stored. Van der Wal: "Technical measures to prevent this, such as encryption, are sometimes possible, but depend on the specific type of cloud service and the method of encryption. Moreover, the implementation of these often lies with the cloud provider. Contractual measures between the cloud provider and the customer have no external effect, so it cannot prevent an order or its implementation by itself."
Although the Statewide Cloud Policy excludes the most sensitive state secrets from public clouds, other types of data, such as government emails, remain vulnerable. "The implementation framework does provide guidelines, but these are not concrete enough to make a clear risk assessment," Van der Wal said. He therefore argues for stricter requirements, inspired by countries such as France, where data sovereignty weighs more heavily in cloud policy. Van der Wal: "The Netherlands could do this by storing government emails in such a way that they only fall under Dutch jurisdiction. This would protect a large part of Dutch government communications, which are potentially very sensitive."
The Internet Thesis Prize was established by law firm Brinkhof to encourage legal students to find innovative solutions to the challenges of the digital society. "The prize provides a stage for young talent and encourages in-depth analysis of current legal issues," said Anke Strijbos, jury member and attorney at Brinkhof.
According to Strijbos, van der Wal's thesis stands out because of its multidimensional approach. "Data sovereignty is a complex and urgent topic that touches on technology, policy and law. Van der Wal's work offers valuable insights for both law and practice."
Strijbos emphasizes the importance of data sovereignty: "Data sovereignty is essential because it determines the extent to which a country has control over the data of its citizens and government. In an era when data are valuable sources of information, power and economic strength, it is important that governments can decide how and where this data is managed, stored and protected. Data sovereignty also prevents foreign actors from directly or indirectly influencing vital data and can help ensure the privacy and fundamental rights of citizens. It also promotes national security and helps countries guard against digital threats and economic dependence."
