GDPR: Dutch CIOs vs. US cloud providers


15-04-2021 15:11:47


An article recently appeared on fd.nl in which the chairman and director of the CIO Platform Nederland indicate that their members are unable to comply with the privacy law because their cloud suppliers do not comply with the GDPR. 130 Chief Information Officers from the largest Dutch companies and institutions have united in the CIO Platform. According to the article, the cloud suppliers these 130 organizations do business with are Google, Amazon and Microsoft. The CIOs believe that it is not they who are to blame for their non-compliance with the GDPR, but their cloud providers. But is that really the case, or can an important part of the blame be found by looking in the mirror?

It cannot come as a surprise that American tech companies have different ethics in the field of privacy and personal data than we do in Europe. We have known for at least ten years that Google and privacy do not mix well, haven't we? It is well known that privacy is a complicated topic for an advertising company. We also all know about the privacy scandals Amazon has faced. The members of the CIO Platform will probably have asked their voice assistant the question: "Alexa, are you invading my privacy?".

Customers' personal data

You can expect companies that have built a business model on the sale and analysis of personal data to have the same attitude towards personal data within other branches of the company. Nevertheless, the CIOs of the largest Dutch organizations choose to entrust these IT companies with the personal data of their employees and customers. Incidentally, they do so without informing those customers (and presumably also without informing the employees) that they have their personal data processed by a company that they know does not comply with the privacy law.

The CIOs complain that they are not in a good bargaining position with the three US hyperscalers, but no one is forcing them to do business with these parties. Vote with your wallet, dear CIOs. The 130 members of the Platform have a combined turnover of several tens of billions of euros, if not more. If Amazon, Google and Microsoft turn their noses up at that, then there are all kinds of European cloud suppliers who want to be of service to these 130, who do care about the GDPR, and with whom they do have a say in the processing agreement.

Vendor lock-in

However, the director of the Platform believes that voting with your wallet is 'extremely expensive and time-consuming'. It sure is, if you want to get out of the hyperscaler ecosystem, but that too should come as no surprise. Undoubtedly, many of the 130 were warned of vendor lock-in when they were about to sign the contract for their cloud services. They have been warned about the unclear pricing mechanisms that Microsoft and Amazon utilize. Someone told them it's cheap to bring data into those clouds, but extremely expensive to get data out of them. They've heard of Amazon's tech tricks to prevent you from exporting your data to a competing service.

European tech industry

Shifting the responsibility for compliance with the GDPR to the Dutch Data Protection Authority (AP) and competition authorities, as is done in the FD article, is too easy. Government bodies do have a role to play in this, as do cloud suppliers. But so do the customers of those cloud suppliers, because those customers ultimately determine with their wallets whether they continue to depend on American hyperscalers or whether they give the European tech industry a chance.

By: Wido Potters