T-Systems and Google Cloud building 'sovereign cloud services' for Germany

Google Cloud and T-Systems are to create what the companies call a "sovereign cloud offering" for Germany, though details are sketchy and it may not be digital sovereignty as the term is normally understood.

The project involves T-Systems playing a role in managing "a large spectrum of next-generation cloud solutions and infrastructure… powered by Google Cloud," the European integrator-cum consultancy said.

What does that mean in practice? Key questions include the physical location both of data and the applications that process that data, and management and control of the software that is running. We've asked the duo to respond.

The service is scheduled to be available by mid-2022, the pair said, and is aimed at German enterprises, public sector and healthcare organisations.

The Register was also told that: "T-Systems will manage a set of sovereignty controls and measures, including encryption and identity management. In addition, T-Systems will exercise a control function over relevant parts of the German Google Cloud infrastructure. Any physical or virtual access to facilities in Germany (such as routine maintenance and upgrades) will be under the supervision of T-Systems and Google Cloud."

Will some data on occasion be processed outside Germany? What is the scope of T-System's control over the systems? Those things are not clearly stated, but it does say that there will be "full public cloud scale as well as version and feature parity to global network," so what is on offer may be a mini-Google Cloud running entirely in Germany, or some sort of hybrid solution.

Google's EMEA veep Adaire Fox-Martin, appointed in August, said: "T-Systems will operate and independently control key parts of the Google Cloud infrastructure" for its German customers, leaving open the question of whether other "key parts" will not be under such control.

Fox-Martin described the project as "Cloud on Europe's Terms."

That may be a stretch. The French think tank Foundation pour L'Innovation Politique says in its paper on digital sovereignty that the concept was first defined in 2011 by Pierre Bellanger, a French executive, as "control of our present and destiny as manifested and guided by the use of technology and computer networks." Running on systems programmed and controlled by a US corporation is unlikely to conform to that definition.

• Cutting the ties: European hosting provider OVHCloud to offer Google Anthos, no Google account needed
• UK promises big data law shake-up... while also keeping the EU happy, of course. What could go wrong?
• Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg
• Dutch education IT crisis averted as Google agrees to 'major privacy improvements'

The EU's paper [PDF] on Digital Sovereignty for Europe talks about "Europe's ability to act independently in the digital world" and criticises "global tech-driven players which do not always obey European rules and fundamental values, and which put data appropriation and valuation at the heart of their strategy" – a description which could well be applied to Google and its advertising business. The paper calls for "investing in digital capacities, infrastructure and technologies" which is unlikely to mean a datacentre or two stuffed with Google software.

Google has its own definition of sovereignty, which as you would expect is more amenable to the cloud giant's approach. It describes data sovereignty as "keep all control over encryption and access to your data"; operational sovereignty as "visibility and control over provider operations"; and software sovereignty as "you can run workloads without dependence on provider's software."

This last point is difficult to unpack. Removing dependence on a provider's software suggests using only open source solutions; but Google Cloud Platform is not open source as a whole, even though it has strong elements of open source, such as the core Kubernetes software in Google Kubernetes Engine, and heavy use of the Linux operating system.

Most Google services though are not entirely open source, and have Google-specific APIs, making avoidance of lock-in challenging.

Sachiko Muto, CEO of Brussels-based think tank OpenForum Europe told us that: "It is a positive sign that companies are adapting their offerings in recognition of the legitimate right of Europe to set its own terms. For users to be sovereign they should also be able to specify terms that are in addition to those defined by the vendor. Where such offerings are also fully open source they enable the user to scrutinize the claims made by the vendor. Open source thus enhances user control and alleviates lock-in.

"There are many definitions of digital sovereignty/independence/autonomy floating around. It would be preferred if the EU clearly adopted a definition and elaborated the principles that support it."

The EU has its own Gaia-X project for a European cloud which is a quite different thing, using federated services and mandated standards to ensure openness. Getting Gaia-X off the ground is hard though, whereas an existing commercial operator like Google can make its systems available immediately.

The T-System/Google project likely does tick some desirable boxes in terms of management and compliance, but it will not tick all of them, nor will it enable the European software industry to keep pace with the US cloud giants in public cloud technology. ®