Who actually owns your data? A question that sounds simple, but which should make us question our dependence on American cloud giants – and why we continue to hand over control.
I ended up at a seminar in Almedalen last week. The title might not have sounded particularly exciting – “From trust to evidence – How do current and future regulations affect the playing field for public sector IT?” – but what was said there has got me thinking. A lot.
The seminar was organised by Open Source Sweden and Digitalist Cloud. The keynote speaker was Björn Lundell, a professor at the University of Skövde, and the discussion centred on something most of us probably take for granted: that we can trust our data to remain ours. But according to Lundell – and the other experts in the room – the situation is a little more complicated than that.
Europe’s invisible dependence
Björn Lundell began by pointing out that Europe has actively chosen to rely on American cloud services such as Microsoft 365 and AWS. Not because of a lack of alternatives, but primarily for the sake of convenience and habit. “We have created a self-imposed dependency,” he argues. And it is no small dependency: one of Björn’s slides shows that 92 per cent of Europe’s data is stored in the US – a figure that really ought to make us pause and start discussing the seriousness of this issue.
But it’s not just about where the data is stored. It’s about control. Lundell explained that many organisations sign agreements that they neither read nor can even access in full. One of the participants compared it to moving out of a flat – but not being allowed to take your belongings with you. “Can I export my data in a portable format? Otherwise, I don’t actually own my data,” was one of the key questions raised during the seminar. A question which, according to Björn Lundell, far too few people ask themselves.
The security risks we don’t talk about
One of the most surprising revelations came when Lundell mentioned that Microsoft 365’s and AWS’s encryption does not always work as it should. Even the providers themselves admit to these shortcomings. And this isn’t just a technical detail – it concerns your organisation’s security and sovereignty as much as Europe’s.
Lundell points out that, despite being aware of the risks, we continue to rely on solutions that may force us to share our data with US authorities – without us even realising it.
AI, updates and the invisible responsibility
Tomas Persson, moderator and representative of Digitalist, raised another important point: “It’s not enough to simply click ‘update’ when our systems prompt us for updates – we need to know exactly what we’re letting in with that update”. With AI on the rise, and tasks and coding increasingly being handed over to AI agents, we must remember that the responsibility for quality and security still lies with us humans.
Also speaking at the seminar was Göran Westerlund, who is Head of Digitalisation at Alingsås Municipality and sits on the board of Sambruk – an association for local authorities wishing to collaborate on the digitalisation of the public sector. In Alingsås, a conscious decision has been made: open source is the first choice.
“These choices are not an IT issue; they are a management issue.”
What can we learn?
The seminar left me with the feeling that this is much more than a technical issue. It’s about control, responsibility and the future. And it’s easy to think that this only applies to large organisations or public authorities. But as more and more of our operations move to the cloud, it affects us all.
So here are a few thoughts I’m taking away with me – and which I hope might give you food for thought too:
- Ask yourself: If you wanted to switch cloud services today, could you take all your data with you? And in what format?
- Demand transparency: Ask your providers for full contracts (which also cover subcontractors) and ask them to show how data can be exported.
- Think long-term: “The usual response when discussing exit strategies is that it’s too early – but perhaps it’s actually too late”, said Björn Lundell at the seminar.
- Prioritise openness: Open-source solutions can be a way to avoid vendor lock-in and retain control.
A call to action from Almedalen
What was said at this seminar is too important to ignore. As mentioned: Digital sovereignty is not an IT issue. It is a management issue. If we do not start asking these questions now, we risk realising – too late – that we have already lost control.