- The Dutch government’s increasing reliance on American cloud servers raises concerns about data security and national autonomy.
- The Groenlinks-PvdA party is leading an effort to halt the migration of government data to Microsoft platforms.
- The use of American cloud servers raises the risk of espionage, with US laws allowing government access to data even on servers located in Europe.
- Microsoft emphasizes its commitment to privacy and security, adhering to GDPR and storing data within the EU.
- A crucial vote in the House of Representatives and a potential plenary debate may shape the future of Dutch data policy.
The Dutch government’s increasing reliance on American cloud servers has sparked a wave of apprehension, with the Groenlinks-PvdA party spearheading an effort to halt the trend. A crucial vote on the issue is set for this week in the House of Representatives, triggered by “serious signals” that the central government’s Shared Service Center ICT (SCC-ICT) plans to migrate to a Microsoft environment. This move could potentially place the data of seven ministries and 50,000 civil servants directly into American hands.
“This was the last straw,” declared Barbara Kathmann, an MP for Groenlinks-PvdA. A previous investigation by the NOS revealed that numerous government organizations, including the Senate and House of Representatives, already entrust their email servers to Microsoft. The potential shift of entire ministerial digital environments to American platforms represents a new escalation.
Kathmann emphasizes that this trend could erode a significant portion of Dutch state autonomy, with “potentially disastrous consequences.” According to her, a comprehensive migration is already underway, hidden from public view.
Fears of espionage, loss of autonomy
The think tank Clingendael previously raised alarm bells over the espionage risks inherent in this growing reliance on American cloud infrastructure. US legislation grants the government access to cloud servers located within its borders, even if the physical servers reside in Europe. The historical interest of American intelligence agencies in European politicians, highlighted by the 2021 revelation of NSA surveillance on former German Chancellor Angela Merkel with Danish assistance, has further fueled concerns.
“The fact that the American government is using this against us is not science fiction,” asserted Kathmann, who sees a disconnect between the government’s stated goals of strategic autonomy and its actions in this domain.
Bert Hubert, former supervisor of the Dutch intelligence service who resigned in 2022 over privacy concerns, echoed these fears, warning that the Dutch cloud sector may be stifled if the government solely relies on foreign partners. “We are losing all experience in this area,” noted Hubert, highlighting the frequent absence of an exit strategy in outsourcing agreements, despite it being a mandatory requirement under the government’s own cloud service regulations.
Microsoft’s response
Microsoft, in response to the concerns, emphasized its high standards for privacy and security in its cloud services, including adherence to GDPR and the development of the Microsoft EU Data Boundary for data storage and processing within the EU. The company maintains that its services meet all information security conditions and that it actively challenges both EU and non-EU law enforcement requests for data, complying with GDPR principles whenever possible.
Groenlinks-PvdA MP Kathmann plans to question the cabinet in a plenary debate about the potential outsourcing of ministerial digital services. Her long-term goal is to challenge the default outsourcing of digital services to “big tech,” aiming for a more balanced approach. She believes urgent action is necessary to “prevent decisions from being made that cannot be reversed.”
The impending House of Representatives vote on this issue could mark a turning point in the ongoing debate over data sovereignty and national autonomy in the digital age.