Data sovereignty and Lidl's cloud
This week, the article that caught my interest was from last Saturday's Financial Times, writing that the Schwarz Group (owner of Lidl) has a cloud computing division. From that article:
Starting with a system built for internal use in 2021, Lidl owner Schwarz Group now offers cloud computing and cyber security services to corporate customers.
Its IT unit, Schwarz Digits — which became a standalone operating division in 2023 — has signed up clients including Germany’s biggest software group SAP, the country’s most successful football club Bayern Munich and the port of Hamburg. Last year, the unit generated €1.9bn in annual sales and it employs 7,500 staff.
Annoyingly, the Schwarz Group is private, meaning that the FT article covers the information included in the press packs, and there's not much else to know.
In context, though, the total Schwarz Group revenue was €167.2bn in 2023, so this unit (called Schwarz Digits) is 1.1% of overall group revenue. I would guess, but cannot verify, that most of this revenue is internal to the group and comes from their other divisions. As another point of reference, AWS's global revenue in 2023 was $90.8bn, so this private cloud has over 2% of that revenue.
Why does this exist?
I thought this might be an exciting story, but it turns out it's not really. The group decided to set up their own data centre infrastructure, which complies with Germany's very strict data sovereignty laws. Once they'd done that, they realised that others could benefit from the same thing, so they started selling it. That's a pretty typical story, reminiscent of (for example) the origins of AWS.
The result is a small cloud computing division within the group that owns Lidl, which makes for an eye-catching headline because no one associates Lidl with cloud computing. The only unusual factor here is that those data sovereignty rules in Germany have been at least partly responsible for other businesses (such as SAP) taking an interest in this. But this was a catalyst for me to think about data sovereignty rules in the EU.
What is data sovereignty?
From Wikipedia:
Data sovereignty is the idea that data are subject to the laws and governance structures of the nation where they are collected.
The EU has the General Data Protection Regulation (GDPR), an attempt to homogenize data protection policy across the EU. This was well-meaning, and I generally support the intention of giving consumers greater control over their data and privacy. Of course, it has had unintended consequences, such as the cookie banners now smeared across the internet without achieving anything. Still, unintended consequences have since become (somewhat ironically) one of the most predictable parts of EU tech regulation.
However, while the goal was homogeneity, GDPR left member states the flexibility to interpret and specify certain aspects of the regulation for their specific context. Again, this seems sensible on the face of it, except that it somewhat negates any possibility of homogeneity. In making its own adjustments, Germany ended up with some of the most restrictive policies.
Regardless of what you think the 'right' data protection laws are, this is a bad outcome. We got an onerous, EU-wide data protection regulation in the form of the GDPR, which didn't even achieve the goal of homogeneity. One of the EU's goals was to make doing business across the continent more straightforward, and this hasn't happened wherever there is regional variation.
Therefore, Lidl's owners seem to have decided that the safest way to store and process their data was to build their own cloud, complying with the stringent rules in Europe and Germany.
AWS' European Sovereign Cloud
This raises the obvious question: Is it impossible to do this in the public cloud? Rather than look at all three providers, I decided to focus on AWS, which is the biggest and most full-featured of the cloud providers (and the one I know best).
This led me to AWS' European Sovereign Cloud, a new, completely independent public cloud for Europe, first announced in October 2023. The first region will be launched in Germany before the end of 2025. I'm nearly a year late in writing about this.
Existing AWS infrastructure lets you specify a region where your applications and data would run. In Europe, these regions are Ireland, Frankfurt, London, Paris, Stockholm, Milan, Zurich and Spain. This should meet data sovereignty requirements for all but the most sensitive and highly regulated industries. This new sovereign cloud, however, offers some additional functionality:
- Only EU residents within the EU will have control of operations and support.
- Metadata, such as roles, permissions, resource labels, and configurations, will be guaranteed to stay within the EU.
- Billing and usage metering will be handled within the region.
The target audience here is EU governments and highly regulated industries that want to benefit from the cloud but can't because of strict data sovereignty requirements. But I imagine anyone who wants to be especially cautious could use this cloud.
So AWS have a decent data sovereignty story that will improve over time. The fact that the Schwarz Group didn't want to make use of this could be because:
- They wanted to do this in-house:
  - This is fine. As a private company, they can and should do what they want.
- They knew current public cloud provisions wouldn't meet their data needs and didn't want to wait:
  - I would argue that this is a bad outcome. If a company has no choice but to build its own cloud to comply with data regulations, this will lock in the competitive position of companies with the resources to do so and exclude everyone else.
  - Everyone without these resources has to wait until at least 2025, and who knows what competitive positioning they may have lost by that point?
- They weren't sure if AWS would be compliant with the beyond-GDPR peculiarities of German data laws:
  - Uncertainty is another bad outcome. Even some of the biggest and best-resourced companies in the world struggle to understand precisely what they need to do to comply with some EU laws, which again disadvantages everyone else with fewer resources.
Avoiding further fragmentation
One of the great things about technology is that while upfront costs can be substantial, the marginal costs of adding users are effectively zero. That's why, for example, when Google built its search engine in the US, most people in the world could use it. Google didn't have to decide whether a search engine in Luxembourg was worth running because they could do it 'for free'. Now, of course, the reality is that Google does have to build more infrastructure when they add a large number of new users, and if a big chunk of those users are in Europe, then some of that infrastructure will be there, too. However, they can prove the revenue before investing and build a few large data centres to serve the whole continent (rather than one per country), at least theoretically.
Having a European Sovereign Cloud doesn't feel like a bad level of fragmentation; the EU has a different view on data protection than other parts of the world and should be able to enforce that while still benefiting from cloud computing and other technological changes. AWS feels it's worth their effort to invest a reasonable amount of money in satisfying this need, so the EU market is clearly 'big enough'.
However, the EU needs to be increasingly careful as it forces more fragmentation in the tech market. Those 'zero marginal costs' start to become significantly non-zero when a new upfront investment is required to enter smaller and smaller markets. AWS and others aren't likely to want to run many sub-scale data centres across the EU. The more fragmented the market is, the more difficult it is to justify the investment needed to enter each new market. Homogeneity across the EU seems like the minimum to make it an attractive market. Even with that, the costs of entering that market must be in line with the benefits of doing so (something it seems they forgot with the DMA).