The Dutch government must take steps “as soon as possible” to safeguard the nation’s digital sovereignty, the country’s data protection body warned on Wednesday.
The trigger for the alarm is the fate of DigiD, a digital identity service, widely used in the Netherlands, that’s set to be acquired by a US company – sparking widespread concern and debate locally about heavy reliance on US technology, not only in the public sector.
There are no exit strategies for this scenario – where an important tech provider is bought up by overseas company – per the watchdog.
The Dutch data protection watchdog, the Autoriteit Persoonsgegevens (AP), seized on European Data Protection Day on Wednesday to lay out its view of the risks of high dependence on a handful of overseas cloud and IT providers, also highlighting a problematic lack of mitigation measures in existing public contracts.
In a letter addressed to the Dutch economy minister that it also made public, the AP sketched a looming nightmare scenario – of “major societal disruption” – if the government fails to protect “vital processes” such as its communication with its own citizens, like through DigiD.
All together now
The AP’s letter attacks the Dutch government for treating the issue of digital autonomy as an academic exercise, rather than a pressing concern, in a recent strategy on the topic.
The watchdog urges the government to centralise a policy response, instead of leaving it for public bodies to unilaterally decide how they want to deal with tech sovereignty risks. This should include clear sovereignty criteria applied to companies when awarding government contracts, it suggests.
It recommends sticking to sovereign cloud criteria that the Commission set out back in October and is already applying to some of its own cloud services procurement.
“The AP recommends considering a minimum [sovereignty] score and including this as a kick-out criterion,” the letter reads.
It also suggests that the government should include clauses in its IT contracts that would allow it to immediately void the agreement if a company is sold to an overseas buyer in the future – as well as pointing out that public services should be designed to facilitate switching providers if the worst happens.
Finally, the data protectors urge the government to invest in “scalable” European alternatives – specifically suggesting the need for a government cloud that’s completely in Dutch hands.
The Dutch economy ministry told Euractiv it could not comment on the letter.
(nl)
