Cloud Security: Who Really Controls Your Data?

The Cloud Explained: More Than Just Storage

For many people, the cloud remains a mysterious concept. 'How does it actually work?', 'Where does our data go?', and 'Who can access our personal information?' are common questions that have gained new urgency following recent developments in the cloud industry.

At its core, cloud computing means storing data or running applications on remote servers rather than on your own device. As Mark de Reuver, professor of digital platforms at TU Delft, explains: 'The cloud is used by most people to store their data somewhere, think of Google Drive.' But it's also used for applications: 'Some people use Microsoft Word in the cloud, or services like Gmail.'

The term 'cloud' originated from early network diagrams where complex internet infrastructure was represented by a cloud symbol. Today, it represents the vast, interconnected network of data centers that store and process our digital information.

Encryption and Access: Who Holds the Keys?

While cloud providers typically encrypt user data, the crucial question is who controls the encryption keys. Professor de Reuver clarifies: 'In principle, only you as the owner have access to your files in the cloud. But the provider of the cloud service can sometimes also have access.' He adds a critical point: 'The keys are often in the hands of the company, especially with consumer services like Gmail. This way, if there's really something going on, they can still gain access.'

This arrangement means that while your data is protected from unauthorized access, the service provider retains technical access capabilities. This becomes particularly relevant when governments request data access through legal channels. 'What could happen,' explains de Reuver, 'is that a government says: 'We would like to have that information from that 'suspicious' person.' In that case, an official request can be made to the administrator to gain access.'

The Solvinity Acquisition: A Dutch Security Concern

The recent acquisition of Dutch cloud company Solvinity by American tech giant Kyndryl has raised significant concerns about data sovereignty and security. Solvinity provides critical infrastructure for Dutch government services including DigiD and MijnOverheid, making this acquisition particularly sensitive.

Professor de Reuver highlights the core concern: 'Where there is a lot of concern is that if the data were to end up in the US, the American government would gain access to your information in this way.' He explains that it's not just about where data centers are physically located, but also about the jurisdiction of the cloud provider's home country.

The Dutch government was reportedly caught off guard by the acquisition, with Amsterdam officials expressing being 'unpleasantly surprised' by the development. The concern extends beyond data privacy to include potential operational risks. 'The fear lies in the theoretical scenario that the American government could say: 'Just turn off DigiD, because we are no longer good friends with the Netherlands or Europe.' de Reuver notes, while acknowledging this is 'mainly a theoretical risk and unlikely in practice.'

European Alternatives and Digital Sovereignty

For those concerned about data sovereignty, European alternatives are emerging. NextCloud, a German company, offers an open-source cloud solution that's gaining attention. 'What is interesting about it,' says de Reuver about NextCloud, 'is that they do everything open source.' This transparency allows users to verify security and privacy practices directly.

NextCloud recently launched Nextcloud Workspace in partnership with German data center provider Ionos, creating a European alternative to Microsoft 365 and Google Workspace. The service is hosted exclusively in Germany, ensuring protection from US legal exposure under laws like the Cloud Act.

Other resources for finding European cloud alternatives include European Alternatives and PublicSpaces, which provide comprehensive lists of privacy-focused services.

EU Regulations: Making Cloud Switching Easier

The European Union is actively working to reduce cloud provider lock-in through new regulations. The EU Data Act, which became applicable in September 2025, introduces new switching requirements for cloud service providers. These rules aim to make it easier for customers to switch between providers or move to their own infrastructure.

Professor de Reuver explains the current market dynamics: 'If you look at the cloud now, the entire market is dominated by about three players: Google, Amazon and Microsoft. These companies like it when you stay with them. They therefore create specific services and ways of storing, making it difficult to go from one cloud service to another.'

The new EU regulations address this by requiring standardized data formats and interoperability between cloud services. This represents a significant step toward creating a more competitive and flexible cloud market in Europe.

Practical Considerations for Users

For individual users concerned about cloud privacy, several practical steps can be taken. First, understand where your data is physically stored and under which jurisdiction it falls. Many services now offer region-specific storage options.

Second, consider using end-to-end encrypted services where you control the encryption keys. While this requires more technical knowledge, it provides greater privacy assurance.

Finally, stay informed about privacy policies and terms of service. As de Reuver reminds us: 'It is of course the case that another company manages your data, but that does not mean that they are allowed to look at your information just like that.' However, the technical capability for access exists, making transparency and trust crucial factors in choosing cloud providers.

The cloud revolution has transformed how we store and access data, but it has also created new questions about privacy, security, and sovereignty. As the Solvinity acquisition demonstrates, these are not just theoretical concerns but real-world issues with significant implications for both individuals and governments.