Gaia-X – A Revolution for the Financial Industry?

Problems with International Data Protection

Following Clive Humby's overused phrase “data is the new oil”, the Economist described, as early as May 2017, the dominant market position of the companies with the highest market capitalization (1): the four GAFA companies (Google, Amazon, Facebook, Apple) and Microsoft. These five companies also have in common that their business models are all heavily dependent on data. In 2021, the above companies continue to be found at the top of the market cap ranking (2). The only change to the ranking is a newcomer at #3: Aramco – ironically, actually an oil company. But back to the topic at hand: the data-driven tech companies are not only interested in using data, but also make their money by providing cloud infrastructure (Infrastructure as a Service (IaaS) or Platform as a Service (PaaS)) to other companies. From the customer’s point of view, cloud solutions have the advantage that they are faster and, due to their scalability, also more flexible and cheaper compared to on-premise solutions. The most well-known cloud infrastructures are probably Amazon Web Services (AWS), Google Cloud, Microsoft Azure and IBM’s Red Hat, all of which have one thing in common: the companies are headquartered in the US and are thus subject to the (decidedly lax) US data protection “law”. The liberal principle here is that a company can determine the level of data protection for itself. In addition, since the USA Patriot Act of 2001 or the CLOUD Act of 2018, US authorities can access data of American companies without a court order (even if this data is not hosted in the USA). Previous approaches such as the “Safe Harbor” scheme and the “EU-US Privacy Shield” aimed at getting US companies to voluntarily comply with European data protection standards.
There were also commitments by the American tech companies, which, however, have been legally caught between two stools at the latest since the CLOUD Act came into force: they cannot keep the agreements with European policymakers without at the same time coming into conflict with U.S. legislation. Incidentally, data protection at Chinese cloud providers such as Alibaba is regulated analogously: the Chinese government also has the right to inspect the data if it is stored with a Chinese cloud provider. The current data protection situation – especially for European financial institutions with sensitive data – is therefore difficult.

Gaia-X – A Real Alternative?

A real alternative could be the Gaia-X project founded by the European Union. Gaia-X is an initiative to build a standardized, decentralized data infrastructure according to European (data protection) ideas. The focus is on data sovereignty, i.e. the control or self-control of a private user or a company over its data, by ensuring openness, transparency and trust in order to guarantee data security and data protection. Via Gaia-X, it should be possible for companies (and private individuals) to exchange their data in a secure framework, whereby the respective data sets can be restricted by “data contracts”: For example, some data sets can only be viewed but not copied, or are restricted in the number of times they can be used. Thus, interests and rights such as intellectual property can be protected and the question “Who owns the data?” seems to be clarified. Due to the simple connection of all private and public clouds, Gaia-X is provider-neutral, which additionally reflects the idea of openness and its social claim. Gaia-X is therefore only a cloud in that the service offers access to many different external cloud services and processes data from these services. However, the focus is on setting the Gaia-X standard (e.g., ensuring data sovereignty) (3). Accumulating this vast treasure trove of data should make it possible to train AI algorithms, as these often require vast amounts of training data that a single company often cannot provide. In addition, new data-driven business models and various innovations can emerge: In a first step, companies get an overview of what external data has been created in other contexts. In the second step, this data can be purchased or rented based on data contracts and thus combined with internal company data.

Figure 2: The Concept of Gaia-X, source: Federal Ministry of Economics: Gaia-X_Architecture_Document_2103.pdf

Based on the above values, from a technical perspective, Gaia-X is a network of centralized and decentralized cloud and edge services designed to provide data to users. As shown in Figure 2, Gaia-X consists of three networked layers: the infrastructure ecosystem (bottom in red), the data ecosystem (top in blue), and the federated service (middle, green) as the link between the first two elements. The infrastructure ecosystem is primarily responsible for data storage and processing (e.g., ensuring computing power). This includes building secure interfaces to external clouds. The data ecosystem is the user interface where users produce, provide or consume the data directly or indirectly (4). The data ecosystem can be further subdivided into so-called Gaia-X hubs, where domain-specific hubs are subdivided into country-specific hubs. A hub pursues the goal of networking relevant stakeholders within a country and, one level below, specific industries, developing use cases, and communicating user requirements for service development and, if applicable, associated legislation to the project (5). So far, almost every European country has a country-specific hub, which is then subdivided into domain-specific hubs; in Germany, for example, these include mobility, Industry 4.0/SMEs, and also the financial sector (6) – more on the financial sector later.

The federated service sits on top of the two previously mentioned layers, connecting them and ensuring interoperability between all users – from startups to corporations and from academia to policymakers. Moreover, the federated service realizes compliance with Gaia-X’s principles and requirements: data sovereignty, data security, traceability, openness, interconnectivity, interoperability, decentralized distribution, and trust protection:

  • Data sovereignty: As a user, I have control over who can use my data, when, how and for how long.
  • Data security: The security of data, in particular data storage, is to be guaranteed by Gaia-X, inter alia through traceability and openness.
  • Traceability: Security mechanisms, such as the assignment of IP addresses, are intended to ensure that all of a user’s activities on Gaia-X are tracked, which in turn supports data security. In this way, for example, compliance with data contracts can be ensured: if a user is only authorized to view a data set but attempts to copy it, such cases can be detected via traceability.
  • Openness: Gaia-X is an open data infrastructure that grants access to all (registered) users (companies, researchers, government agencies, private individuals) as well as all providers (Amazon Web Services, Microsoft Azure, Google Cloud, smaller European services, etc.) through secure interfaces. The main aim of the project is to make the use of European cloud providers more attractive and thus offer an alternative to hyperscalers (for more information, see interconnectivity and interoperability). For companies that use Gaia-X but whose data is stored with one of the American or Chinese cloud providers, the only change for the time being is that all cloud providers must commit to the Gaia-X data sovereignty standard. However, a final legal decision on this is not yet available. The openness is also reflected in the open source approach, in which the source code is generally available transparently and can be further developed accordingly.
  • Interconnectivity: In order to be able to build a decentralised infrastructure, the Gaia-X infrastructure must ensure interconnectivity between the interconnection hubs. What is particularly important here is that it should be possible to store data across several providers in a decentralised manner, which on the one hand makes data storage more secure, but on the other hand should above all enable European providers to jointly provide storage capacities on the scale of American services (7).
  • Interoperability: The principle of interoperability ensures that different applications run without interfering with each other. Only through interoperability is the networked use of multiple services possible. This point is also about creating a counterweight to the hyperscalers, among other things. On the one hand, interoperability prevents lock-in with a particular provider, as data can be transferred from one provider to another without any problems. On the other hand, it should also make it possible to obtain analytics services from different providers (7). Whether the services of European providers will be able to keep up with those of Google, Amazon, Microsoft and Co. is another question.
  • Decentralized distribution: A decentralized data infrastructure not only reflects European federalism, but also brings other benefits: a European, decentralized investment structure promotes the development of a wide variety of technologies, which, in turn connected to Gaia-X, can develop their full power. It would be possible, for example, for France to invest more in server infrastructure and for the Netherlands to use its financial resources more for the development of algorithms. Thus, investments are decentralized, but both investments ultimately benefit Gaia-X.
  • Trust protection: Gaia-X provides a safe space for data. This secure space is created by defining and adhering to rules that must be followed through a technical implementation (e.g. technical traceability of user activities).

Current Challenges

Besides many obvious advantages such as the creation of a counterweight to the hyperscalers (Google, Amazon, Microsoft, Alibaba, etc.) and the enforcement of European data protection, Gaia-X also shows some weaknesses: These very hyperscalers have about 10 years of technical advantage and thus a lot of experience ahead of Europe. Furthermore, Gaia-X also differs from the hyperscalers’ cloud services in terms of financial resources: Gaia-X is said to cost a total of 5-10 billion euros, whereas the hyperscalers invest 50 billion euros per month (8). However, the hyperscalers are participating in the Gaia-X project – not out of love for the data, but in order to participate in discussions in the relevant working groups and to influence the design. For example, they are involved in shaping the rules for switching providers (9). So far, the cost-benefit ratio of the hyperscalers’ participation in Gaia-X is unclear: on the one hand, Gaia-X relies on the knowledge and experience of the technology groups, and on the other hand, Gaia-X strongly attacks their cloud business model, which could cause the hyperscalers to lose some European companies as customers in the long term. In order to exclude too much influence of the hyperscalers, they are allowed to participate in the discussions in the working groups, but are not entitled to vote in the final votes. Only companies or individuals on the board of directors are entitled to vote, and they can only be elected to the board if the company’s headquarters are in Europe and it upholds the goals and values of European data sovereignty (3). However, many of the board members are customers or even partners of the technology giants, which means that some influence on board decisions cannot be ruled out (9).

Aside from the involvement of American tech companies, however, there are other challenges attributed to the rapid growth and sheer number of members, now over 300. For one thing, among so many participants, there is disagreement on fundamental issues, which repeatedly delays the overall work and pushes back deadlines. Interestingly, one of these unresolved fundamental issues is the question, rather important given the original objectives, of whether users should be able to request that their data be stored and processed within Europe. Another problem is the communication of the work progress to the members, which is perceived as insufficient. So there is definitely still some room for improvement if Gaia-X is to achieve its goals in the foreseeable future – if at all (9).

It is precisely these challenges, in particular the participation of hyperscalers, that led to the creation of Euclidia (European Cloud Industrial Association) in June this year (10). The 23 founding members of Euclidia therefore include a number of companies belonging to the Gaia-X initiative (11). Euclidia aims to make Europe digitally independent and European cloud innovations globally competitive (12). Unlike Gaia-X, only providers of cloud software or hardware that are based and majority owned in Europe can join (11). Euclidia presents the differences to Gaia-X on its website as follows:

|               | Euclidia | Gaia-X |
|---------------|----------|--------|
| BOARD MEMBERS | CEOs of European companies that create original cloud technology, mostly SMEs | Mostly managers of large European companies or research organisations that use or run cloud through strategic partnerships with AWS, Azure or Google |
| MEMBERS       | European based companies with European based shareholders that create original cloud technology | Mostly cloud users and cloud providers from any country |
| MAIN GOAL     | Accelerate the adoption of cloud technology created in Europe | Develop compliance policies for cloud providers |

Table 1: Differences between Euclidia and Gaia-X, source: (11)

Gaia-X is thus by no means the only project striving for European data sovereignty. Which of the two projects will be able to present concrete achievements first remains to be seen. 

Data Spaces in Other Industries: CARUSO

Compared to other industries that are several steps ahead in data sharing, the financial industry is still struggling. A flagship project of the automotive industry is CARUSO: launched by Daimler AG, CARUSO is a mobility data sharing platform (13). Daimler AG has started to share aggregated vehicle data with interested companies with the consent of the vehicle owners (14). An exemplary use case is “pay-as-you-drive”, where the mileage of connected vehicles can be reported directly to insurers, which can then be used for innovative insurance services. For example, the insurance policy can be individually adapted to the driving behavior. Another use case is vehicle status, which can be monitored through predictive maintenance, enabling the need for repairs to be identified in good time and repairs to be carried out directly (15).

The project’s data infrastructure is comparable to that of Gaia-X: The focus is on a secure, standardized mode of operation through which data can be shared or bought and sold on the data marketplace without resistance. Starting with data from Daimler AG, other well-known car manufacturers and mobility service providers have now joined in, making their data available: Audi, BMW, Ford, Mini, Porsche and VW. Automobile manufacturers can upload their data, which can then be processed by external providers to deliver a wide range of solutions. Access to vehicle data can not only improve the quality or safety of vehicles, but also create new data-driven business models. From a technical point of view, it would be possible to dock CARUSO as an external cloud to Gaia-X to store mobility data according to European data sovereignty standards.

Sharing Data in the Financial Industry

Back to Gaia-X with a look at the financial sector: among the now more than 300 members of the Gaia-X initiative, only a few financial and insurance service providers can be found so far (a complete list of members can be found here (16)). Well-known companies are BNP Paribas, CNP Assurances, Crédit Agricole and Deutsche Bank. However, Gaia-X is not yet a finished cloud alternative; accordingly, there are only a few concrete use cases so far:

  • Financial Big Data Cluster (17): The FBDC has set itself the goal of building a large, networked pool of financial data to combat money laundering and market manipulation. The technical background is that a lot of data is needed to detect deviations from patterns. Money laundering, for example, is just as much a deviation from average customer behaviour and can be better identified if more data is available from many customers.
  • Sustainable Finance (18): Based on large amounts of data, pattern recognition is also applied here through the use of artificial intelligence in order to check exploratively which sustainable factors have an effect on risk minimization.

Due to the stage of development of the Gaia-X initiative just mentioned (there is no concrete offering on the market yet), 13 European financial institutions have joined forces to form the “European Cloud User Coalition” (19). These include Commerzbank as the initiator and other well-known representatives such as the German stock exchange, ING and UniCredit. The goals of the alliance are basically the same as those of the Gaia-X initiative: data sovereignty with European data protection must prevail in the cloud, and dependence on American providers is to be reduced. In addition, however, the alliance calls for European data protection to be fulfilled in cooperation with American cloud providers as well. In particular, a standardization of contracts between European financial institutions and American cloud providers is demanded. It can be assumed that the European Cloud User Coalition does not want to wait for Gaia-X, as Gaia-X will not reach market maturity until 2022. In contrast, Commerzbank wants to outsource 80% of its applications to the cloud by 2023 (19).

Conclusion and Outlook

The goal of the European credit institutions is clear: a data infrastructure in accordance with the principles and goals of the Gaia-X initiative must emerge. It only remains to be seen which path is the faster one. Option 1: US data protection law changes towards stricter handling, without the US authorities having access to European companies and thus to personal data of European citizens. Option 2: Gaia-X reaches market maturity with a concrete offering and can attract financial institutions as customers. Option 3: With the help of government funding and support, Euclidia reaches its aim of making European cloud services competitive and attractive to European companies. The advantage with Gaia-X would be that financial service providers can still get involved until market maturity and can influence requirements in their favour, so that they only have to adapt their own systems marginally at best. If banks want to create a short-term transitional solution and remain dependent on U.S. privacy law, joining the European Cloud User Coalition is worth pursuing. A short-term agreement between the EU and the US that weakens or suspends the relevant provisions of the CLOUD Act is conceivable and desirable. In the long term, Gaia-X is to be seen as a real alternative to the American providers and primarily serves the development of and compliance with European data sovereignty and European data protection.


