Op woensdag 9 oktober 2024 is de Brinkhof Internetscriptieprijs uitgereikt aan
Machiel van der Wal.
Zijn scriptie, geschreven ter afsluiting van de master Informatierecht en onder begeleiding van Kristina Irion, werd als winnaar uitgeroepen en beloond met een prijs van 2000 euro.
Van harte gefeliciteerd Machiel!
Abstract:
The Dutch government’s use of public cloud services from hyperscalers is rising. This potentially offers benefits regarding features and cost-efficiency. The question, however, arises whether government data is adequately protected from the jurisdiction of third countries such as the US. In other words, whether government data sovereignty is protected. This concern became especially imminent after the 2022 Dutch national cloud policy, which proved controversial in the scholarly and policy debate. This thesis provides a systematic analysis of how the Dutch legal and policy framework on hosting government data in a public cloud protects the data sovereignty of the Dutch government. US jurisdiction is identified as a risk to government data sovereignty when data is stored using US hyperscalers or their subsidiaries. This allows the US to compel these cloud service providers via legislation such as the CLOUD Act (law enforcement) and FISA section 702 (intelligence agencies) to hand over government data. This matters because it would impact the confidentiality of sensitive government data and the state’s integrity. This risk cannot always be sufficiently mitigated, and the research shows that a ‘sovereign cloud’ cannot be a business proposition for these hyperscalers. Evaluative legal research shows that the Dutch legal and policy framework for hosting government data in the cloud takes a risk-based approach. State secrets cannot be stored in a public cloud. This effectively guarantees data sovereignty for state secrets. A risk assessment should be made for all other types of government data. The prescribed risk assessment includes criteria relevant to data sovereignty, potentially offering protection. However, how the risk to government data sovereignty should be weighed is unclear. One way to better protect government data sovereignty is to introduce data sovereignty requirements for additional sensitive data types. This would require the Netherlands to deviate from the current market-oriented risk-based approach, which, as this research shows, is also apparent in its stance in the European Cloud Certification Scheme discussion.
De jury bestond uit Suzanne Teijgeler, Joris van Hoboken en Anke Strijbos.
Uit het jury rapport:
“De scriptie biedt een scherpe en degelijke analyse van datasoevereiniteit. De scriptie belicht niet alleen juridische, maar ook beleidsmatige en technische aspecten van dit complexe on-derwerp. De scriptie bevat een uitstekend onderbouwd betoog over waarom datasoevereiniteit zo belangrijk is en hoe Neder-lands beleid zich hiertoe verhoudt, en maakt ook indruk door de visie op de politieke context die eruit spreekt.
Zijn scriptie getuigt van een uitzonderlijke diepgang en kennis van zowel de juridische als technische aspecten van het onderwerp.”