Sovereignty vs. Who Actually Owns Your Data?
Hello Data & AI Leaders,
In a recent chat with a Deep Tech expert, we discussed how realistic is data sovereignty in Europe? As many of you reading this know, most components are owned by non-German, even non-EU vendors. We came to the conclusion that while Germany may have data centers, we are limited in our choices for European providers of tools and storage.
Instead, the question we should be asking is, who actually owns our data?
☁️ The Illusion of Sovereignty in the Cloud
As privacy advocate Max Schrems recently explained in this article, the promise of the cloud was control, transparency and affordability.
But now? According to Schrems:
“The promise of the cloud was that everything would be much cheaper, but it turns out that it functions as a monopoly.”
„If you want to host your [data] somewhere you can trust, Europe is probably the most stable place you have right now.”
He’s right – and he’s being polite. The reality is, we’ve poured billions into physical infrastructure here in Germany, but we haven’t cracked the core challenge yet: ownership of the stack. Innovation happens at the layer above the data centre – in APIs, AI models, ML frameworks, and software-defined networks. And most of those still run on American (or Chinese) terms.
🤖 Security & Sovereignty are linked
🌍 Even if your DCs are in Germany, the layers above often aren’t. Hardware, cloud services, AI tools may be built outside, owned by foreign firms. That creates risk, from supply-chain insecurity to regulatory exposure to geo-political instability. It’s not enough to say your data is “in Germany.” Who owns the software? The firmware? The APIs? Who gets updates? Who controls vulnerability patches? All those layers matter.
What KMUs Can Do: Tools & Strategy
1️⃣ Define ownership boundaries: Map out all components: hardware, cloud providers, SaaS tools, AI models. Ask: who owns them? who maintains them? where is data stored and processed?
2️⃣ Choose tech partners with transparency: Vendors who disclose firmware will give you options for audits and also support exit strategies. Prefer European or trusted providers – or at least those with strong guarantees and an understanding of the European data requirements.
3️⃣ Include data ownership clauses in contracts: This means you want to see clauses about right to audit, source-code escrow (if relevant), data export control, and data deletion and portability.
4️⃣ Build your internal data governance + talent culture: Your HR and tech teams need to understand data ownership as part of the job, and part of your data culture. Going forward you should be hiring people who can demand transparency, assess risk, and align with regulatory trends.
💬 Deep Tech & A Culture of Ownership
I covered this more fully in my earlier newsletter on Deep Tech, but the core message applies here too:
There’s no app that’s going to solve the data sovereignty problem.
Deep Tech requires building the hard parts — the parts we don’t own yet. That includes encryption, secure decentralized infrastructure, and talent pipelines that train developers to work at that level. Germany has the infrastructure. We have the engineers. What we need is a culture of ownership.
What This Means for Recruiting & Talent Strategy
If you want a team you can trust here’s what I recommend:
- Recruit for understanding of data ownership in job descriptions.
- Look for candidates who speak to “data supply chain”, “hardware/firmware dependencies”, “vendor risk”, not just “cloud security.”
- Be clear about what you offer: if your stack is owned by third-party foreign suppliers, say so, and what you are doing about it. That honesty builds trust.
- Offer training or exposure to data sovereignty topics. Candidates increasingly ask about these issues in interviews. Being ahead of the curve will help you attract top data talent.
- Most importantly? Stop assuming your cloud provider “has it covered.” The risk, and the opportunity, is yours.
⚖️ Control is upstream, not just compliance downstream.
Data security isn’t just about firewalls and encryption. It’s about who owns what. It’s built into every layer before the cloud, before the app, before the “secure-by-design” label.
Yes, we want our data centers in Germany. Yes, we want reasonable, prudent European regulation. But we also need non-German, non-EU tools and innovation in our mix – if used with care – with clear ownership, and with exit paths.
Until next time,
— Ann
#DataOwnership #DataSovereignty #Security #HiddenChampions
📩 To receive more Hiring Insights, subscribe to this newsletter here, if you haven’t already.
And if you’re looking for a new role yourself, sign up to our job newsletter or check our current openings and career tips.
Sovereignty vs. Who Actually Owns Your Data?
Hello Data & AI Leaders,
In a recent chat with a Deep Tech expert, we discussed how realistic is data sovereignty in Europe? As many of you reading this know, most components are owned by non-German, even non-EU vendors. We came to the conclusion that while Germany may have data centers, we are limited in our choices for European providers of tools and storage.
Instead, the question we should be asking is, who actually owns our data?
☁️ The Illusion of Sovereignty in the Cloud
As privacy advocate Max Schrems recently explained in this article, the promise of the cloud was control, transparency and affordability.
But now? According to Schrems:
“The promise of the cloud was that everything would be much cheaper, but it turns out that it functions as a monopoly.”
„If you want to host your [data] somewhere you can trust, Europe is probably the most stable place you have right now.”
He’s right – and he’s being polite. The reality is, we’ve poured billions into physical infrastructure here in Germany, but we haven’t cracked the core challenge yet: ownership of the stack. Innovation happens at the layer above the data centre – in APIs, AI models, ML frameworks, and software-defined networks. And most of those still run on American (or Chinese) terms.
🤖 Security & Sovereignty are linked
🌍 Even if your DCs are in Germany, the layers above often aren’t. Hardware, cloud services, AI tools may be built outside, owned by foreign firms. That creates risk, from supply-chain insecurity to regulatory exposure to geo-political instability. It’s not enough to say your data is “in Germany.” Who owns the software? The firmware? The APIs? Who gets updates? Who controls vulnerability patches? All those layers matter.
What KMUs Can Do: Tools & Strategy
1️⃣ Define ownership boundaries: Map out all components: hardware, cloud providers, SaaS tools, AI models. Ask: who owns them? who maintains them? where is data stored and processed?
2️⃣ Choose tech partners with transparency: Vendors who disclose firmware will give you options for audits and also support exit strategies. Prefer European or trusted providers – or at least those with strong guarantees and an understanding of the European data requirements.
3️⃣ Include data ownership clauses in contracts: This means you want to see clauses about right to audit, source-code escrow (if relevant), data export control, and data deletion and portability.
4️⃣ Build your internal data governance + talent culture: Your HR and tech teams need to understand data ownership as part of the job, and part of your data culture. Going forward you should be hiring people who can demand transparency, assess risk, and align with regulatory trends.
💬 Deep Tech & A Culture of Ownership
I covered this more fully in my earlier newsletter on Deep Tech, but the core message applies here too:
There’s no app that’s going to solve the data sovereignty problem.
Deep Tech requires building the hard parts — the parts we don’t own yet. That includes encryption, secure decentralized infrastructure, and talent pipelines that train developers to work at that level. Germany has the infrastructure. We have the engineers. What we need is a culture of ownership.
What This Means for Recruiting & Talent Strategy
If you want a team you can trust here’s what I recommend:
- Recruit for understanding of data ownership in job descriptions.
- Look for candidates who speak to “data supply chain”, “hardware/firmware dependencies”, “vendor risk”, not just “cloud security.”
- Be clear about what you offer: if your stack is owned by third-party foreign suppliers, say so, and what you are doing about it. That honesty builds trust.
- Offer training or exposure to data sovereignty topics. Candidates increasingly ask about these issues in interviews. Being ahead of the curve will help you attract top data talent.
- Most importantly? Stop assuming your cloud provider “has it covered.” The risk, and the opportunity, is yours.
⚖️ Control is upstream, not just compliance downstream.
Data security isn’t just about firewalls and encryption. It’s about who owns what. It’s built into every layer before the cloud, before the app, before the “secure-by-design” label.
Yes, we want our data centers in Germany. Yes, we want reasonable, prudent European regulation. But we also need non-German, non-EU tools and innovation in our mix – if used with care – with clear ownership, and with exit paths.
Until next time,
— Ann
#DataOwnership #DataSovereignty #Security #HiddenChampions
📩 To receive more Hiring Insights, subscribe to this newsletter here, if you haven’t already.
And if you’re looking for a new role yourself, sign up to our job newsletter or check our current openings and career tips.