Google Cloud Offers UK AI Data Sovereignty but Support Externally
Google Cloud is responding to growing concerns regarding the storage of AI data with the introduction of an option to keep Gemini 2.5 Flash machine learning processing entirely within the UK. This move reflects an effort to acknowledge local data sovereignty and compliance needs, particularly vital for sensitive sectors like financial services where offshore data handling poses significant risks.
However, while organizations can select Google Cloud’s UK region (europe-west2) for their data storage, support requests will continue to be routed to Google’s global support staff, which complicates the notion of true data sovereignty. EU customers, on the other hand, can receive support from personnel based within the EU.
Concerns regarding the effectiveness of maintaining local sovereignty arise as effective support would ideally be conducted in the same jurisdiction. Recent comments from SUSE, a Linux vendor, underscore the importance of ensuring data remains within borders throughout the support process, meaning any potential for data crossing boundaries must be meticulously managed.
To counteract some of these risks, Google is recommending that customers maintain their own encryption keys. This step can help ensure data remains secure from unauthorized access. However, managing encryption keys places additional responsibility on the customer regarding access control and data management.
Alternative Solutions Available
Google also offers alternatives for heightened security and control, including Google Cloud Airgapped, where open-source software operates on completely isolated servers, and Google Cloud Dedicated, which runs its software through a trusted partner (currently only available in Germany and France).
Yet, concerns regarding the implications of operating within a US legal framework linger. Mark Boost, CEO of UK-based cloud provider Civo, has voiced unease about Google’s ties to the United States. He recalled recent plans to train UK civil servants on Google technology, stating, “This new partnership positions Google Cloud at the heart of the UK’s digital infrastructure, despite being governed by the US CLOUD Act.”
The CLOUD Act allows US authorities access to data stored on US companies’ platforms, even if hosted in the UK, raising potential legal and ethical challenges around data privacy.
Seeking Clarity on Data Access Safeguards
Boost stressed the necessity for clear assurances around data access safeguards, asserting that regulations need to be understood unequivocally by individuals, especially concerning sensitive information like NHS health records.
In response to inquiries regarding data access demands from US authorities, a Google spokesperson directed attention to the company’s whitepaper detailing its protocols for handling government requests. They asserted that responses to government inquiries follow international best practices and are evaluated individually for compliance with applicable laws.
Google stated, “In the event of a government request, our policy is to redirect the request to the customer in question.” This applies unless the customer has opted to manage their own encryption keys, which Google facilitates for increased data control.
Ultimately, Google Cloud’s announcements regarding AI data storage signify progress towards regional compliance, though significant complexities remain for businesses navigating the intricate relationship between operational sovereignty, legal frameworks, and data privacy.