Nestled in the heart of South Holland, Leiden is a historic city in the Netherlands known for its rich cultural heritage, prestigious universities, and picturesque canals. But beyond its scenic beauty, Leiden is making waves in the digital privacy arena. According to recent research by TransIP, a whopping 97% of businesses in Leiden are choosing local providers, ensuring compliance with the General Data Protection Regulation (GDPR). This figure starkly contrasts with a national trend where only 24% of organizations remain independent of U.S. tech giants.
In a world where privacy concerns dominate the digital landscape, Leiden is setting a shining example.
The study comes on the heels of an NOS investigation revealing that 76% of Dutch organizations rely on American companies like Microsoft and Google for their email services, raising concerns about potential conflicts between the U.S. CLOUD Act and the EU’s GDPR.
Leiden’s approach to data privacy highlights a growing preference for keeping data closer to home. This strategy not only aligns with GDPR standards but also mitigates risks associated with foreign data laws. Notably, institutions like the Leiden University Medical Center (LUMC) manage their hosting on-site, while others, like City Hotel Nieuw Minerva, opt for nearby Belgian services.
Experts suggest that to fully embrace GDPR compliance, organizations could either manage servers in-house or use entirely Dutch cloud solutions. Despite the challenges posed by international data laws, Leiden’s commitment to local data hosting showcases a robust defense against privacy vulnerabilities.
Companies and organizations in Leiden appear to be well-equipped for compliance with the GDPR privacy legislation. Earlier, NOS investigated companies and organizations across the Netherlands, finding that only 24 percent were independent of American tech companies. Research by TransIP (http://www.transip.nl/) into companies based in Leiden shows that 97 percent choose suppliers within the Netherlands, thus being well-prepared for GDPR compliance.
Earlier this year, NOS examined the use of the cloud by Dutch government services and large companies. The investigation revealed that most organizations host their emails with American tech companies. In 76% of the examined institutions, emails were managed by Microsoft or Google, both U.S.-based companies.
Digital Privacy Legislation in the Netherlands
Europe protects digital privacy through the GDPR (General Data Protection Regulation). In the Netherlands, this regulation is embedded in law through the AVG (Algemene Verordening Gegevensbescherming, the Dutch name for the General Data Protection Regulation). In short, this law makes organizations that collect and use personal data responsible for the security, accuracy, and legality of the processed data. Individuals whose data is processed gain more rights under the AVG.
The CLOUD Act and the GDPR
U.S.-based (tech) companies active in Europe must comply with the GDPR within the EU. In practice, this proves challenging because the GDPR conflicts with the U.S. CLOUD Act. This law requires companies with U.S. establishments to share data with U.S. authorities upon request, even if that data is stored outside the U.S. Consequently, a company might have to choose between complying with the CLOUD Act or the GDPR.
Compliance with the AVG is a Challenge
It’s evident that every company in the Netherlands must adhere to Dutch law. The AVG imposes a duty of accountability on companies and organizations processing personal data. To comply, they must control access to the data they process, even when stored in the cloud.
A Grey Area for the AVG
It’s often assumed that complying with the AVG is relatively simple: as long as data is stored within the EU, the EU’s rules apply, ensuring compliance. However, the CLOUD Act complicates this. The law mandates that companies with U.S. establishments share data with the U.S. government, even if stored within the EU. This makes using cloud services from American tech companies a grey area for the AVG.
AVG Warning from the National Cyber Security Center
In 2022, the National Cyber Security Center (https://www.ncsc.nl/actueel/weblog/weblog/2022/de-werking-van-de-cloud-act-bij-dataopslag-in-europa) warned about the conflict between the GDPR and the CLOUD Act. They pointed out that large tech companies face a choice between complying with the EU or the U.S. This jeopardizes AVG compliance.
Clingendael Concerned About Digital Economic Security
In March 2024, the Clingendael Institute added a warning (https://www.clingendael.org/publication/too-late-act-europes-quest-cloud-sovereignty): digital economic security in the Netherlands (and the EU) is vulnerable to geopolitical shifts. One reason is the over-reliance on U.S. tech companies. If these companies make their services inaccessible for any reason, the consequences could be severe.
How Dependent Are Dutch Organizations on the Cloud?
NOS investigated the dependence of organizations on major cloud providers. Hosting email in the cloud is popular, allowing organizations and companies to use better services with higher security at lower costs. To gauge dependence on tech companies, NOS examined cloud email usage.
NOS Methodology
To determine whether (and which) service an organization uses for email, NOS examined MX records. These MX records are part of the DNS (Domain Name System), which functions like the internet’s phonebook, indicating the address (IP) to which emails should be sent.
76 Percent of Dutch Organizations Dependent on American Cloud Services
NOS analyzed the MX records of 21,670 Dutch government institutions and independent administrative bodies, 3,800 large companies, and 110 companies classified as critical infrastructure. They concluded that 66 percent of the examined institutions and companies host their email with Microsoft and 10 percent with Google, totaling 76 percent. In contrast, 17 percent use a Dutch service, and 7 percent host email themselves. These figures are indicative; a third-party service might also refer to a spam filter, Content Delivery Network (CDN), or load balancer.
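The MX-record method described above can be sketched as follows. This is an added example, not NOS's or TransIP's code: the provider suffixes, the labels, and the sample records (all under the reserved `.example` TLD) are assumptions constructed for illustration.

```python
# Added example: label a domain's mail hosting from its MX records.
# Suffix list, labels and sample records are assumptions, not NOS data.
PROVIDER_SUFFIXES = {
    "Microsoft": (".mail.protection.outlook.com",),
    "Google": (".google.com", ".googlemail.com"),
}

# Constructed zone-file style lines: name, class, type, preference, exchange.
SAMPLE_MX = """\
gemeente.example.   IN MX 0  gemeente-example.mail.protection.outlook.com.
bedrijf.example.    IN MX 1  aspmx.l.google.com.
bedrijf.example.    IN MX 5  alt1.aspmx.l.google.com.
ziekenhuis.example. IN MX 10 mx1.ziekenhuis.example.
hotel.example.      IN MX 10 mx.filter-dienst.example.
hotel.example.      IN MX 20 mail.hotel.example.
"""

def parse_mx(text):
    """Return {domain: [(preference, exchange), ...]} sorted by preference."""
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[1].upper() != "IN" or f[2].upper() != "MX":
            continue  # skip blank lines and other record types
        domain = f[0].rstrip(".").lower()
        records.setdefault(domain, []).append((int(f[3]), f[4].rstrip(".").lower()))
    return {d: sorted(rs) for d, rs in records.items()}

def classify(domain, mx_list):
    """Label a domain by its most-preferred (lowest-numbered) MX host."""
    if not mx_list:
        return "no-mx"
    primary = mx_list[0][1]
    for provider, suffixes in PROVIDER_SUFFIXES.items():
        # Prefix a dot so "notgoogle.com" cannot match ".google.com".
        if any(("." + primary).endswith(s) for s in suffixes):
            return provider
    if primary == domain or primary.endswith("." + domain):
        return "own-domain"  # suggests self-hosting; not proof of it
    # Could be another mail host, or only a spam filter in front of one.
    return "third-party (unverified)"

def survey(text):
    return {d: classify(d, mx) for d, mx in parse_mx(text).items()}

if __name__ == "__main__":
    for domain, label in survey(SAMPLE_MX).items():
        print(f"{domain:22} {label}")
```

The `hotel.example` case shows why such figures are only indicative: the primary MX points at a filtering service, so the record alone does not reveal where the mailboxes actually live.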
How Do Leiden Organizations Handle Hosting?
TransIP examined how major Dutch organizations and companies based in Leiden handle hosting. They selected 30 companies from various sectors, covering hosting and registration for:
- Municipality of Leiden
- LUMC
- Eurotransplant
- Leiden University
- Zorg & Zekerheid
- Leids Dagblad
- BCPlus
- Naturalis
- National Museum of Antiquities
- Leiden World Museum
- Boerhaave Museum
- Corpus
- Loetje
- Shabu Shabu
- La Cubanita
- ‘t Zusje
- Golden Tulip
- Bastion Hotels
- Van der Valk Leiden
- City Hotel Nieuw Minerva
All Examined Leiden Organizations Host Within the EU, Only One Outside the Netherlands
Of the 30 organizations examined, 28 arranged hosting with a Dutch party. One organization (LUMC) stands out for managing all hosting on-site. Another Leiden company, City Hotel Nieuw Minerva, deviates by arranging hosting and registration with a foreign party, using services in Belgium. Both organizations declined to explain their choices.
Two Options for Full AVG Compliance
By arranging hosting and registration with a Dutch host, companies theoretically comply with the AVG. Due to the CLOUD Act, ensuring full AVG compliance is more complex. If the partner is also active in the U.S., the NCSC indicates that AVG compliance can’t be guaranteed. Two options ensure full AVG compliance:
- Fully managing servers in-house.
- Using a 100 percent Dutch cloud environment.
Fully Managing Servers In-House
Like LUMC, companies can fully manage servers on-site. This is costly and requires specialized and experienced personnel. Alternatively, they can rent a server in the Netherlands from a fully Dutch host.
Using a 100 Percent Dutch Cloud Environment
Another option is to use a cloud environment entirely based in the Netherlands and managed by a Dutch company. Companies can rent this service, using a host that employs OpenStack technology, making it relatively easy to build an AVG-proof cloud environment.
Leiden Excels
The examined Leiden organizations meet the requirement that their data is stored within Europe. Leiden excels in this regard. However, full AVG compliance depends on which data is stored and with whom. Further research is needed.