Advancing European Internal and External Digital Sovereignty

EU Sovereignty in the Digital Age

The European Commission has declared the years 2020–2030 Europe’s “digital decade”, and a key challenge in this period is secur­ing European “technological sovereignty” and digital sovereignty. These terms were first used by industry representatives who cautioned that industrialised European nations were dependent on the availability, integrity, and controllability of current and emerging technologies, both for civilian and safety purposes, and that Europe was lacking production capacities and R&D in­vestments – which threatened technological sovereignty. Given that many concerns regarding the vulnerability of critical tech­nological infrastructure are often also discussed as cybersecurity issues, the term “digital sovereignty” has emerged and is sometimes used interchangeably with “tech­nological sovereignty”. Such discussions of the various dimensions of sovereignty demonstrate that the concept of sov­er­eignty has become even more complex and is nowadays better understood as a process, not a status quo. In other words, sovereignty no longer merely refers to a legally defined status – instead, it needs to be understood in the context of EU actors’ moderating capacity of legitimising their positions through transparent, internal opinion-forming processes and exercising them effectively internationally in multi-stakeholder bodies and institutions such as the TTC.

Consequentially, European technological and digital sovereignty have an internal and external dimension and emphasise that the key tool for European re-sovereignisa­tion is Europe’s regulatory power based on its norms and values. Internally, the EU can offer guidance on transnational and com­plex issues such as liability in the platform economy or data protection on social media platforms; externally, the EU can institutionalise its core values and norms by set­ting the standards required for access to the internal market. In order to establish a frame­work that is reflective of ethical con­siderations and protects consumer rights while enabling fair market competition, company growth, and innovation, the EU – represented by the European Commission and the Council of Ministers – needs to facilitate cooperation between corporations, interest groups, and public bodies in com­plex and transnational issues such as inter­operability and liability. Thus, an appropriate understanding of European sovereignty in the digital age encompasses both the in­ternal and external dimensions of European action, and that refers equally to the mem­ber state, European, and international levels of digital policies. In other words, sov­ereignty today is more appropriately understood as a multi-level political prac­tice.

EU Digital Policy

As part of Europe’s digital decade, the Euro­pean Commission initiated a variety of acts and directives with a special focus on digi­tal sovereignty and both of its dimensions: externalising European norms by regulating access to the internal market, and deepening European integration by providing guid­ance on digital challenges. Although regu­latory competencies for current and emerg­ing digital technologies rest with member states, EU digital policy has advanced posi­tive and negative European integration (see SWP Comment 43/2015) and non-binding documents, such as the CCoC, and demon­strates successful leverage of European regulatory power in digital foreign policy affairs. The following brief overview of the central pillars of the EU digital strategy and relevant tools illustrates two key observa­tions: The EU seeks to safeguard its digital sovereignty by externalising its fundamental values, such as core principles of the internal market (mutual recognition, direct-effect, non-discrimination, etc.), but its new rules and regulations primarily apply to foreign companies, especially in the US and Asia (specifically South Korea and China), which can lead to disputes.

A common EU digital foreign policy first started to take shape with the 2016 EU Net­work and Information Security directive (NIS Directive), which consists of three parts – national capabilities, cross-border collaboration, and national supervision of critical sectors – and first set international standards in the cyber realm by regulating access to the European market. Since 2021, the NIS 2.0 Directive and the mandate of the Committee on Industry, Research and Energy to enter into interinstitutional nego­tiations has further advanced the debate surrounding framework guidelines for Euro­pean cybersecurity and demonstrated potential for harmonised EU-wide cyber regulation.

In 2019, the European Parliament adopted the EU Cybersecurity Act, which established a cybersecurity certification framework for information and telecommunication prod­ucts and services that companies want to offer on the European market, overseen by the EU Agency for Cybersecurity (ENISA). Additionally, the Commission issued a rec­ommendation for ensuring the cybersecurity of 5G networks in March 2019 and presented a “toolbox” on secure 5G net­works in Janu­ary 2020. The toolbox in­cludes strict access controls before allowing a telecommunications company to contribute to the estab­lish­ment and operation of national 5G net­works. Especially in the US, where the Federal Communications Commission has identified and listed five companies (all from China) whose equipment and services are deemed an unacceptable national secu­rity risk, critics remarked that the toolbox was not strict enough. Meanwhile, some European governments and companies have expressed concerns for the advance­ment of their digital connectivity if global market leaders such as China’s Huawei are excluded from the internal market, which again illustrates the importance of agreeing on norms and standards with the US, as American companies can provide feasible alternatives and help advance European connectivity.

The 2021 Artificial Intelligence Act (AI Act) constitutes the first regulatory frame­work for such technologies worldwide, as it introduces a risk-assessment framework that is designed to regulate access to the European market based on the risk category evaluation of a company’s AI technology products. European and inter­national companies have welcomed the introduction of a regulatory framework in a hitherto largely unregulated field, but they have expressed concerns that the act could prove to be innovation-inhibiting, as com­panies do not yet know how strictly the evaluation criteria will be interpreted and could thus lose the incentive to invest in new AI applications that they might never be able to commercialise, as interoperability with European systems is uncertain.

The European e-commerce directive was over 20 years old when the Digital Services Act (DSA) and Digital Markets Act (DMA) were introduced, which address issues that have arisen with the emergence of new prod­ucts and service providers on the digi­tal market. Still, the e-commerce directive remains the cornerstone of European digital strategy and digital foreign policy tools of regulating market access and insti­tutionalising European norms. The e‑com­merce directive sets standards for transparency requirements for service providers and liability along the business chain, to in­clude intermediary service providers, and general rules for commercial communications. As the digital economy further diver­sified and personal data of private citizens themselves became an economic good, the EU updated its rules to ensure the data sov­ereignty of its citizens and companies.

The DSA introduced new rules in the issue areas of transparency, with specific information obligations on the storage and commercialisation of user data, handling hate speech and participation bans, and re­porting users who are found to share illegal content. The DMA is designed to establish a level playing field for enterprises in the digital age and to enable innovation and growth. It is tailored to regulate “gatekeepers”, which are defined as “large, systemic online platforms”. Examples of gatekeepers (although no companies have been des­ig­nated as gatekeeper so far) would be Amazon, Meta, and Alphabet. Small and medium-sized enterprises (SMEs) depending on these gatekeepers shall be protected by the DMA, as gatekeepers can no longer utilise their power as platform providers to advertise their goods and services more prominently, or prevent users from un­installing or disabling specific software if they wish to do so. Furthermore, gatekeepers are now required to allow commercial users access to data they generate while using their platforms, and to allow third parties to inter-operate with their services. The data sovereignty of European citizens is also protected by the recently adopted Data Act, which clarifies under which conditions private data can be commercialised.

The 2022 EU Chips Act is designed to inte­grate national efforts into a coherent European semiconductor research strategy and to facilitate collective action for (re-) build­ing production capacities in order to reverse the trend of outsourcing semiconductor production – Europe once had the highest production output but now only 10 per cent of the global chips industry’s market shares are there. Chips (also known as semiconductors) are critical components of digital technologies manufacturing, both in the civilian and military realms – and currently so high in demand that there is a global shortage. While American com­panies such as market leader Qualcomm design the chips, they are manufactured mostly in Taiwan – one single Taiwanese company produces 92 per cent of the global chip supply of the most advanced chip type, creating a highly vulnerable supply chain bottleneck.

This outlined European digital foreign policy has already greatly advanced the data sovereignty of European citizens and levelled the playing field of the digital market while also increasing protection against cybersecurity threats, thus significantly contribut­ing towards securing European digital sov­ereignty. However, Europe cannot achieve digital sovereignty alone – as of now, it lacks production capacities, big digital tech­nology companies, and to some extent also the relevant digital infrastructure. Therefore, transatlantic cooperation and action are necessary for securing the digital sov­er­eignty and geopolitical position of the EU and to further ensure fair market competition and the safeguarding of the civil liber­ties of its citizens – and the same applies to the US. For instance, the US and the EU account for 21 per cent of the world’s semi­conductor manufacturing capacity, but for 43 per cent of the global consumption of digital devices, revealing a potentially dan­gerous dependency on Chinese manufac­turers.

Institutionalisation of the TTC

All recent conflicts in matters of trade and tariffs aside, the EU and the US still share an unwavering commitment to democratic values and fair market competition, which distinguishes them from Chinese competitors in digital services and technology pro­duc­tion. Therefore, the European Commission proposed a Trade and Technology Coun­cil (TTC) in mid-2020 to find common ground on trade and technology standards after a contentious relationship and dis­agreements with the US on economic poli­cies during most of the Trump Ad­min­is­tra­tion. While this suggestion received only little attention then, the Biden Administration showed greater interest in cooperating with the EU and exploring the idea of an alliance on democratic technology, and the TTC held its inaugural meeting in Pitts­burgh, Pennsylvania, on 29 September 2021. Ten working groups of the TTC have been established, and a second meeting is planned for the spring of 2022.

The overarching European goal being pur­sued via the TTC is “values-based digital transformation”. The European approach in proposing and participating in the TTC clearly bears the hallmarks of the EU digital foreign policy strategy based on the Brussels effect. For instance, its pioneering act on AI regulation, which is designed to prevent the exploitation of this technology for illicit and unethical purposes, first sparked a debate on its purported innovation-in­hibit­ing effect, and then resulted in the estab­lish­ment of a TTC working group seeking to specify the rather broad legal speech of the act. International companies might express a hesitancy to invest in AI R&D when inter­operability with European systems is un­certain, as a lack of compliance with Euro­pean standards means exclusion from the internal market, and thus the loss of an important opportunity to commercialise. However, a realistic take on this issue also shows that such companies can hardly sus­tain their growth if the European market is inaccessible. Therefore, they have to seek cooperation with the EU and comply with requirements that ensure the overarching goal of protecting European citizens’ rights.

A case in which the Brussels effect even extends beyond the regulation of private actors and shapes foreign legislative debates is the US legislative debate on a federal privacy law. This debate gained momentum after a joint call for a federal privacy law similar to the GDPR by key players such as Apple, Alphabet, Meta, and Microsoft. The involvement of dominant tech companies in this process highlights the power of the Brussels effect, as even strong market domi­nators such as Meta need to reconsider their terms of service and data commercialisation business model if they want to retain access of the internal market. This is evidenced by the U-turn performed by its executive board in 2020, when key executives initially threatened to pull platforms such as Face­book and Instagram from the European market in response to the Schrems II ruling but quickly backtracked, as this tactic did not influence the European position as desired. Twenty-five per cent of Meta’s revenue is generated in Europe, which is too big of a share to lose. Consequentially, Meta had to adapt its terms to European stand­ards and has called for a US federal privacy law that converges with the GDPR in order to further increase legal certainty and interoperability.

Such lobbying efforts by US companies underscore the desire of private US actors to cooperate with Europe on digital and tech­nological standards via the TTC in order to retain market access and sustain their growth. Their European counterparts are also highly involved with the TTC through formats such as the Commission’s online con­sultation platform for stakeholder in­volve­ment in shaping transatlantic coopera­tion. All in all, Europe is dependent on US technology while US companies are depend­­ent on access to the European internal market. There are several contentious issues that need to be addressed in order to make transatlantic cooperation and trade more efficient and sustainable. EU policymakers are well-advised to remain cognisant of the success that the digital foreign policy strat­egy of the Brussels effect has already yield­ed for the EU and to pursue this strategy fur­ther, as some topics of transatlantic dispute remain.

“Gatekeepers” of the Digital Market

Conflicts between the partners on both sides of the Atlantic have arisen regarding the planned designation of gatekeepers, which will primarily apply to non-Euro­pean companies such as social media plat­forms mentioned above and digital market­places such as America’s Amazon or eBay and China’s Alibaba. Compliance of such companies with the provisions laid out in the DMA would mean fundamental changes to their established business models, which are based on offering free use of their plat­forms to private users and third commercial actors in exchange for their data and an op­por­tunity to increase the platform’s growth. As access to the marketplaces is free, con­sumers can easily find an SME advertising its products there and then purchase from the SME directly, often at a cheaper price. This means that the gatekeepers need to advertise their own products more promi­nently in order to profit as well. While some observers caution that the definition of gatekeeper should not be too broadly interpreted, and that the designation of gatekeepers should focus on companies with little competition, such as Google – which has a market share of almost 90 per cent in Europe – American partners are concerned that US companies are specifically being targeted, and thus are calling for a broader interpretation of the term. This has created a dilemma for the DMA in terms of preventing discriminatory practices by mar­ket leaders while adopting non-discrimi­na­tory regulations to address data sovereignty and fair competition on the digital market.

Furthermore, US policymakers have ex­pressed security concerns about requiring the possibility to distribute programmes such as apps outside of “closed systems” – in other words, to install apps on smart­phones and other devices without relying on the two dominating market powers, Apple (iOS) and Alphabet (Android). How­ever, this also means that the cybersecurity of smart devices can be compromised by downloading malicious software from a third source without established vetting and verification processes.

The EU has set precedent in issuing such decidedly antitrust regulations for the digi­tal market, such as the DSA and the DMA, and thus set the scene for the transatlantic debate. In the negotiations to come via the TTC, it would be best for the EU to insist on the framework created by the DSA and the DMA for fair competition and data pro­tec­tion while engaging both private actors and transatlantic partners in the design of speci­fications and further pro­visions. This ap­proach could be especially efficient, as the US is currently debating anti-trust legislation concerning big tech companies as well. Given that digital services are “indivisible”, as Bradford puts it, US companies updated their terms of service in accordance with the GDPR, which constitutes the world’s strictest and most detailed data protection regulation, as it would simply be too costly to offer a different service model across dif­ferent countries. As the DSA and the DMA are already in place, the EU has provided a framework for the transatlantic debate, which needs to be specified and fleshed out through a multi-stakeholder effort such as the TTC.

Schrems II and Legal Certainty

Another point of disagreement are data protection regulations, especially since the European Court of Justice (ECJ) voided the “privacy shield” (the transatlantic agreement regulating the exchange of users’ pri­vate data between European company sub­sidies and their American holding com­pa­nies for commercialisation purposes) in Data Protec­tion Commissioner v Facebook Ireland Limited and Maximilian Schrems in July 2020. Until now the EU has failed to imple­ment a new framework, with dire consequences for the companies concerned. For instance, the Aus­trian data protection authority banned the use of the data analysis tool Google Analy­tics, which was a significant setback for Google but also for Austrian companies uti­lis­ing the tool. Following the ruling, the EU Cloud CoC General Assembly, which includes inter­national companies, started to work on the Third Country Transfer Initiative, which seeks to address concerns regarding the pro­cessing of European users’ personal data in a third country by developing a specific “module” to complement the GDPR. How­ever, so far, no third-country module has been introduced, as it remains unclear how such a module should be designed to com­ply with the ECJ’s expectations.

A feasible solution for providing legal certainty for transatlantic data transfers is urgently needed, as interoperability is cru­cial for the provision of digital services and the pursuit of further business opportunities in Europe, both by American companies and European companies working with American digital products. This is an issue of significant importance. The EU should seek to finally agree on a replacement for the EU-US privacy shield to provide legal certainty for European companies using American services, and for American com­panies seeking to design products for the European market. The nomination of an oversight board might be a feasible step towards the institutionalisation of the Third Country Transfer Module, as such watchdogs and their ability to issue fines have successfully mediated company practices and GDPR regulations in the past, for in­stance in the cases of GDPR violations by TikTok and Facebook.

Institutionalising a replacement for the privacy shield first requires a joint Euro­pean effort to agree on a feasible alternative, which is only achievable through deepened integration. The establishment of a replacement for the privacy shield would not only mean a further step in the process of European internal re-sovereignisation It would also be an important signal reaffirm­ing European external digital sovereignty, as GDPR provisions have been successfully externalised via the Brussels effect in the past, and further strengthening the regula­tion and its international implications is nec­essary to underscore the GDPR’s du­rabil­ity and credibility.

Setting the Agenda for Transatlantic Cooperation

Transatlantic cooperation and European tech­nological sovereignty can appear to be mutually exclusive. For instance, the EU Chips Act calls for greater public investments in semiconductor R&D in Europe, where­as the American CHIPS Act, passed in June 2020, calls for investments in chip design R&D in America. Concerns about an emerging and counterproductive “subsidy race” have been voiced on both sides of the Atlantic. Careful leverage of the Brussels effect could also remedy this issue: Both American and European policymakers under­stand that a strictly US or EU focus on reclaiming technological sovereignty is unrealistic, which is why they are discussing areas in which international cooperation is inevitable, such as the procurement of rare earth elements necessary for chip production, via a TTC working group. This debate should also include considerations of an expansion of the TTC, for instance to include Canada, which is also committed to democratic technology governance and can certainly offer resources that are in demand.

As both the EU Chips Act and the US CHIPS Act have only been issued recently, the EU should seize the opportunity to facili­tate transatlantic research cooperation and set regulations for both the semiconductor market competition and the tech­nological capabilities of such products – similar to AI regulation – in order to out­law the inclusion of specific features that make chips made in Europe or the US vulnerable to espionage or sabotage. Trans­national cyber threats such as technological backdoors can only be combated if such equip­ment has equal certification in both the US and the EU. Although only the US currently has sufficient capabilities and expertise to compete with companies such as Huawei, whose products do not meet certification standards, the EU can set the agenda for spelling out the details of future cooperation on – and governance of – demo­cratic technology, as it already suc­cess­fully has in the case of AI technology. The case of Huawei equipment also illus­trates that companies not willing to comply with EU standards face market exclusion, which the EU should emphasise when it wants to protect its citizens’ data from US intelligence agencies as well.

The Way Forward

The path ahead can only be international, and especially transatlantic: American com­panies are dependent on access to the Euro­pean market to sustain their growth, and in turn, European citizens and com­panies (as well as public administrations) are depend­ent on products offered by Ameri­can digital technology companies in their daily lives and operations. Moreover, the US and EU constitute the biggest mar­kets, which are also liberal democracies, in a world where autocracies are on the rise, and they share key values such as the right to privacy and free speech as well as a commitment to free and fair economic com­petition. All of this makes a strong case for transatlantic co­opera­tion in advancing digital development and democratic tech­nologies. Leading up to the spring meeting of the TTC, European policymakers should continue their ap­proach of leveraging the Brussels effect in order to ensure and en­hance compliance with the European standards of fair market competition and data protection. At the same time, it is important to keep the door open for nego­tiations regarding the specif­ics of relatively new provisions such as the DMA’s designation of gatekeepers – the EU has established a pioneering framework for the digi­tal market and should now continue its approach of multi-stakeholder involvement as the regulations are trans­lated into com­pany practices and further spelt out. In order to enter such negotiations with a coherent approach and cred­ible mandate – and thus be able to secure and manifest external digital sovereignty – it is crucial to further advance the process of European internal re-sovereignisation, such as by agreeing on a replacement for the privacy shield. EU regulations developed in the European comitology procedures have been successfully externalised via the Brussels effect in the past, even despite strong initial opposition, and the EU should strive to continue this method, and thus strive to deepen integration.