Written by Giulia Lo Bue Oddo
This policy paper is the first part of a two-part series which explores the EU’s strategy for digital sovereignty and looks into the EU’s pre-existing and proposed legislation. After exploring why the EU is pushing for ‘digital autonomy’ and why ‘digital sovereignty’ matters to the EU, I will look into the current landscape of regulations and directives the EU is cementing in response to these pressing issues.
- The importance of digital sovereignty
Organisations and governments are quickly recognising the importance of data as a value-generating asset (Dowden, 2020). Having harnessed data-driven innovation and competitive business models, key players are now united in stressing that data must be protected (Hessel, 2021). Translating this into action means taking several decisions about how data is accessed, collected, stored, and processed. More specifically, the EU must consider defining regulations regarding the location of storage and processing centres, and regarding the type and amount of data which they can store or process.
Looking at present legislative efforts on user-data protection, we see a series of EU regulations and directives emerging throughout the past few years, notably the Digital Markets Act, the Data Governance Act, the GDPR & the FFD regulation, and the NIS Directive & the Cyber Security Act (Hessel, 2021). In 2020, the DMA legislative proposal, inspired by the German “Act against Restraints of Competition”, set out to promote a healthy and competitive digital market. The Data Governance Act, on the other hand, tackles data reuse for Business-to-Business and Business-to-Government data flows (CMS Law-Now, 2021). Going further back, we see the GDPR and FFD regulations, which protect the personal data of EU citizens and non-personal data respectively. Lastly, the NIS Directive addresses how to protect EU critical infrastructure, while the Cyber Security Act establishes security certifications for cloud services across the EU and harmonises the fragmented certification landscape.
To this day, the EU mainly relies on Chinese and American hyperscalers, which implies data stored on foreign-owned infrastructure. Regarding cybersecurity, a variety of technical measures are currently implemented to protect user data at rest or in transit. Protocols such as TLS/SSH, cryptography, VPNs and firewalls protect data in motion against the outside world, while encrypted cloud storage accounts & hard disks protect data at rest against external data theft. Regarding data in use, however, current legislation and technical measures are still not able to fully protect data against a potentially malicious cloud provider (i.e., a provider who misuses or mishandles data). In addition, recent concerns have revealed that foreign powers are able to acquire information from data centres located outside their own territory, e.g., in the EU. These fears, heightened by the introduction of recent legislation such as the 2018 US CLOUD (Clarifying Lawful Overseas Use of Data) Act and China’s 2017 Cybersecurity Act (Stolton, 2019), emphasise the need for the EU to regain control of its data through regulation.
- Looking into the EU’s digital independence as it stands
Although some European politicians and economists have been demanding more digital sovereignty for the EU and its member states (Sahin, 2022), the EU’s plan for strategic autonomy has only recently gained significant momentum, with many articles citing “GAIA-X”, the “EU cyber-certification schemes”, “GDPR”, along with various “Data Acts” and “Directives” (Papakonstantinou, 2021).
Two main trigger points, which intensified the EU’s “push for digital sovereignty”, are:
- A series of ongoing legal challenges against the Google, Apple, Facebook, Amazon, Microsoft (GAFAM) giants (Thieulin, 2019).
- Changes in the geopolitical landscape and new regulations affecting the control of data (Stolwijk, 2022).
The first trigger point is exemplified by Schrems II, a high-profile case (Case C-311/18) decided in 2020 by the Court of Justice of the European Union. Prior to the Schrems II judgement, all mechanisms for international data transfer had to be ‘secure’ and GDPR compliant. This meant that transfers outside the EU and EEA were prohibited unless they met ‘adequate safeguards’ such as EU Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or complied with the EU-US Privacy Shield framework (Thomas Olsen, 2021).
Looking at the lawsuit itself, Schrems argued that Facebook’s practice of transferring personal data to its headquarters in the US directly violated the GDPR, and therefore called for the SCCs under which Facebook transferred personal data to be invalidated.
Although the ruling did not fully invalidate the SCCs, the Schrems II ruling had significant implications for how personal data is transferred to third-party schemes (Sharp Cookie Advisors, 2020). Additional restrictions were placed on SCCs, and the adequacy of protection by the EU-US Privacy Shield was annulled (Decision 2016/1250). Moreover, shortly thereafter, the EDPB stated that the validity of BCRs should also be reassessed. The ruling also reinforced that Chief Data Privacy Officers are obliged to understand and assess what data is stored in the cloud and whether any data is being transferred outside the EU. The Schrems II judgement resulted in a range of affirmative actions which question or restrict the current data-transfer mechanisms, suggesting that the EU was ready to move towards “being in control” of its own data.
Regarding the second trigger point, new regulations such as the US CLOUD Act and the Chinese Cybersecurity Act quickly led members of the critical sectors (sectors “essential for the maintenance of vital societal functions”) and businesses to worry about the impact of such laws on “EU data sovereignty” (Kissane, 2018). Moreover, changes in the geopolitical landscape are the other element that has boosted the EU’s drive to seek a comprehensive set of digital sovereignty tactics. Examples of this are the fragility of international supply chains, epitomised by the Suez Canal blockage and later the Covid crisis, and trade wars such as the 2018-2020 US-China trade war, the impending Lithuania-China row, and the AUKUS rift with France (GlobalNews, 2021). To date, the EU’s digital sovereignty tactics are extremely varied. On the legal and cybersecurity side, they range from IT security to strengthening Europe’s digital economy, to regulations, intellectual property and patents, and digital diplomacy. Technically, this implies developing a solid network & data centre infrastructure and ensuring adequate technical competency.
As digitalisation makes data more valuable, and the cloud becomes the powerhouse of AI and other essential technologies, EU regulations such as the GDPR, Data Act, and Data Governance Act are meant to control the flow of data across borders to prevent the risk of access by non-European authorities (Karlstad, 2021). Digitally, businesses deal with key actors across the value chain and the wider ecosystem. They must therefore be able to retain control of their data flows, knowing whom they are exchanging information with and, in turn, identifying themselves. From a business perspective, digital sovereignty would foster competition and also aid businesses, investors, and owners in ‘staying on top of the market’, extracting value from data to predict, observe and react to the relevant market dynamics (International Data Spaces, 2021).
- Existing and proposed legislation
Looking into some of the key regulations within the repertoire of the EU’s existing regulations and directives, I now show how each of them contributes to shaping Europe’s Digital Future.
4.1. Digital Markets Act (DMA)
Current competition regulation policies of evidence-based lawsuits and case-by-case investigations have not delivered the desired results, with the digital market still controlled by a few dominant ‘hyperscalers’. Several papers have pointed out the recurrent pattern of small to medium enterprises (SMEs) relying on ‘gatekeepers’, such as Google or AWS, with data increasingly accumulated in the hands of the few. This pattern, further accentuated by the Covid pandemic, forced businesses to rely on cloud solutions which were sometimes incompatible with IT security and data protection due to vendor lock-in effects. Looking into the DMA, we note that gatekeepers are defined based on the number of users and the turnover of companies, i.e., ‘large user bases’. Gatekeepers are therefore major online internet players which channel a lot of traffic through their platform. The DMA details the set of obligations gatekeepers must implement daily, the strict rules in place to keep gatekeepers in check, and the mechanisms and sanctions for non-compliant behaviour (10% of worldwide turnover). For example, under Article 6 of the DMA, self-preferencing is prohibited and gatekeepers must ensure interoperability with third-party software. Article 6(1)(h) goes on to create rules requiring gatekeepers to facilitate data portability, to prevent ‘silos’ of stored data which lead users to be locked into certain platforms.
4.2. Data Governance Act (DGA)
Along with the DMA, the Data Governance Act aims to level the playing field between market players by setting data-sharing provisions and interoperability requirements and by improving data access for the public sector. Introduced in 2021, the DGA establishes the data governance framework for sharing industrial data and allows B2G data-sharing of personal information. Hailed as “a good milestone of the European Data Strategy”, the Act introduces data-sharing provisions, strives for interoperable and standardisable software, and allows data access for the public sector.
Sharing data would bring together the vast amount of data produced by the EU industrial base, thus providing the critical mass needed for big data, analytics and AI. Dealing with data at large scale would therefore lead to more efficient outcomes, with data sharing and data reuse also leading to fewer errors and reworks. Indeed, until the DGA came into place, the protection of reuse of non-personal data was fragmented and indirect, with private contracts saturating the market. This often led to asymmetrical access and usage rights for SMEs, start-ups and businesses. By offering legal protection for the reuse of non-personal data through its data-sharing provisions, the DGA encourages hesitant organisations to share more data, so that organisations remain in control of their data while benefiting from the co-generated data. By the same token, the interoperability requirements are meant to limit the power of large data monopolists which rely on vendor lock-in practices to restrict competition in data-driven markets. Although the DGA’s aim is to enhance portability, its full effectiveness can be seen only in light of the pre-existing (i.e., the Cybersecurity Act) and future legislative proposals that instil trust and prevent potential theft of intellectual property.
Overall, in covering ‘all’ types of data (GDPR and/or FFD compliant), the DGA’s long-term aim is to allow for a common “safe” European data space, which acts as a single market for data where high-quality data can be shared to boost research and innovation. In line with the EU’s view of providing solutions which benefit the whole economy, the DGA’s benefits reach multiple actors, ranging from public bodies (such as governmental agencies) to the private sector (businesses) and consumers. Regarding public bodies, the DGA paves a legitimate way for them to access data in the public interest. Regarding consumers, it empowers them and allows them to retain more control over their data. Regarding businesses, it creates the ability to benefit from data exchange and to switch between different cloud services.
4.3. Free Flow of Non-Personal Data Regulation (2018/1807) and the General Data Protection Regulation (2016/679)
While the GDPR legally ensures that national laws protect key economic actors and citizens alike, with the protection of personal data largely covered by the GDPR (see point 1, Article 4), the same could not be said (until 2018) for the processing of non-personal data. As businesses and governments realised that data without personal references has a significant degree of economic relevance, “especially in innovative services and the research & development of new technologies”, the EU presented its ambitious “digital decade” strategy at the 2021 Conference, highlighting its two top priorities: the green and the digital transformation.
In recognising that data is of great economic value to companies, government players and citizens alike, the Commission highlighted the need for personal and non-personal data to flow in the digital market. Allowing data to be exchanged, reused and processed would ensure “technical innovation, competitive growth and equality”. In 2019, the FFD was approved by the European Parliament. The regulation was set to promote the European data industries and the development of cross-border technology. The FFD prohibits all forms of data-localisation requirements. A direct data-localisation requirement would be an obligation to store data on servers in a specific geographic location, while an indirect data-localisation requirement would be a technical facility which hinders the processing of data outside a specific location. Taken with the GDPR, the two regulations offer a comprehensive framework for a common European data space and the free movement of data within the EU.
Overall, the FFD requires and encourages players to develop self-regulatory codes of conduct at EU level which address the porting of data, fostering the free movement of data and avoiding vendor lock-in. Taken along with the GDPR, the free movement of data, together with upholding data portability and eliminating data-localisation requirements, should aid medium-sized businesses in expanding across borders and developing new innovative services, leading to a competitive data economy.
4.4. NIS Directive (2016) & the Cybersecurity Act (2019)
With cyber-attacks growing increasingly common and severe, and trust and confidence around innovation in the tech space waning, the NIS Directive addresses the grounds and obligations countries must apply to national critical infrastructure were a cyber-attack to occur. National critical infrastructure covers the finance, insurance, health, transport, traffic and energy sectors. The NIS Directive targets the vital operators of member states’ economies and lays the groundwork for a high common level of security of network and information systems across the Union. By creating a uniform legal framework for cybersecurity, the NIS Directive aims to foster and enhance cooperation among the EU member states.
Security requirements and incident-reporting obligations are introduced for operators of essential services and digital service providers. With this directive, member states must introduce appropriate technical and organisational measures to secure network and information systems. The other key point attributed to the NIS Directive is the definition of the roles of ENISA and other stakeholder agencies on cyber issues. The Directive clarifies that ENISA has a key role in supporting member states, EU institutions and other stakeholders on cyber issues, while the EU agencies take care of organising EU-level cyber security training exercises such as the annual pan-European cybersecurity exercise. The EU would instead support and promote EU policies on cyber security and advise member states on the implementation of the directive, thereby facilitating information sharing between the agency and the member states. Lastly, the directive allows companies to certify their ICT products and services against cybersecurity risks. It proposed three different assurance levels: basic, substantial, and high, where the basic assurance level merely requires service providers and manufacturers to carry out security compliance assessments themselves.
The 2019 Cybersecurity Act addresses the market fragmentation of cybersecurity standards, removing barriers between EU countries where member states had implemented different standards. It provides a permanent mandate for ENISA, allocating more resources to it so that it can fulfil its goals, pushing for ‘security by design/by default’ practices and, more importantly, establishing an EU-wide cybersecurity certification framework for products, processes and services. The regulatory framework would help ensure compliance with specified (pre-existing) cybersecurity requirements (e.g., those imposed by EU policies and regulations), while an EU-wide certification scheme contributes to building trust among users and allows businesses to carry out cross-border activities.
When compared to the NIS Directive, the Cybersecurity Act is directed toward all players (and not merely the critical sectors). Overall, the Cybersecurity Act reinforces trust in IT processes at a Union level and shapes a safer cyber-environment within the EU, pushing for collaboration on a greater scale.
To conclude this section, the EU is continuously updating its legislation in order to keep pace with current market demands and geopolitical trends, which have fuelled new legislation in the US and several court cases at the international level.
- Summary and road ahead
Firstly, I discussed the ‘trigger points’ which led the EU to wish to be less dependent on foreign infrastructure and to search for strategic autonomy and competitiveness. Secondly, I provided a panorama of the relevant digital legislation and discussed how each piece of it is instrumental in achieving the EU’s digital vision. I showed how the ground-breaking Schrems II case emphasised that sensitive and/or critical data is to stay on sovereign soil. In the second part of this series, I will describe how the EU is taking action by building an independent ‘sandbox’ to host next-gen technologies.