![• According to the commission, EU companies “report reluctance to use cloud services due to
concerns of unlawful or unauthorized access that may lead to IP theft [or] industrial espionage.” This
reflects a “trust problem,” and “the trustworthiness of cloud services equals the trustworthiness of
the data economy,” according to the impact assessment for the Data Act.36
• Both the DGA and Data Act attempt to resolve this trust problem by erecting complex safeguards
that would complicate data transfer outside the European Union. The commission justifies
incorporating such restrictions into otherwise liberalizing measures by citing a threat also invoked in
the GDPR—extraterritorial governmental ac- cess laws.
• The impact assessment identifies two US signals intelligence authorities, Section 702 of the Foreign
Intelligence Surveillance Act (FISA) and Executive Order 12333, as well as China’s 2017 National
Intelligence Law.37 The commission also cites the US CLOUD Act, which allows US law
enforcement to demand information held abroad by communications service providers subject to
US jurisdiction](https://image.slidesharecdn.com/eupushfordigitalsovereignty1-240418121539-2bac532b/85/EU-Push-for-Digital-Sovereignty-1-pptx-12-320.jpg)
EU Push for Digital Sovereignty (1).pptx
- 2. Background They (EU) quickly realized that Europe was at a competitive disadvantage. However, the push for EU digital sovereignty was not based only on these technological and business shortcomings. It also drew on 4 (four) other strands of thinking in the European policy arena. 1. the 2013 revelations by Edward Snowden about bulk electronic surveillance—including of Europeans—by the US National Security Agency (NSA) led to a harsh reaction in many countries, especially Germany. More recently, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, which requires companies within US jurisdiction to provide federal law enforcement with access to foreign-located personal data, has reinforced those concerns. 2. this perception of European weakness at the hands of the NSA and Department of Justice coincided with a growing debate in Europe over the need for “strategic autonomy” in the security and defence sphere. In terms of security and defence, strengthening technological autonomy is now essential” for Europe 3. the COVID-19 pandemic and the explosion of online education and work brought the importance of digital policy to the fore. It also demonstrated the perils of supply-chain vulnerabilities, including dependence on any other country for essential goods or services, including vital technologies or digital services. 4. the EU has finally woken up to the dangers inherent in relying on companies and technologies from countries whose motives may be more geopolitical than commercial.
- 3. The EU Model of Digital Sovereignty 1. significant support in terms of resources and policy for the development of indigenous EU capabilities in emerging technologies 2. an explicit ambition to create global norms and “gold standards” 3. rules at both the EU and member-state levels designed to reduce exposure to external decision-makers
- 4. • But with the release and gradual adoption of key legislative proposals, as well as new national rules in some member states, a pattern has emerged: resources and regulations are aimed at supporting the “Europeanization” of key technologies and assets (including data). In a growing set of circumstances, non-EU companies, wherever they operate, must prove their ability to meet EU standards, with little distinction made between companies based in allied countries—including the United States—and those based in authoritarian states such as China. The tendency toward Europeanization has been accelerated by the search for greater resiliency in digital infrastructures and technologies, especially in the wake of the COVID-19 pandemic and the Russian invasion of Ukraine. • EU policymakers see it as intended to protect the interests of individuals and companies in the EU. But in seeking to promote a “sovereign” ability to safeguard those citizens and manage the European digital economy, the EU and its member states seem willing to use measures that veer toward discrimination and protectionism. At the very least, the EU’s single-market power has the ability to shape standard setting around the world, and the EU has demonstrated a willingness to force others to adopt EU standards or forgo access to its market. In some cases, EU or member- state rules disqualify non-EU companies from a part of that market.
- 5. • Europe was at a competitive disadvantage. • According to the European Commission’s “Digital Compass” report, “digital technologies are mostly developed outside of the EU,” with 90 percent of EU data managed by US companies, and EU-made micro- chips making up only 10 percent of the European market.
- 7. In 2020, the commission introduced proposals for three key pieces of legislation, 1. The Digital Services Act (DSA) 2. The Digital Markets Act (DMA) 3. The Artificial Intelligence Act Intended to Regulate the behavior of Online Platform
- 8. The Artificial Intelligence Act imposes numerous obligations on platforms operating in the EU, including requirements related to 1. identifying and removing illegal content, and 2. combating illegal and 3. counterfeit goods and 4. illegal hate speech. The DSA applies equally to EU-based platforms and non-EU platforms offering their services in the EU. It received final approval in July 2022.
- 9. The Digital Markets Act (DMA) Imposes significant constraints on the competitive behaviour of the largest platforms, designated as “gatekeepers” to the digital economy. • Gatekeepers would be prohibited from preferencing their own products and services, and from using data across different services. The DMA also received final approval in July 2022, with the list of gatekeepers to be identified by spring 2023.
- 10. The Artificial Intelligence Act Establishes rules for the use of AI throughout the EU, aimed at creating a standard for “trustworthy” and “human-centric” AI. • It distinguishes between high-risk and limited-risk AI, with most applications falling in the latter category. A few exceptionally egregious uses of AI are expected to be banned, including real-time facial recognition used for surveillance. The DMA also received final approval in July 2022, with the list of gatekeepers to be identified by spring 2023.
- 11. other pending EU regulatory moves in a few key areas— non-personal data, cybersecurity, and cloud—could well discriminate against non-EU companies or limit their ability to transfer data abroad. These additional proposals are not yet finalized, and potentially discriminatory elements could be removed. But for the moment, these proposals highlight the sometimes-exclusionary nature of the EU’s search for digital sovereignty.
- 12. • According to the commission, EU companies “report reluctance to use cloud services due to concerns of unlawful or unauthorized access that may lead to IP theft [or] industrial espionage.” This reflects a “trust problem,” and “the trustworthiness of cloud services equals the trustworthiness of the data economy,” according to the impact assessment for the Data Act.36 • Both the DGA and Data Act attempt to resolve this trust problem by erecting complex safeguards that would complicate data transfer outside the European Union. The commission justifies incorporating such restrictions into otherwise liberalizing measures by citing a threat also invoked in the GDPR—extraterritorial governmental ac- cess laws. • The impact assessment identifies two US signals intelligence authorities, Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, as well as China’s 2017 National Intelligence Law.37 The commission also cites the US CLOUD Act, which allows US law enforcement to demand information held abroad by communications service providers subject to US jurisdiction
- 13. • the DGA (Article 30) and proposed Data Act (Article 27) require data holders entering into foreign transfers to “take all reasonable technical, legal and organizational measures, including contractual arrangements” to avoid falling prey to foreign-governmental access law. The reference to “technical, legal and organizational” safeguards draws on the recommendations developed for personal data transfers by the European Data Protection Board, in the wake of the Court of Justice’s Schrems II judgment • The challenge will be compounded by the potential interaction of the DGA and DA with the GDPR data-transfer regime, as two scholars have noted • In these circumstances, the easiest course of action for most data holders will be to avoid third- country transfers of non-personal data. A recent survey reported that, since the invalidation of the Privacy Shield Framework, transfers of personal data from the EU to the United States have declined by about one-quarter. Technology industry groups predict that adding mandatory legal safeguards for international flows of non-personal data similarly would lead EU companies—as many as 40 percent of them, according to the previously noted economic study—to respond by localizing data within EU territory. In its push for “data sovereignty,” the EU risks blocking the international flow of industrial data—even to allies and likeminded partners— unless they can meet practically unattainable standards of protection on a case-by-case basis.
- 14. Industrial Data: The Next Frontier for Digital Sovereignty • With GDPR already established as the de facto global standard for protecting personal data transferred outside the EU, the von der Leyen commission has shifted its attention to fashioning comparable protections for international transfers of non-personal data. A recent economic study found that commercially sensitive non-personal data are the most common type of data to be shared across borders • The commission’s 2020 Data Strategy envisioned two separate measures addressing nonpersonal data 1. the Data Governance Act (DGA) and 2. the Data Act (DA
- 15. Data Governance Act Aims to facilitate the reuse by the private sector, for both commercial and non-commercial purposes, of government-held data (G2B), including data originally collected by public health, environmental, and transport authorities. • Commissioner Breton was characteristically geopolitical when announcing the proposed DGA: the com- mission’s goal was “an open yet sovereign European Single Market for data The DMA also received final approval in July 2022, with the list of gatekeepers to be identified by spring 2023.
- 16. Data Sovereignty: Lost in the Cloud? (1) • EU leaders have long recognized cloud services as a key part of digital infrastructure, and have highlighted the importance of home-grown cloud services as an element in achieving digital sovereignty. In 2019, the governments of France and Germany, in conjunction with a number of their major industrial companies, launched GAIA-X, an ambitious project to make cloud services interoperable and, thus, encourage the growth of smaller EU-based cloud providers • The GAIA-X initiative did not aim to create a single European cloud provider capable of competing with the three major US-based “hyperscalers”—Amazon Web Services (AWS), Microsoft, and Google—which collectively provide 70 percent of Europe’s booming cloud-services market. Rather, the goal was to develop common technical standards and legal frameworks so that customers could move data around freely within the envisioned network, including to potential new EU-based services. “The GAIA-X project is not a comprehensive European policy,” a leading European technology lawyer has written, “but it is a concrete realization of the open interfaces, standards, and interconnection needed for the European policy and is explicitly based on principles of sovereignty-by-design
- 17. Data Sovereignty: Lost in the Cloud? (2) • April 2022, GAIA-X released long-awaited policy objectives and labeling criteria that will form the main requirements of its emerging “trust” framework. The labeling criteria distinguish among three levels of service, with Level 3 targeting “the highest level of compliance” for “standards and expectations for data protection, security, transparency, portability, flexibility, and European control, fully aligning with EU regulations.”47 Specifically, Level 3 requires, among other things, that all data processing and storage be done within the EU. • The labeling criteria distinguish among three levels of service, with Level 3 targeting “the highest level of compliance” for “standards and expectations for data protection, se- curity, transparency, portability, flexibility, and European control, fully aligning with EU regulations. • Level 3 providers must also have their main establishment in the European Union and no controlling foreign shareholders. Thus, it appears that a foreign pro- vider would be able to participate in Level 3 activities only in cooperation with a controlling European partner. Non- European companies must demonstrate “their inde- pendence from non-European legislation or access from non-European actors,” GAIA-X has announced, adding that “non-European players will be free to adapt to our sover- eignty framework to operate in Europe.
- 18. The director general of ANSSI, Guillaume Poupard, was explicit about the motive. Europe needs “a rule that only European law is applicable on cloud products certified in Europe” Referencing a desire to “exclude the standard American and Chinese services” from offering services in critical sectors. “This is about...having the courage to say that we don’t want non-European law to apply to these services,” Poupard added. “If we’re not capable to say this, the notion of European sovereignty doesn’t make sense.”
- 19. • To avoid potential WTO litigation, and in the absence of a bilateral agreement addressing e- evidence issues, the EU should signal willingness to use the Trade and Technology Council (TTC) as a suitable venue for addressing the im- plications of the EU’s digital sovereignty approach and devising transatlantic solutions. Established at the June 2021 US-EU Summit, the TTC is intended to “grow the bilateral trade and investment relationship; to avoid new unnecessary technical barriers to trade; to coordinate, seek common ground, and strengthen global cooperation on technology, digital issues, and supply chains; to sup- port collaborative research and exchanges; to cooperate on compatible and international standards development; to facilitate regulatory policy and enforcement coopera- tion and, where possible, convergence; to promote inno- vation and leadership by US and European firms and to strengthen other areas of cooperation.”67 This is an ambi- tious list of goals, and broad enough to encompass every facet of digital sovereignty, from strengthening European capabilities and creating global standards to ensuring a “level playing field.”
- 20. • Although addressing digital sovereignty is not an explicit part of the TTC’s mandate, its main goals and workng-group structure provide an opportunity for the United States and EU to discuss a wide range of issues and ad- dress the tensions around digital sovereignty in the following three areas. 1. Strengthening transatlantic digital capabilities and re- silience 2. Creating global “gold standards” for regulating tech. 3. Examining the European push for localization and, in some cases, discrimination.