How far is the EU ready to go to assert its digital sovereignty?
The answer to this question will have profound implications for the structure of the tech industry, as well as the cross-border data flows that increasingly underpin global economic activity.
In its purest form, digital sovereignty means keeping all European data in Europe, under the control of European regulations, and subject to storage and processing by European IT companies. All of these conditions may not be met in all cases, but it is an aspiration that is beginning to have a significant impact on EU digital policy.
Anyone doubting the resolution need look no further than the data bill unveiled in Brussels this week. The bloc’s latest major data law, the General Data Protection Regulation, has set a tough new standard for protecting personal data. Data law instead tackles non-personal information – the data streams discarded by things like modern production lines, transportation fleets and “smart” homes.
The proposed law aims to give customers more control over how they can use this data. The owner of a “smart” washing machine, for example, would be free to choose how the information he broadcasts is used, allowing him to choose a different company to monitor and repair the device than the one from from which he bought it.
This is the vision of a European internal market for data that is more open, but which risks being hermetically closed to the rest of the world.
The law’s requirements for companies to protect data from foreign government surveillance could make life more difficult for US tech companies, even if they store and process all of their European customers’ data in Europe. The requirements are partly a response to the US Cloud Act, which made it easier for US authorities to cross borders to demand data held by US companies overseas.
Concerns like this are already having a practical impact. Microsoft faced a backlash in France after winning a contract to act as a cloud provider for a new government health data repository, which will be managed in France. A French court upheld the American company’s right to do the job, but a decision was then made to have the job done by a European service provider anyway.
Another question is whether deliberate barriers will be erected to hamper major US tech companies. In its initial form, the Data Act would limit the extent to which “gatekeepers” – the term used in the EU’s Digital Services Act to refer to these companies – can benefit from the new data portability freedoms proposed for other companies.
To Americans, proposals like this have always looked like industrial policy designed to help Europe sustain its own tech industry.
At least when it comes to battles over personal data, the controls are stronger. It is understandable that European governments want to protect their citizens from the prying eyes of US authorities, especially after Snowden’s revelations about widespread digital surveillance. However, there are fewer reasons to erect geographical barriers around industrial data.
The promoters of the initiative did little to conceal their objectives. Speaking to the FT last month, Thierry Breton – the EU’s digital economy commissioner and former chief executive of French IT firm Atos – said the aim was “to prepare us so that data is used for Europeans, by Europeans and with our values”. ”.
Data law still has a long way to go to become law. But more immediately, a drumbeat of interventions by European national regulators, carried out under GDPR privacy rules, threatened to slow down transatlantic data transfers.
Earlier this month, the French data regulator ruled that Google Analytics could no longer send data about EU users to the US, echoing an earlier Dutch decision.
And in the largest and most important case of its kind, Ireland’s data registrar said this week that it had completed a draft order barring social media giant Meta from sending the data of its European users across the Atlantic. This imminent threat has already led the company to warn in its regulatory documents that if nothing changes, it is “likely” to have to shut down Facebook and Instagram services in Europe.
US and EU negotiators are working on a compromise that would forestall such threats, with an agreement expected by mid-year. But earlier compromises like this have been overturned by European courts, and a legal challenge by privacy activists against any new deal seems inevitable.