Abstract

This Study discusses extensively the concept of “European Digital Sovereignty”. It presents the opportunities opened by the concept but also the risks and pitfalls. It provides a panorama of the major debates and developments related to digital/cyber issues in Europe. Here is the Executive Summary of the Study:

“The Times They Are A-Changin”. When Jean-Claude Juncker, then President of the European Commission, proclaimed in 2018 that “The Hour of European Sovereignty” had come, half of Europe criticized him, recalls Paul Timmers. Today hardly a day goes by in Europe, without a politician talking about “digital sovereignty”. 

From a purely normative point of view, the concept makes little sense. It can only further accentuate the classic confusion surrounding the use of the term “sovereignty”, which is one of the most equivocal terms in legal theory and which has been criticized by a famous scholar for often being nothing more than “a catchword, a substitute for thinking and precision”. Still, from a political point of view, “European digital sovereignty” is an extremely powerful concept, broad and ambiguous enough to encompass very different things and to become a “projection surface for a wide variety of political demands”.

This study analyses in a detailed way the two understandings of the term: sovereignty as regulatory power; and, sovereignty as strategic autonomy and the ability to act in the digital sphere without being restricted to an undesired extent by external dependencies. While doing so, this study presents a panorama of the most recent le-gislative proposals (such as the Data Governance Act) and the most important debates on digital issues currently taking place at the European level: 5G deployment and cybersecurity concerns; international data transfers and foreign governments’ access to data after SchremsII; cloud computing; the digital services tax; competition law; content moderation; artificial intelligence regulation; and so many others.

The first part of this study challenges the sometimes expressed idea that Europe is a somehow “powerless” entity, unable to regulate the digital sphere and big tech companies. Applying Anu Bradford’s concept of “The Brussels Effect”, this study shows that the EU is the most powerful global actor in the field of digital regulation. Far from being normatively irrelevant, Europe has become, through the “Brussels effect”, a “global regulatory hegemon unmatched by its geopolitical rivals”. 

This does not of course mean that Europe can or needs to regulate everything. There are several limits to what Europe can and wishes to regulate. These are due to internal and external factors. Internally, regulatory action could be blocked by political disagreements among EU Member States; legal obstacles (starting with the national security exemption); or economic considerations – for instance the fear that overregulating AI could hinder innovation and affect competitiveness. Externally, situations of interdependence could render international cooperation necessary in order to avoid retaliation, to find constructive solutions and to resolve conflicts of laws and jurisdiction. This study presents some of the top priorities in the field of international cooperation and builds upon proposals to create “strategic partnerships” with like-minded stakeholders in order to defend certain democratic values and human rights in cyberspace. 

The second part of this study focuses on digital sovereignty as strategic autonomy. The EU quest for strategic autonomy in the digital sphere is based on a series of legitimate concerns, including geopolitical considerations and a series of dependencies, the significance of which has been exacerbated by recent important developments such as the US-China “tech war” or the Covid-19 crisis. These concerns have led to initiatives which open opportunities for Europe. However, they also entail potential pitfalls. The EU and Member States should carefully study the risks and successfully navigate around them or, at least, take decisions in an informed way, after sufficiently weighing the potential negative impact of a specific measure.

Europe should first of all undertake to draw the fine line between restrictions based on legitimate reasons (such as compelling cybersecurity or privacy/data protection considerations) and unjustified protectionist measures. Before engaging in anything resembling the latter, Europe should examine the risks posed by such measures.

Another area where much more study is necessary are the current calls for “data localisation” and the idea that “European data must be stored and processed in Europe”. Greater understanding of the stakes is necessary: what exactly does “data localisation” mean at a technical level? What are the exact reasons behind the calls to implement such policies in Europe? What are the potential adverse effects and the costs for European companies? What would be the consequences in terms of cybersecurity? And what could be the potential impact on human rights? Data localisation measures, initially promoted by countries like Russia, are now adopted by other countries. NGOs have indicated that this is “alarming” for the future of the free, open and global internet. What would be the message sent to other countries if Europe embraces data localisation? 

European calls in favor of data localisation are often motivated by genuine and legi-timate concerns, related to data protection, privacy considerations and the fear of foreign snooping into European personal and industrial data. Nevertheless, it is well known that data protection considerations can sometimes be misused as a vehicle to further domestic business interests and protectionism. The question then is how to distinguish between data protection and data protectionism. This paper advances a series of thoughts and a methodology in order to assess if data localisation is, in specific circumstances, an adequate way to deal with data protection risks. It considers that the critical test should be whether restrictions to transnational data flows are proportionate to the risks presented, taking into account the nature of the data and a series of other considerations. As a conclusion, data localisation could not be a ne-cessary, proportionate or adequate response to serve data protection in cases where the likelihood of foreign access to data is very limited and where other, more satisfactory and less disruptive, solutions exist.

In a more general way, this study raises the question of what model Europe wishes to promote. An increasing number of voices in Europe are calling for it to imitate certain Chinese policies. For years, Europe has been criticizing Chinese protectionism as well as the “Chinese model” of the internet, a model based on firewalls, surveillance and control. How could Europe avoid policy inconsistency and contradiction if it enters into a “The Chinese do it, we will do it” approach?

The study concludes that Europe has important and hard choices to make in order to achieve strategic autonomy. The “European digital sovereignty” debate is a useful way to inform policy-makers and citizens and to enable decision-making based not on emotions, but on careful risk-assessment and thorough analysis of the issues involved. 

This study can be downloaded here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3748098