European leaders are feeling besieged again. Having spent the past several years building up Europe’s physical defenses against migrants, they now see themselves faced with a less tangible sort of invasion—US technology companies dominating their markets and vacuuming up the personal data of their citizens. And so the cry has gone up from Berlin, Brussels, and Paris: “Digital sovereignty!”
It is a rousing slogan, to be sure. But what exactly is digital, or technological, sovereignty? The term was first popularized in privacy manifestos aimed at obtaining greater individual control over personal information shared via social media and in internet consumer contexts. It helped spur the European Union’s recent General Data Protection Regulation (GDPR) and the US-EU Privacy Shield Framework.
But lately, digital sovereignty has come to be the theme for an ever-widening set of European concerns about foreign technology companies which move well beyond the realm of privacy law. One commonly voiced grievance is the low—albeit legal—rates of tax paid by global internet giants in Europe, which has led to a feeling of sovereign powerlessness, notwithstanding efforts in France and elsewhere to impose a digital services tax.
Another is the evident inability of European companies to match the scale and market dominance of foreign cloud service providers. Sentiment has solidified in major European capitals that foreign companies should not be allowed to capture other burgeoning markets like the one for data analysis using artificial intelligence.
Political leaders in both France and Germany recently have spoken in favor of efforts to develop ‘European champions’ as an alternative to US cloud providers. In September, French President Emmanuel Macron told an interviewer from Radio France International that “the battle we’re fighting is one of sovereignty…If we don’t build our own champions in all areas—digital, artificial intelligence—our choices will be dictated by others.” German Chancellor Angela Merkel has spoken similarly of “digital dependencies” on the United States.
New European Commission President Ursula von der Leyen has echoed these sentiments. Her Political Guidelines for the Next European Commission, issued in July, bravely insist that “it is not too late to achieve technological sovereignty” in some areas of critical technology, including algorithms, blockchain, and quantum computing.
But the evidence to the contrary is stark. 92 percent of the Western world’s data is stored in the United States. Six of the world’s largest ten tech firms are American—none are European. The Brussels-based CEPS think-tank estimates that one US company—Amazon Web Services (AWS)—has one-third of the global market for external servers hosting corporate data. Microsoft and Google follow not far behind, with 16 percent and 7.8% of the market share, respectively. France’s deputy economy minister, Agnes Pannier-Runacher, has even likened AWS’ cloud services to a “soft drug. The more you take it, the more you like it.”
Sign up for the “Plugged In” newsletter, which showcases updates and analysis from the Transatlantic Digital Marketplace Initiative on the latest information and thinking on digital policymaking in Europe and its potential impact on the United States.
Despite past failed French state-supported efforts to crack this market, France is poised to try again. Finance Minister Bruno Le Maire recently announced that leading French companies Dassault and OVH would develop plans for entering the cloud services market
In October, Paris and Berlin announced a new project, known as Gaia-X, to connect various cloud providers around Europe using open standards, thereby allowing businesses and customers to move their data around freely within the network, subject to shared data privacy and security standards. A statement from Germany’s Economy Ministry described Gaia-X as “an enabler for platforms ‘Made in Europe” and declared that it would “enable companies and business models to scale out of Europe competitively world-wide.” Project organizers also anticipate that such a broad pool of data will be a valuable resource for developing data analysis tools involving artificial intelligence.
Don’t buy American
As more and more governmental entities in Europe entrust public sector data to US cloud companies and increasingly rely on their software, anxiety has grown across the continent about the ability of the US government and companies to obtain Europeans’ stored data for their own purposes.
In September, the German Interior Ministry publicized a study it had commissioned from the consulting firm PWC on ‘digital sovereignty in public administration.’ Interior Minister Horst Seehofer emphasized the report’s finding that there was increasing dependency on the standardized software products of a few foreign companies. “In order to safeguard our digital sovereignty,” he asserted, “we will reduce dependency on individual IT providers, as well as review alternative programs to replace specific software.”
This federal announcement followed a number of decisions at the state level to no longer utilize foreign software in processing public data. Microsoft, for example, has lost contracts for the use of its Office 365 software program in schools in Hesse, after the state data protection authority there objected that the tech giant could utilize collected student data for its own internal business purposes.
While the long reach of US intelligence agencies remains a worry across European governments, lately greater concern has been focused on the expansive extraterritorial ability of US law enforcement agencies to obtain foreigners’ personal data. The 2018 US CLOUD Act clarified that a US court may require an internet platform with a US presence to produce a customer’s personal information for use in a US criminal investigation or prosecution—even if it the data is held on a foreign server.
European governments are beginning to react to the CLOUD Act in ways that emphasize sovereignty concerns. In Sweden, a government digitalization organization—eSam—has ruled that outsourcing public sector data to US cloud service providers subject to the CLOUD Act would violate that country’s law on public access to information and secrecy. In France, a government commission has issued a report (the Gauvain report) that recommends strengthening and expanding the scope of the country’s blocking statute to prevent corporate compliance with unilateral US law enforcement demands for electronic data.
Technology and geopolitics
Politics, of course, plays an important role in all these contexts. In Europe, it is impossible to completely separate technological and legal considerations from political sentiments about US and Chinese economic influence, as the ongoing controversy about 5G telecommunications networks demonstrates. Europe’s aspirations for ‘digital sovereignty’ thus reflect the extent to which it feels caught in the US-Chinese technological competition. The pursuit of greater technological independence will be an interesting test for the geo-political ambitions of von der Leyen’s European Commission.
Kenneth Propp is a nonresident senior fellow in the Atlantic Council’s Future Europe Initiative.
Tue, Oct 22, 2019
As concern skyrockets over political disinformation, hate speech, and terrorist incitement on the Internet, legislators across Europe are scrambling for regulatory answers.
New Atlanticist by
Thu, Oct 3, 2019
Under the outgoing European Commission of President Jean-Claude Juncker, the European Union has emerged as the regulatory superpower of the global digital economy. Early signs indicate Brussels will continue to leverage the power of the single market and its regulatory approach when a new Commission takes office in November 2019.
Blog Post by