Balancing the scale of Data: Data is the lifeblood of the digital economy; however, there have been calls across Europe to ensure digital sovereignty — whereby states protect their citizens and businesses from the challenges of self-determination in the digital sphere. How can the EU and other European countries promote sustainable technological growth while also ensuring digital sovereignty in this sphere?
Committee on Civil Liberties, Justice and Home Affairs I (LIBE I)
Anastasia Khairova (HR)
Topic at a Glance
Data security is once again taking centre stage after the COVID-19 pandemic unexpectedly moved almost all life online. Although legislation such as the GDPR has made great strides in data protection, the pandemic is exposing just how important proper regulation is. With this new need for improvisation as working environments are transferred online, it is important to ask whether Europe is equipped to handle challenges of the digital era while sufficiently guarding sensitive data.
Europe must become technologically and digitally sovereign, said Chancellor Merkel in her speech on the occasion of Germany assuming the European Council presidency in 2020. But for a term that is so central to the current political debate, ‘digital sovereignty’ is surprisingly vague. It could be seen as the fight for the control of data, software (e.g. AI), standards and protocols (e.g. 5G and domain names), processes, hardware (e.g. mobile phones), services (e.g. social media) and infrastructure (e.g. cables, satellites, smart cities): in short, control of the digital. It has become increasingly clear in the past years that digital space has complicated relatively simple notions of national sovereignty and international collaboration, further blurring the lines between the individual, states and private companies.
While the fight has always been waged between private companies for hegemony in social media or search engines, the Snowden revelations in 2013 became a catalyst for a global discussion on data privacy concerning states’ involvement. Data sovereignty has become a global issue since the disclosure of the United States (US) government mass surveillance programme: it monitored not only US citizens but was tracking populations across the globe.
In the wake of what some call a digital Cold War, the European Union (EU) is coming to the realisation that a normative approach to the digital sector is no longer sufficient to protect its political and economic interests. Independent regulation of the digital sector is made more difficult by the fact that most digital products are offered by private companies which are often based outside of the EU. This international dependency has become a pressing issue as the Union is finding its place in the confrontation between the US and China, while pushing to establish itself as a sovereign actor in the digital sphere.
Relevant Policy Measures and Legal Framework
The COVID-19 crisis has acted both as a magnifying glass and an accelerator: it has highlighted the importance of technology for both the economic and health resilience of the Union, and has given rise to a steep increase in the use of digital infrastructure. Digital infrastructure has proved especially vital for social welfare during the pandemic, as online health and education services suddenly became key for national economies.
European reliance on Big Tech companies during an international crisis has become another wake-up call to strive towards European data sovereignty. The crisis has also emphasised the persisting digital divide in Europe — while some of the largest and wealthiest states such as France and Germany are behind in creating digital infrastructure, states such as Lithuania and Greece are leaders in the field.
Recognising that much of the previous legislation had become outdated, the EU passed the General Data Protection Regulation (GDPR) in 2016, aimed at coordinating data privacy laws across Member States as well as providing greater protection and advancing individuals’ rights. As such, it can be considered the world’s strongest set of data protection standards. It places strict rules on how people can access information and limits what organisations can do with the data they collect. At the heart of the law is personal data, which it defines as information that can be used to identify a living person directly or indirectly. This includes names, locations and usernames, but also IP addresses and cookie identifiers. Special attention is given to categories of sensitive personal data — information pertaining to an individual’s ethnic origin, sexual orientation, health, and religious and political beliefs is given greater protection. GDPR is based on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity, confidentiality and security; and accountability. In practice, this limits the amount of data companies are allowed to hold and requires justification for the data collected. It further strengthens the security around the acquired data and forces companies to keep extensive records of their compliance with the regulations.
Just as GDPR replaced the outdated regulation, the EU is currently working on replacing the ePrivacy Directive (ePD), in effect since 2002. The Directive is focused on protecting privacy and security of personal data in electronic communications, as it focuses European law on internet service providers and cell carriers. When updated in 2009, the ePD became known as The Cookie Law because it explicitly required consent from users to process their web cookies. What is important to note is that GDPR does not directly impact cookies, but it does require “unambiguous consent” when collecting data: the ePD overrides the general law implemented by the regulation. The new ePrivacy Regulation (ePR), first drafted in 2017, is still currently a proposal meant to replace the ePD and further complement the GDPR. Although many hoped the ePR would come into force by the end of 2021, it seems unlikely that the regulation will be implemented before 2023.
Further Research and Questions
With sweeping changes across the bloc, the EU has introduced and continues creating new legislation regarding the digital world. However, many have pointed out that although the GDPR is regulatorily strong, its enforcement seems to be an issue. Furthermore, Ireland and Luxembourg have a reputation as the tax havens of the bloc and were found to face significant backlogs in their investigations of foreign companies under GDPR. When conducting your own research on the topic, inquire which issues the EU has faced since starting its ambitious project to make the EU a leader in a data-driven society. Consider the following:
- How can the EU promote awareness about individuals’ rights on data protection?
- What approach do you believe the EU should adopt in creating a digitally sovereign Union?
- Which steps can the EU take to assert itself as an independent global actor in the digital sphere?
- How can the EU ensure that the Internet stays competitive while insisting on appropriate regulation of consumer data?
- How should the EU address the tensions between global actors such as the US and China, who have radically different approaches to the digital sphere, while promoting technological growth and European values?