LIBE I

pexels-pixabay-373543

Committee on Civil Liberties, Justice and Home Affairs I (LIBE I)

Balancing the scale of Data: Data is the lifeblood of the digital economy however there have been calls across Europe to ensure digital sovereignty — whereby states protect their citizens and businesses from the challenges of self-determination in the digital sphere. How can the EU and other European countries promote sustainable technological growth while also ensuring digital sovereignty in this sphere?

anastasia

Written by:

Anastasia Khairova (HR)

Topic at a Glance

Captions
Hey everyone! My name is Anastasia and I will be chairing the first committee on civil liberties, justice and home affairs, concerned with data protection and sovereignty across the EU. although we might not be explicitly aware of it, data protection is an issue that affects every single person in Europe and beyond. Our data is collected, processed and stored with every move we make online, often to optimise our user experience. But the fight for data sovereignty does not concern just user collected information — it also concerns new developments in Artificial Intelligence, production of necessary hardware, services such as social media and many more. With more and more talk of the EU taking a strong stance on how to tackle issues of data sovereignty, our committee will present its view on how the European Union should proceed in a time where data is everything.

Data security is once again taking centre stage after the COVID-19 pandemic unexpectedly moved almost all life online. Although legislation such as the GDPR has made great strides in data protection, the pandemic is exposing just how important proper regulation is. With this new need for improvisation as working environments are transferred online, it is important to ask whether Europe is equipped to handle challenges of the digital era while sufficiently guarding sensitive data.

Context

Europe must become technologically and digitally sovereign, said Chancellor Merkel in her speech on the occasion of Germany assuming the European Council presidency in 2020. But for a term that is so central to the current political debate, ‘digital sovereignty’ is surprisingly vague. It could be seen as the fight for the control of data, software (e.g. AI), standards and protocols (e.g. 5G and domain names), processes, hardware (e.g. mobile phones), services (e.g. social media) and infrastructure (e.g. cables, satellites, smart cities): in short, control of the digital. It has become increasingly clear in the past years that digital space has complicated relatively simple notions of national sovereignty and international collaboration, further blurring the lines between the individual, states and private companies.

While the fight has always been waged between private companies for hegemony in social media or search engines, the Snowden revelations in 2013 became a catalyst for a global discussion on data privacy concerning states’ involvement. Data sovereignty has become a global issue since the disclosure of the United States (US) government mass surveillance programme: it monitored not only US citizens but was tracking populations across the globe.

In the wake of what some call a digital Cold War, the European Union (EU) is coming to the realisation that a normative approach to the digital sector is no longer sufficient to protect its political and economic interests. Independent regulation of the digital sector is made more difficult by the fact that most digital products are offered by private companies which are often based outside of the EU. This international dependency has become a pressing issue as the Union is finding its place in the confrontation between the US and China, while pushing to establish itself as a sovereign actor in the digital sphere.

Relevant Policy Measures and Legal Framework

The Covid-19 crisis has acted both as a magnifying glass and an accelerator: it has highlighted the importance of technology for both economic and health resilience of the Union, and gave rise to a steep increase in use of digital infrastructure. Digital infrastructure has proved especially vital for social welfare during the pandemic, as online health and education services suddenly became key for national economies.

European reliance on Big Tech companies during an international crisis has become another wake up call to strive towards European data sovereignty. The crisis has also emphasised the persisting digital divide in Europe — while some of the largest and wealthiest states such as France and Germany are behind in creating digital infrastructure, states such as Lithuania and Greece are leaders in the field.

Recognising that much of the previous legislation had become outdated, the EU passed the General Data Protection Regulation (GDPR) in 2016, aimed at coordinating data privacy laws across Member States as well as providing greater protection and advancing

individuals’ rights. As such, it can be considered as the world’s strongest set of data protection standards. It places strict rules on how people can access information and limits what organisations can do with the data they collect. At the heart of the law is personal data, which it defines as information that can be used to identify a living person directly or indirectly. This includes names, locations and usernames, but also IP addresses and cookie identifiers. Special attention is given to categories of sensitive personal data — information pertaining to an individual’s ethnic origin, sexual orientation, health information, religious and political beliefs are all given greater protections. GDPR is based on the seven principles of: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity, confidentiality and security; and accountability. In practice, this limits the amount of data companies are allowed to hold and requires justification for the data collected. It further strengthens the security around the acquired data and forces companies to keep extensive records of their compliance with the regulations.

Just as GDPR replaced the outdated regulation, the EU is currently working on replacing the ePrivacy Directive (ePD), in effect since 2002. The Directive is focused on protecting privacy and security of personal data in electronic communications, as it focuses European law on internet service providers and cell carriers. When updated in 2009, the ePD became known as The Cookie Law because it explicitly required consent from users to process their web cookies. What is important to note is that GDPR does not directly impact cookies, but it does require “unambiguous consent” when collecting data: the ePD overrides the general law implemented by the regulation. The new ePrivacy Regulation (ePR), first drafted in 2017 but still currently a proposal meant to replace the ePD and further complement the GDPR. With many hoping the ePR would come into power by the end of 2021, it seems unlikely that the regulation will be implemented before 2023.

1_growth of data
Predicted values by 2025

Topic Analysis

Individual

When it comes to discussing data protection, the individual is at the heart of the discussion simply because it is their data that is being accessed and manipulated. Without proper legislation, data collected from individuals is not tracked, and can be used to manipulate the consumer into purchasing items, voting for political parties or even furthering discrimination based on the algorithm. GDPR was thus designed to give back control of one’s own data, and as such lays out eight rights of the individual; the crucial ones being the right to be informed, access, rectify, erase, and restrict processing of one’s data. Digital sovereignty for the individual means the ultimate form of control in terms of self-ownership of one’s body, choices, and data. 

National

In today’s era where analogue reality is being increasingly controlled and modified by our digital reality, socio-political sovereignty on both seems to be essential for better democracy, public accountability and coordinated cooperation to tackle global problems. In Europe, this poses the problem of who should be exercising digital sovereignty: Member States or the Union. The pitfall of supporting national digital sovereignty is that it could end up supporting digital statism, with each Member State creating its own approach to resolving issues of digital reality. Individual approaches to digital sovereignty risk being insufficient or too overwhelming to be developed by a single government, especially as they would lack harmonisation across the Union. 

European

Digital data sovereignty seems to be more feasible at the EU level, as seen through the implementation of the GDPR. But the implementation of a supranational authority over a digital reality is not without its issues, the main one being the issue of legitimacy or the lack of popular authority that is ever present in the discussions on EU competencies. One proposed solution is allowing Member States a degree of control over their own data sovereignty, with possible coordination with the rest of the Union under larger EU guidelines. Another suggested approach would move all digital sovereignty issues to an EU level: however, this strategy raises complex questions about the authority Member States enjoy offline and possible loss of sovereignty in decision making when it comes to the online sphere. Differing approaches to digital sovereignty in Europe require larger decisions about the direction Europe is taking, as well as the discussion on degrees of sovereign authority European institutions should be given.

International

Although GDPR is a European law, its scope of influence extends far beyond European borders. There are several reasons for this. Firstly, apart from targeting governmental agencies, organisations and institutions, GDPR also targets private companies, many of which are based outside of the EU. This gives the Union a degree of control in monitoring and even sanctioning non-European companies. Chapter V of the GDPR also prohibited transfer of personal data to countries outside the European Economic Area, also known as third countries, unless appropriate safeguards are imposed or the third country’s data protection regulations are considered adequate by the European Commission. GDPR also inspired similar legislation being passed outside of Europe, highlighting the strength of European influence around the globe.

Further Research and Questions

With sweeping changes across the bloc, the EU has introduced and continues creating new legislation regarding the digital world. However, many have pointed out that although the GDPR is regulatorily strong, its enforcement seems to be an issue. Furthermore, Ireland and Luxembourg are known for having a reputation of tax havens of the bloc and were found to face significant backlogs in their investigations of foreign companies under GDPR. When conducting your own research on the topic, inquire which issues the EU has faced since starting its ambitious project to make the EU a leader in a data-driven society. Consider the following:

  • How can the EU promote awareness about individual’s rights on data protection?
  • What approach do you believe the EU should adopt in creating a digitally sovereign Union?
  • Which steps can the EU take to assert itself as an independent global actor in the digital sphere?
  • How can the EU ensure that the Internet stays competitive while insisting on appropriate regulation of consumer data?
  • How should the EU address the tensions between global actors such as the US and
  • China, who have radically different approaches to the digital sphere, while promoting technological growth and European values?