The dependence of EU companies on foreign technology is very prominent, such that no European company is among the top 20 global technology brands, and 92% of the Western world’s data is managed by US-controlled entities.
The main problem is that the data of European citizens is less protected in the US than in the EU. For example, US surveillance authorities may request direct access from service providers. This means that the personal data of EU citizens is transferred to the United States without meeting the privacy standards set by the GDPR. Google Analytics, whose data transfer was declared illegal by the CNIL last February, is the latest in a series of invalidations by the EU. Indeed, both attempts to solve this problem, namely the Safe Harbor and Privacy Shield data transfer agreements, were invalidated.
Therefore, in the context of digital sovereignty, should European companies better consider alternative EU-based solutions?
Have a solid foundation for digital sovereignty
The GDPR states that personal data from the EU can only be transferred to countries that provide adequate protection. There is no federal data protection law in the United States, and state-level privacy laws are much less restrictive than the GDPR. In addition, under certain conditions, US surveillance agencies can access any database (containing, for example, personal information of European citizens) owned by a US company, regardless of the location of the server. This capability was the main reason for the failure of the Privacy Shield, the most recent system for transferring data between the EU and the US.
The EU could simply force big US companies out with rules and force European companies to opt for European technology and host their data locally. However, strictly digital sovereignty is unrealistic. The Internet and technology should not have borders, and actions to limit the use of certain providers will only kill innovation and doom European organizations dependent on technology. To remain competitive, companies must be able to make optimal technology choices.
However, the EU did not sit idly by and announced the launch in 2020 of its European sovereign cloud project called Gaia-X. The goal in Europe was to have a complete cloud service infrastructure provider like AWS/Azure/Google Cloud. Unfortunately, the project quickly stalled, vague goals and excessive political ambitions led to the fact that the project was stuck at the concept stage.
There will be other positive signals as well. Indeed, growth in the digital space is one of the priorities of the French Presidency of the European Union in 2022, which has established the four pillars of Europe’s digital sovereignty. It is about strengthening security in cyberspace, attracting foreign investors and foreign talent to create world-class businesses, encouraging free and open standards, and above all, ensuring a level playing field for businesses in the digital single market.
Using more of a stick than a carrot, the medium-term goal is to strengthen the European technology sector. The influence of big business will certainly be reduced (but not eliminated), but will allow European solutions to flourish. And every time a European technological solution is preferred by big business, the EU’s dependence on the US will decrease.
Towards a new agreement between the EU and the US?
Another possible way out of this situation is the early conclusion of a new data transfer agreement between the EU and the US, which was announced at the end of March this year at a joint press conference of the US President and the President of the European Commission.
This new transatlantic data protection system aims to bring order to the entire digital economy between the EU and the United States, as much of it depends on the transfer of data from and to the United States. It is very important to find a sustainable solution that will allow this huge sector to flourish gradually.
In the absence of a draft, it is difficult to say what are the chances that this new document will satisfy the EU courts. So far, only an “agreement in principle” has been reached, that is, the two political leaders have agreed on the need for such a settlement. The actual draft will be created in the coming months and will take even longer to go into effect.
However, voices are already being heard that this will not be enough. It is certain that the Nyob association will legally challenge the new agreement. If the additional guarantees are not satisfied by the EU courts, the agreement can be terminated, like Safe Harbor and Privacy Shield.
Digital sovereignty is not a new concept, as local residence requirements for services and data have existed for decades in the financial and public sectors of the EU. Standards developed by highly regulated industries should simply be used by everyone.