EU-US data wrangle tests digital sovereignty

How far is the EU prepared to go to assert its digital sovereignty?

The answer to that question will have profound implications for the structure of the tech industry, as well as the cross-border data flows that increasingly underpin global economic activity.

In its purest form, digital sovereignty means keeping all European data in Europe, under the control of European regulation, and subject to storage and processing by European IT companies. All those conditions may not be met in all cases, but it is an aspiration that is starting to have a significant impact on EU digital policy.

Anyone who doubts the resolve need look no further than the draft Data Act unveiled in Brussels this week. The bloc’s last major piece of data legislation, the General Data Protection Regulation, set a tough new standard for protecting personal data. The Data Act takes a swing instead at non-personal information — the streams of data thrown off by things like modern production lines, transport fleets and “smart” homes.

The proposed law seeks to give customers more control over how they can use this data. The owner of a “smart” washing machine, for instance, would be free to choose how the information it throws off is used, letting them pick a different company to monitor and repair the device than the one they bought it from.

It is a vision of a more open internal European market for data — but one at risk of being hermetically sealed from the rest of the world.

The act’s requirements for companies to protect data from foreign government surveillance could make life harder for US tech companies, even if they store and process all the data of their European customers in Europe. The requirements are partly a response to the US Cloud Act, which made it easier for the American authorities to reach across borders to demand data held by American companies abroad.

Concerns like this are already having a practical impact. Microsoft faced a backlash in France after it was awarded a contract to act as the cloud provider for a new government health data repository, to be managed inside France. A French court upheld the US company’s right to do the work, but a decision was later made to shift the work to a European service provider anyway.

Another question is whether deliberate barriers will be thrown up to hamper the leading US tech companies. In its early form, the Data Act would limit the extent to which “gatekeepers” — the term used in the EU’s Digital Services Act to denote these companies — can benefit from the new data-portability freedoms that are being proposed for other companies.

To American eyes, proposals like this have always looked like industrial policy designed to help Europe support its own tech industry.

At least when it comes to battles over personal data, there is a stronger case for controls. It is understandable for European governments to want to protect their citizens from the prying eyes of US authorities — particularly after the Snowden revelations of widespread digital surveillance. There is less reason, though, to throw up geographic fences around industrial data.

The promoters of the initiative have made little secret of their goals. Speaking to the FT last month, Thierry Breton — the EU’s digital economy commission, and a former chief executive of French IT company Atos — said the aim was “to prepare ourselves so the data will be used for Europeans, by Europeans and with our values”.

The Data Act still has a long way to go to become law. But more immediately, a drumbeat of interventions by Europe’s national regulators, made under GDPR’s privacy rules, has threatened to slow Transatlantic data transfers.

Earlier this month, the French data regulator ruled that Google Analytics could no longer send data about EU users to the US, echoing an earlier Dutch decision.

And in the biggest and most significant case of its kind, Ireland’s data registrar said this week it had completed a draft order to bar social networking giant Meta from sending the data of its EU users across the Atlantic. That looming threat has already led the company to warn in its regulatory filings that as things stand, it is “likely” to have to shut down Facebook and Instagram services in Europe.

US and European negotiators are working on a compromise that would forestall such threats, with an agreement expected by the middle of the year. But previous compromises like this were struck down by European courts, and a legal challenge from privacy campaigners to any new deal seems inevitable.