The dependence of EU companies on foreign technologies is very visible, so that no European company is among the top 20 global technology brands, and 92% of the Western world’s data is governed by entities controlled by the United States.
The main problem is that the data of European citizens is less protected in the United States than in the EU. For example, US surveillance agencies may request direct access from service providers. This means that the personal data of EU citizens is transferred to the United States without respecting the privacy standards imposed by the GDPR. Google Analytics, whose data transfers were deemed illegal by the CNIL last February, is the latest in a series of invalidations by the EU. Indeed, both attempts to remedy this problem, namely the Safe Harbor and Privacy Shield data transfer agreements, have been invalidated.
Therefore, in this context of digital sovereignty, should European companies better consider alternative EU-based solutions?
Have a solid foundation for digital sovereignty
The GDPR states that personal data from the EU can only be transferred to countries that offer adequate protection. In the United States, there is no federal data protection law, and state-level privacy legislation is far less stringent than the GDPR. In addition, under certain conditions, US surveillance agencies can access any database (containing, for example, personal information of European citizens) belonging to a US company, regardless of the location of the server. This possibility was the main reason for the failure of the Privacy Shield, the most recent framework for data transfer between the EU and the United States.
The EU could simply crowd out large US companies through regulations and force European companies to choose European technologies and host their data locally. However, strictly digital sovereignty is unrealistic. The internet and technology should have no borders, and actions to limit the use of certain providers would only kill innovation and doom European organizations that depend on technology. To remain competitive, companies must be able to make optimal technological choices.
However, the EU did not sit idly by and announced the launch in 2020 of its European sovereign cloud project called Gaia-X. The goal in Europe was to have a full cloud service infrastructure provider like AWS/Azure/Google Cloud. Unfortunately, the project quickly bogged down, unclear goals and too much political ambition left the project stuck at the concept stage.
Other positive signals are to come. Indeed, growth in the digital space is one of the priorities of the French presidency of the European Union in 2022, which has set four pillars for Europe’s digital sovereignty. It is about strengthening security in cyberspace, attracting foreign investors and foreign talent to create world-class businesses, encouraging free and open standards and, above all, providing a level playing field. businesses in the digital single market.
By using more carrots and not sticks, the medium-term objective is to strengthen the European technology sector. The influence of big business will certainly be reduced (but not eliminated), but it will give European solutions room to flourish. And each time a European technological solution is preferred to big business, the EU’s dependence on the United States will decrease.
Towards a new EU-US agreement?
Another possible solution to this situation is for the EU and the US to conclude a new data transfer agreement soon, as announced at the end of March this year during a joint press conference by the US President and of the President of the European Commission.
This new transatlantic data protection framework aims to bring order to the entire digital economy between the EU and the United States, since most of it relies on the transfer of data from and to the United States. It is very important to find a sustainable solution that allows this huge sector to flourish piecemeal.
In the absence of a draft, it is difficult to say what the chances are that this new document will satisfy the courts of the EU. So far, only an “agreement in principle” has been reached, meaning that two political leaders have agreed on the need for such a settlement. The actual project will be created in the coming months and it will take even longer for it to come into effect.
However, voices are already being raised to say that this will not be enough. It is certain that the Nyob association will legally challenge the new agreement. If the additional guarantees do not satisfy the courts of the EU, the agreement could be terminated like Safe Harbor and Privacy Shield.
Digital sovereignty is not a new concept, as local residency requirements for services and data have existed for decades in the financial and government sector in the EU. Standards developed by highly regulated industries should simply be emulated by all.