The relationship of the European Union with big tech may become an important geopolitical theater in the next decade. And in terms of technology, the EU is beginning to forge a path that could allow it to play both sides of the US-China equation.
On many issues facing the European Commission (EC), decision-makers must accomplish the daunting task of regulating the home market while asserting authority abroad and maintaining cordial relations with both the falling and rising superpowers.
5G cybersecurity roadblocks
This year could mark a turning point in the EU asserting more sovereignty over the cybersecurity landscape including fifth-generation telecommunications (5G), smart cities, surveillance, and data centers.
For instance, the Cybersecurity Strategy, Joint Cyber Unit and the Directive on Security of Network and Information Systems (NIS directive) will all update the EU’s critical infrastructure protection regime as well as prepare the regional block to make determinations over the controversial 5G question between the US and China.
This question has already sparked analysts to determine where the EU will come down on the Huawei issue. Indeed, some countries within the EU have recently made formal decisions to block or limit the use of Huawei and join the US State Department’s “Clean Network Initiative,” a program that seeks to undermine the proliferation of Huawei equipment.
Yet the implementation of the EU toolbox on 5G remains unfinished as many members of the bloc, including Germany, have articulated a strategy of “diversification” rather than unilateral blocking the Chinese company.
Launched early this year, the toolbox serves as a guideline for member states to make critical evaluations about the security of their 5G networks. It stresses the need for government regulators to determine the risk of equipment and products from ICT (information and communication technology) suppliers and act upon such determinations through domestic policies.
While not legally binding, this instrument has been the only commitment on 5G that the EU has taken as regional whole. Although the toolbox reflects common US talking points, it does not formally ban Huawei.
Network applications and data security
Shifting away from telecom networks, when it comes to applications and data protection generally, the EU is asserting a degree of independence from the US.
Indeed, cracking down on big tech has been a central feature of EU policy this year. The Digital Services Act, a legislative package that would impose responsibilities for platforms over how they distribute content, has picked up steam and could penalize US companies for their online practices.
In addition, the recent decision of the EC to open an investigation into Apple’s alleged anticompetitive behavior underscores what could one day become binding law. EC Executive Vice-President Margrethe Vestager has already announced that Brussels would consider publishing a list of prohibited behavior such as self-preferencing to make US firms more accountable.
But even more telling, in July, the Court of Justice of the European Union (CJEU) struck down the agreement that has facilitated trans-Atlantic data flows from the EU to the US for the past four years. In Schrems II, the court held that the so-called Privacy Shield agreement could not guarantee that major digital platform companies like Facebook and Google could comply with EU data-protection laws because of their obligations to the US intelligence establishment under US law.
The implication of the ruling could prove disastrous for these companies, as it would severely limit the amount of data they could trade with European companies and possibly disrupt the channels of online advertising that comprise a massive percentage of their revenue streams.
Data privacy meets government surveillance
Since the decision, both Washington and Brussels have been working on an “enhanced EU-US Privacy Shield framework” to comply with the new ruling.
The solution thus far has been to modify the standard contractual clauses (SCCs) that tech companies use when negotiating data sharing contracts. Under the modifications, these contracts would impose heightened requirements on companies to safeguard data. European citizens and entities could simply sue Facebook or Google for breach of contract in the United States if they mishandle data.
However, this cannot provide a long-term solution. The fundamental issue between the US and EU with respect to data flows concerns US government surveillance – particularly with respect to Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. These administrative instruments notoriously authorized the National Security Agency’s controversial PRISM program, which was exposed by Edward Snowden in 2013, and are still binding law today.
And when it comes to surveillance, the US intelligence community has expressed an absolute red line: No sweeping changes will be made. And while breach of contract may provide Europeans with one option of relief, jurisprudence under the Fourth Amendment of the US constitution allows a court to force companies like Facebook to hand over data to US intelligence agencies even though doing so would violate a contract.
To top it all off, individuals generally cannot bring claims in US courts over harms caused by US surveillance operations, a perennial problem for EU regulators.
A possible EU-China dialogue on data?
The uncertainty regarding US-EU data relations underscores Chinese Foreign Minister Wang Yi’s unveiling of Beijing’s global data security initiative last week with European lawmakers.
Framed as a counter to the Clean Network program, China’s initiative contains eight proposals aimed at ensuring security for data that crosses telecommunications networks using Chinese equipment. In addition, the proposal strives to safeguard supply-chain security, promote digital economic activity and foster international cooperation on global data security rules.
The initiative is an offshoot of many domestic projects China has been working on in the past few years, including data security guidelines. These guidelines offer companies a series of benchmarks to meet obligations imposed by various laws and national standards such as the Cybersecurity Law, the Personal Information Specification, and the Chinese Civil Code.
Chinese leaders know that digital relations between the EU and the US are beginning to break down. And this provides an opportunity to gain more geopolitical and diplomatic leverage in a world where the US continues to lose its credibility abroad.
In February, the EC published a white paper regarding how it will regulate the internal market for data. Creating nine data spaces divided into sectors such as agriculture, mobility and energy, the data strategy calls for facilitating digital trade within the EU between European companies.
It also represents a novel and ambitious attempt to create a solidified approach to data while fostering home-grown innovation and creating a marketplace that respects data privacy.
The framework lays out principles that will guide how the private and public sector may share data between different systems and services and specifies how data can be harnessed for the public good.
In addition, GAIA-X, a European cloud-computing standard-setting body, is developing standards for cloud usage and data storage which will complement the larger data strategy framework outlined above. Along with both of these items, the EU published its guidelines on artificial intelligence in July.
While rules governing the use of artificial intelligence seem far off, the EU has taken a first step in assembling the basic principles through a non-binding guide to spur meaningful governmental conversation around novel technologies.
Such initiatives reflect the strengthening of the EU’s approach to the US-China technology samba. And as far as dances go, the regional bloc will continue to assert its own sovereignty in digital space while developing EU-specific strategies for the digital transformation.