Digital sovereignty, data protection and innovation: E&M’s author Jurek Wötzel explains the aims, conflicts and contradictions behind EU data legislation, and how the European commission is walking a fine line.
The European Journal of June 2022 carried in it one of the recent pieces of regulation aimed at making Europe ‘fit for the digital age’: the Data Governance Act (DGA).
By creating a new business category, so-called data intermediaries, the EU wants to ease the sharing of large sets of data between the public sector, research institutes and business, while at the same time upholding rigorous data protection standards. An official registry, in which data intermediaries will have to be listed, shall ensure such standards are implemented. Remarkable are the exclusion criteria for becoming a listed data intermediary: firms that offer cloud services or search engine services, among others, are off the board. Moreover, even firms that do not fall in this category are required to strictly separate data-sharing services from other commercial operations.
The DGA, therefore, seems to be another targeted attack on monopolistic tendencies in digital markets, especially with regards to the attempt to prevent the pooling of different digital business models. More importantly, though, is that the DGA seems to be another targeted attack on American Big Tech, and a step towards more robust European ‘data sovereignty’ – a concept particularly endorsed by Thierry Breton, commissioner for the internal market.
Originally, Breton had even defended a more intense version of the DGA, which included a clause forcing global firms to localize their data in Europe by creating a legally established branch in the EEA. Following the pressure of experts, who reminded the commission of the WTO’s prohibition of such data localization requirements for data sharing businesses, the commission eventually dropped this part of the DGA.
It is clear why strong data sovereignty is the favorable path for European legislators, as compared to more open digital markets. Only a digitally sovereign EU can design digital markets according to European values, among them standards of privacy and data protection, as well as the ethical use of AI. Despite a number of shortcomings, the EU tends to be seen as the regulatory pioneer regarding these issues, a portrayal that is often supported with the example of the GDPR, which has become a benchmark in data protection globally.
EU Legislators are facing a key trade-off, though. No one knows how far the bloc can go in regulating the digital sphere without seriously stifling growth and innovation. The signs of a deterioration of the incentive structure for founders and investors can already be seen. For instance, the much praised GDPR has placed tremendous compliance costs on businesses that operate in Europe. A recent study by three Oxford University economists concluded that businesses targeted by the law saw their profits shrink by 8.1%.
Regrettably, it appears as though the regulation was even tougher on European small and medium-sized enterprises than on Big Tech. Small IT firms were particularly hard hit with a profit crunch of 12.5%, while large IT firms saw their profits decline by 4.6%. On top of that, research from the Centre for Economic Policy Research shows that the web technology vendor market has become more concentrated, rather than less, after the introduction of the GDPR.
Creating a strong European digital economy, however, is essential for data sovereignty. A key reason why regulation is attractive to the commision is the fact that Europe is almost fully dependent on American digital services. Data from 2018 shows that within the total global market share of the top 60 digital companies, European companies make up only 3%, while American firms capture two thirds, and Asian firms 30%.
Breton wants to localize data because, thus far, the European economy has been unable to produce competitors for Google, Meta or Amazon, which makes delicate data from the EU vulnerable to US surveillance. The recent US Cloud Act, which makes it easier for American authorities to access foreign data stored by American corporations in the US, is just one example of how the US in particular is continuing to assert its influence in the EU’s digital sphere. The following negotiations about a US-EU Data Transfer Agreement have been met with skepticism about the EU’s negotiation talent, due to its concession allowing the US to access data when “necessary and proportionate to protect national security”.
With its exclusion of search engine providers or cloud service providers from becoming registered data intermediaries, the DGA is a prime example of how the EU is attempting to regulate in order to innovate. Instead of following a laissez-faire, “growth first, regulation second” approach, legislators are trying to design the perfect legal framework to reduce the influence of American companies and give European ones a boost.
Other recent EU legislation even further clarifies the demands that define the regulatory nexus the commission is operating in: the AI act seeks to ban ‘high-risk’ AI activities and force companies to transparently communicate their AI practices to authorities, while the digital markets act is supposed to make so-called ‘gatekeepers’ such as Google or Amazon respect competitive principles. It is a nexus defined by the demands of privacy, ethical corporate governance and fair competition.
As a result of the digital arms race with China and the US, legislators are facing constant pressure within this nexus. Between facing those pressures and upholding our values, there are trade-offs: stricter privacy regulation or more transparent corporate reporting practices are likely to increase compliance costs and thus slow much-needed digital growth.
It remains to be seen whether the European digital economy will take off at all in the coming years, yet, one thing is for sure: the commission is walking on a knife-edge.