The German government is pushing for Europe’s digital sovereignty and the Bundestag is discussing how to influence EU’s impending Digital Services Act to that effect, Thomas Heilmann, a German parliamentarian and a member of the German Digital Agenda Committee, said. France, too, is actively working on achieving sovereignty in the digital space, Marine Guillaume, the Deputy to the Ambassador for Digital Affairs in the Ministry of Europe and Foreign Affairs said. Both of them spoke at different panels at the CyFy, the annual cybersecurity conference organised by the Observer Research Foundation.

The aim of digital sovereignty is to create conditions to break the monopoly of American actors, Guillaume said. This aspiration for digital sovereignty is the “assertiveness of the European Union” as an alternative to the “big techno spheres” so that the EU can take its own decisions in the future, Regine Grienberger, the German ambassador for cyber foreign policy, said. This claim for a European sovereignty, Grienberger specified, was not limited to 5G, but extended to technology and emerging technologies in general.

The French and German commitment to digital sovereignty is not new. In November 2019, German Chancellor Angela Merkel had urged Europe to claim “digital sovereignty” and seize control of its data from American companies at an employers’ conference in Berlin. She said that the EU should develop its own platforms to manage data, and reduce its reliance on American cloud services run by Amazon, Microsoft and Google.

France and Germany, in fact launched GAIA-X in 2019 which is basically sovereign digital infrastructure for Europe. 22 companies from the two countries incorporated GAIA-X on September 15, 2020 in Brussels. At the GAIA-X summit scheduled for November, French and German finance ministers will be accompanied by a representative from the European Commission, signalling a pan-European interest in the endeavour.

After the whole controversy around Apple and Google’s contact tracing/exposure notification API, Germany and France’s calls for digital sovereignty were backed by Italy, Spain and Portugal.

European digital sovereignty is not the same as cyber sovereignty

Unlike the EU, authoritarian regimes like Russia and China have been trying to garner support for “cyber sovereignty”. The key difference between the two is that cyber sovereignty is governed by national security interests while digital sovereignty is governed by economic, communication and business interests. However, that is not to say that the two never overlap. Case in point is nations’ concern that popular third-party apps, such as TikTok, might be sharing personal data of citizens with foreign governments. Or that when communications are routed through China, as was the case with Zoom (albeit mistakenly), they can be intercepted and accessed by the Chinese government.

“Cyber sovereignty is an exclusive arrangement, digital sovereignty is an open an inclusive arrangement that welcomes others to participate using a rules-based framework,” Samir Saran, the president of ORF, summed up.

5G and sovereignty:
The rampant concern over “trustworthiness of 5G vendors” also ventures into cyber sovereignty territory more than digital sovereignty.

“Trust is a really scarce good in the political relations, not within the EU, …, but with our neighbours and other regions of the world,” Grienberger said. A “national decision” on 5G, which will have an impact on German critical infrastructure, will be taken this year or before the next elections that are expected in the second half of 2021. The aim is to balance between quick implementation of 5G against putting restriction on companies that set up the infrastructure, she said.

Unlike the US, UK and Australia, which have ousted Chinese vendors like Huawei from their 5G equipment or set a deadline to do so due to national security concerns, the EU has taken a more laissez-faire approach despite its influence over its member states. It has told member states to take individual calls on the issue while keeping national security in mind. As a result, some European countries, like Czech Republic, Poland, Denmark, Romania, Estonia, Latvia, and Greece have banned Huawei et al, while the others are yet to take a call.

Guillaume said that the EU idea of digital sovereignty means that the region remains open. “Sovereignty doesn’t mean to be closed or accepting a social contract where the government gets unrestricted access to the data of its citizenry,” she said. It also does not mean exerting social control over the citizens.

Doesn’t India have something similar?

For the last few years, the Indian government has been pitching for “data sovereignty”. Emphasis on data localisation norms in different policies, such as the Personal Data Protection Bill and digital payments, is a consequence of that. Coupled with Prime Minister Narendra Modi’s emphasis on Make in India and recent emphasis on Aatma Nirbhar Bharat (self-reliant India), India’s “data sovereignty” is a mix of different schools of thought.

Grienberger clarified that the European model of digital sovereignty is not a model of autocracy or self-reliance. “It is of self-sufficiency. It is a model of openness, open trade, open economic area so that we can do business together for the profit of everybody,” she said. This is in addition to regulating Big Tech via the impending Digital Services Act.

European digital sovereignty does not mean creating European Google

Digital sovereignty does not mean having European champions for everything, Grienberger said. The aim is to ensure that Big Tech companies adhere to European regulations.

“It’s not about having European champions like a European Google,” Guillaume said. The aim if to create a space where innovation can flourish and European companies can compete on the basis of their ability rather than backing by the state. The assumption, here, of course is that due to market dominance of American Big Tech, European companies are not even in a position to compete.

European counterpoint: Innovate, don’t regulate

Carl Bildt, a former Swedish prime minister and the current co-chair of the European Council on Foreign Relations, however, was not keen on digital sovereignty. “In Europe, we are too keen to regulate, too bad at innovate,” he said. Europe needs to think 10 years ahead and invest in research and investment accordingly, he said. Taking the case of General Data Protection Regulation (GDPR), he argued that regulation in Europe is so complex that small and medium enterprises in Sweden cannot deal with it but Facebooks and Googles can handle it with their thousands of lawyers.

Ways to enable digital sovereignty

Guillaume proposed two ways of enabling digital sovereignty. The first is via the impending Digital Services Act, which is expected to be discussed in the European Parliament next week. This will create an open market that creates a place for everyone to innovate, she said. The second way to via digital commons wherein smaller companies can leverage a pool of common resources to innovate and build themselves up.

To that end, Grienberger explained that Germany is on the brink of finalising negotiations on two instruments to encourage innovation. The first is EU’s multi-annual financial framework which will determine where EU money, to the tune of €133 billion (~₹11.4 lakh crore), will be allocated to encourage investment in internal markets for innovation and research. The second is the Recover EU instrument that will inject additional funds to deal with the effects of the COVID-19 pandemic.

What is the Russian idea of cyber sovereignty?

In Russia, the state has always been the most important player in internet and the government has always been the most important stakeholder. “Principle of sovereignty has been the most important one for Russia,” Elena Chernenko, head of the international section of the Russian newspaper Kommersant, said.

In the last 10 years, Russia has taken multiple steps to ensure its sovereignty in the cyberspace, Chernenko said. To that end, in 2011, Russia had released a concept note, called Convention on International Information Security, that argued that internet-related policy issues are sovereign spaces. Russia was supported by China, Tajikistan and Uzbekistan when it proposed this convention to the UN.

Russia is also creating an alternative infrastructure for a situation where it could have been cut off from the global internet, she said. Its efforts intensified after conflicts with Eastern Ukraine over Crimea in 2014. In 2019, the country’s controversial Sovereign Internet Law came into effect that basically allows the government to control people’s access to the internet in every possible way.

Does Russia respect others’ cyber sovereignty?

Russia has for many years tried to create universal rules around prohibition of interfering in other countries’ internal affairs, Chernenko said. She cited Putin’s recent overture to the US where he proposed a bilateral treaty around non-interference in each other’s elections suing ICT technologies.

At this, Johanna Weaver, special adviser to Australia’s ambassador for cyber affairs, pointed out that the rule of non-intervention is already enshrined in international law as well as the UN Charter. “The problem is not a lack of rules, the problem is a lack of adherence to those rules and accountability when countries are breaching those rules,” Weaver said.

Is the threat of live scene election interference real? Bildt said that while the threat was present in Europe too, but at a lower scale than the US. He said that similar propaganda has been used throughout history; the medium has changed but propaganda actors are the same. “Resilient and credible democracies are normally able to handle this,” the former Swedish prime minister said.

The interplay between cyberspace and sovereignty

Lydia Kostopoulos, strategy and operations adviser at US Special Operations Command, explained that digital infrastructure often crosses sovereign borders. For instance, Google and Facebook dropped their plans to build an undersea cable connecting the US and Hong Kong after the American Department of Justice warned that the Chinese government could use it to siphon personal data of Americans. Since digital infrastructure has material underpinnings, in the form of undersea cables, telecom towers, data centres, etc., it has to exist within sovereign borders. That’s where nation states start erecting borders in the intangible cyberspace.

Conversely, Kostopoulos explained that digital infrastructures, usually privately owned, have also replaced some of the infrastructure that nation states have created for the citizens. For instance, the US Postal service, set up by the American government, has been replaced by private email service providers such as Microsoft and Google. What went unsaid here is that most such digital infrastructure originates in the US.

Weaver explained that just like in the physical world sovereignty and national security go hand-in-hand, so they can in the cyberspace. She cited the case of free trade agreements that have national security-related carveouts.

Here are few of the instances where sovereignty crept into cyberspace:

  • Blocking foreign investments or unwinding overseas transactions: Both China and USA have engaged in “direct, aggressive activities” at individual corporate level and at digital infrastructure level, Ma said. The TikTok situation, wherein US President Donald Trump, through an executive order, compelled ByteDance to divest from TikTok, shows how the US government is using investment regulation to ask a Chinese company to undo its acquisition in the US, he said. The Chinese company ByteDance had acquired American app Musical.ly in 2017 and merged it with its own TikTok in 2018.
  • To develop digital infrastructure: Both the US and China have used sovereign investment funds to develop 5G and semiconductor chips. Semiconductors are one of China’s main imports which is why, China is using “sovereign funds to develop semiconductor technology so that it can be more chip independent”, Ma said. US is similarly setting up sovereign investment vehicles of implementing 5G without Huawei and other Chinese companies.
  • Taxation: By trying to implement digital taxes, Europe (and other nations) is saying that that they have a right to tax companies that derive profit from their citizens, Kostopoulos said. This is a trend that has been seen in India as well.
  • Computer emergency response teams report to the government: Abdul-Hakeem Ajijola, a Nigerian cybersecurity expert Commissioner for the Global Commission on the Stability of Cyberspace who has chaired UN’s working group on cyber incident management, pointed out that the first CERTs weren’t part of the government but came from the academia and a few private players. Now, however, they are not only government run but “embedded in the national security establishment, particularly the intelligence establishment”, he said. Many of these CERTs report directly to the National Security Committee or its equivalent which is chaired by the chief of the state, suggesting greater intersection between sovereign concerns and cyberspace. CERTs don’t only exist at national level, but also at regional level, such as EU-CERT.

Weaver and Ajijola said that cyber sovereignty is not about fragmentation but about building alternate products, services, so that viable alternative environments, to those set up by USA, China, EU and Russia, are possible.

Ajijola pointed out that this “weaponised interdependence’, that is where countries with control over ICT networks leverage it to coerce other nations into submission, may mean that African nations become “unwary victims” of some of these interplays between US and China, US and Russia, India and China. It remains to be seen what steps governments in the “Global South” can take to insulate themselves from geopolitics that is affecting technology interests all over the world.

Read more: