Data Governance in the EU: Data Sovereignty & Cloud Federation
By Adil Nussipov
The EU already has the strongest data governance framework in place thanks to a slew of regulations it introduced in the past more than five years.
The General Data Protection Regulation (GDPR), the EU’s main piece of data regulation, which turned the bloc into a global leader in data protection, was released in 2016. Two years later, the EU issued GDPR’s sister-regulation on the free flow of non-personal data (FFD). It was followed by Cybersecurity Act and Open Data Directive, both published in 2019.
There is no state or international organization in the world today that would come close to the data governance framework that the EU has created.
And the EU has no intention of stopping.
European Data Strategy
On 19 February 2020, the EU released its brand new Digital Strategy, a package of three documents that outline fundamental elements for the creation of Digital Europe. They include a five-year policy roadmap, a White Paper on Artificial intelligence that outlines plans for new legislation on transparent, traceable and human-controlled AI systems and European Data Strategy, a proposal for the creation of an European single market for data.
The Data Strategy aims to create a European data space, a single market for personal and non-personal data that offers strong protection for personal data and easy access for companies to non-personal and commercial data. The document is grounded on the idea of Data Sovereignty, illustrating the desire of the EU to reduce its technological dependencies on foreign data infrastructures and to increase EU-based cloud services.
The work on the creation of European data space will be carried out through four pillars.
The first pillar prioritizes the creation of an enabling regulatory environment for cross-sector data sharing, facilitating voluntary business-to-business and business-to-government data sharing.
Under the second pillar, the EU plans to invest €4bn-6bn into building new data infrastructures. Some €2bn of that sum is envisaged to come from the European Commission (subject to negotiations under the Multi-annual Financial Framework), and the rest will be contributed by member states. The top investment priority is the creation of a cloud federation, a centralized data infrastructure based on the cloud that will serve as hardware foundation for the single data market.
Under the third pillar, the Commission is to provide even stronger enforcement for data protection and create European personal data spaces.
Lastly, the fourth pillar outlines the creation of nine data spaces that are to spread across various key sectors and areas, including industry and manufacturing, environment, mobility, health, finances, energy, agriculture, public administration and skills.
Cloud Federation: Motivations and Costs
Although the EU portrays itself as an advocate for the data rights of individuals, there are a series of political and economic motivations behind EU’s data strategy. Terms like Data Sovereignty and Cloud Federation are not technical terms describing models for designing data infrastructures, but old political concepts of sovereignty and federalism adjusted to the current era. They are exactly what their meaning imply: united together into a federation, and fighting for sovereignty from foreign influence in the digital global order.
In the past, “foreign influence” always meant powerful states; not anymore. In the digital global order, it is the influence of net states from which the EU strives to reduce dependency. Net states are digital non-state actors such as Facebook, Amazon, Apple and Google, which are not constrained by physical borders and have more influence than their own governments.
The dominance of these players raised two types of fears among the EU’s top companies. One is that the European companies are lagging behind global data-driven economy; and the second that tech giants from Silicon Valley will force local leaders from the latter’s home markets. The essence of net states’ influence is best captured in Apple Effect, a phenomenon that describes how Apple is worth more than the 30 largest German companies combined.
Despite these fears, the EU is actively fighting back to regain authority over essential unregulated spaces to create a safe data environment for European citizens. GDPR indeed does make the EU the only global tech regulator with a human face. However, it comes with economic costs as well. While the EU values rights over economic benefits, its main rivals, the U.S. and China, do not share the same logic. While the EU requires companies to follow GDPR, tech giants in the U.S. freely collect, sell and turn into new businesses the personal data of their customers. At the same time, the Communist Party in China regularly monitors the lives of the country’s citizens from a massive surveillance laboratory equipped with billions of personal data entries and the best face-recognition and machine learning tech.
There are financial costs, too. The U.S. does not need a lot of financial resources to avoid regulating its tech sector whereas China profits from reusing state-collected personal data via its national government-backed tech companies like Huawei.
In contrast, the EU needs considerable funding to implement its regulatory framework. European companies suffer from it as well: they have smaller datasets in comparison to their American and Chinese competitors and face harsh penalties if they do not comply with GDPR. In turn, this leave a limited space for these companies to innovate. In the meantime, American startups enjoy absolute freedom and Chinese startups experiment in the government-controlled sandboxes.
Adil Nussipov is a researcher working on a project aiming to map the global data governance and to identify the design of the global data governance architecture. He also works on the Media Influence Matrix project at the Center for Media, Data and Society and acts as Global Governance Editor at E-International Relations.
