BANNER: European Commission President Ursula von der Leyen speaks during the presentation of the European Commission’s data/digital strategy in Brussels, Belgium February 19, 2020. (Source: REUTERS/Yves Herman)

Digital sovereignty is the term du jour – a political attempt by various countries, both democratic and autocratic, to justify increasing control over the internet and its infrastructure. In recent years, the term has managed to penetrate internet governance discourse, creating the conditions for a novel conversation that attempts to reconcile the global nature of the internet with the need for nation-states to feel a sense of control over the way the internet operates locally. This creates a tension that is most evident in democracies like the European Union.

In February 2020, President of the European Commission Ursula von der Leyen said that Europe must be able “to make its own choices based on its own values, respecting its own rules.” One year later, Charles Michel, president of the Council of the European Union, declared that there is “no strategic autonomy without digital sovereignty.” This narrative has shaped the Union’s digital agenda, especially in the past few years. It has been a main driver for many of the regulatory initiatives the European Commission has undertaken in the past four years. 

Although the term digital sovereignty is pervasive in European politics, the European Union did not initiate it. China was the first to use the term “cyber-sovereignty” or “internet sovereignty” to respond to the rise of networked communications and the possible threat they posed to the Chinese political system, in which Communist Party control is the reigning priority. In many ways, therein lies the great irony – the fact that this conversation is taking place amidst a growing narrative about the “Chinese approach” and the “democratic approach” should make us all pause and consider what exactly we mean by digital sovereignty, what drives its use, and, ultimately, whether the term is the one that could advance both the open and global internet as well as democratic ideals.

Unfortunately, what we are faced with instead is a set of different and diverse interpretations of digital sovereignty, each pointing to a different problem and adding to the confusion over the term’s use in political discourse. 

Even within Europe, despite the fact that the term digital sovereignty is widely used, there appears to be significant confusion and oversimplification regarding how much – and to what extent – it drives Europe’s agenda. To add to this confusion, Europe does not operate internally under one consistent narrative of digital sovereignty. Even though there is consensus regarding the need for Europe to achieve a higher degree of technological autonomy and build its own independent future, member states have approached the idea of digital sovereignty differently and have abstained from defining its exact scope or premise.

Usually, reports about Europe’s approach to digital sovereignty tend to suggest a holistic view disregarding the nuances and divergence of approaches and intentions between its member states. 

In Denmark, for instance, the debate has received little attention, which shows a certain degree of skepticism regarding the value of approaching digital issues under the purview of digital sovereignty. On the other hand, Estonia, mirroring its own success in the digital arena, appears to be more enthusiastic about the possibilities “digital sovereignty” offers in creating a fully digitally enabled nation. Finally, for the Netherlands, digital sovereignty is reflective of wider security concerns in terms of national security and economic security. 

Elsewhere, in Germany, the discourse is “marked by seven different narratives about digital sovereignty that promote different – and, at times, contradictory – agendas.” These range from issues of security, economic prosperity, consumer protection, data protection, democratic empowerment, the ability to exercise the “European way of life,” and the ability of the German government to digitize its services under its own rules. But, most fundamentally, Germany also interprets digital sovereignty as the ability to boost technologies without locking them within Europe’s territorial boundaries. To this end, the German government announced in 2022 that it would launch a sovereignty tech fund with the mission of supporting “the development, improvement and maintenance of Open Digital Base Technologies […]. The goal [would be] to sustainably strengthen the open-source ecosystem, with a focus on security, resilience, technological diversity, and the people behind the projects.”

Europe’s other digitally influential country, France, has adopted a much starker interpretation of digital sovereignty. For France, digital sovereignty means a set of strong regulatory frameworks, primarily focusing on the protection of data, how data travels outside of Europe and under what conditions, the securitization of digital and telecommunications infrastructures, and the development of its own innovation and industrial capabilities. There is, however, a deeper and more traditional aspect of sovereignty that France seeks to promote on the internet, and it relates to the idea of ensuring that European (and French) values prevail in the management and governance of the internet. After French President Emmanuel Macron lost his parliamentary majority in 2022, many observers expressed concern that France may be turning toward a tech policy that shows signs of protectionism.

At the institutional level, things are also unclear. While the European Commission has been involved in setting one of the most ambitious and invasive regulatory agendas on critical issues, ranging from competition to content moderation, cybersecurity, privacy, network investments, and artificial intelligence, not all European member states agree that addressing these issues should be equated to Europe promoting its own digital sovereignty rationale. This type of inconsistency and confusion has presented a challenge, and an opportunity, for Europe to set internet regulatory standards as requirements for access to its highly regarded internal market.

Outside of Europe, there is the assumption that much of the digital sovereignty agenda is driven by the lack of innovation from European companies and the bloc’s inability to produce technology champions like its closest ally, the United States. However, this only provides a small and, frankly, convenient interpretation of what is happening. In reality, the drivers for digital sovereignty are far more complex and are part of a historical context regarding the role regulation plays in incentivizing and controlling Europe’s single market.

Unlike in the United States, in Europe, regulation has always been seen as an asset that has allowed the creation of a single market and the harmonization of laws across the Union. Since Europe’s inception, regulation has been essential to how the European Union functions and evolves; there is no reason that Europe would treat the internet differently. At the same time, unlike its counterparts, Europe has taken advantage of events, like the Snowden revelations or the Cambridge Analytica scandal, to promote its own narrative about the need for internet regulation. “I believe we need to move away from the false possibilities we are currently offered, whereby two models would exist: that, on the one hand, of complete self-management, without governance, and that of a compartmented internet, entirely monitored by strong and authoritarian states. To be very politically correct, we are seeing two types of internet emerge: […] there is the Californian form of internet, and a Chinese internet. […] We, therefore, need, through regulation, to build this new path where governments, along with internet players, civil societies and all actors are able to regulate properly,” a newly-elected Macron declared in 2018.

At the same time, however, it would be misguided to brand Europe’s entire regulatory activity as synonymous with digital sovereignty. The reality is that, although some of the legislative proposals emanate from the premise of imposing European rules globally, in many other contexts, the initial need comes from a strong desire to create a legal framework that ensures the protection of EU citizens. Privacy and data protection provide a good example. One could conclude that much of the current state of transatlantic relationships is attributed to the insistence of the European Union to promote its own privacy legislation, the General Data Protection Regulation (GDPR), worldwide. This sentiment may have some degree of truth, but, in fact, privacy has historically been a priority topic for Europe and a right that has been fundamental to its raison d’etre; as a fundamental right, privacy for Europe is what free speech is for the United States.

The path to strong privacy protections that would eventually lead to the GDPR started long before the narrative of digital sovereignty took hold. Specifically, and according to early EU legislation, European citizens have the right to the protection of personal data, in line with the provisions of Article 8 of the European Convention on Human Rights. The article states that every individual has, amongst other rights, the right to freedom from interference in their private and family life. Similarly, under the Charter of the Fundamental Rights of the European Union, adopted in 2000, the right to the protection of personal data constitutes a fundamental principle of EU law. The Charter extends the protection of the individual beyond just interference to cover personal data as well. When considering digitally generated data, the EU put forward rules as early as the 1990s concerning its use and transfer. These rules set the foundation for how citizens’ data would be treated within Europe’s single market as well as the adequacy requirements that should be in place for the transfer of such data outside of the EU borders. This substantive framework continues to underlie and define Europe’s approach to privacy to this day.

All that considered, the European Commission’s recent behavior points to a more concentrated effort toward utilizing Europe’s own data and privacy rules for the promotion of “digital sovereignty.” Europe understands that data plays the most critical role in advancing new technologies and, therefore, in becoming technologically competitive and independent. Data, specifically personal data, is a resource that has generated a complex set of institutions responsible for collecting, analyzing, and trading the value that can be extracted from it. To this end, most of Europe’s current legislation on artificial intelligence, cybersecurity, 5G, and cloud infrastructure is premised on the support of a strong regulatory framework that allows the continent to exert full control over how that data exists and is used. Europe has this framework at its disposal in the form of the GDPR and, most recently, in the form of the Data Governance Act and the Data Act. This is the intersection at which Europe’s data protection regime gets integrated into its digital sovereignty narrative in the form of a legitimate, controlling power. 

Notions of digital sovereignty now exist throughout the world. The most recent attempt by the US Congress to ban TikTok is a manifestation of a version of this concept. At the same time, India, Brazil, and China have all utilized the term in their future digital strategies and approaches to internet governance, all with less democratic values baked into those frameworks and actions. Each one of them uses the term to mean different things. It would, therefore, be a mistake to attempt to oversimplify it or condense it to just one interpretation. We may end up misunderstanding the role and impact it actually has.

Konstantinos Komaitis, “The complexity of Europe’s digital sovereignty agenda explained,” Digital Forensic Research Lab (DFRLab), May 22, 2023, https://dfrlab.org/2023/05/22/the-complexity-of-europes-digital-sovreignty-explained/.