Image by PIRO4D from Pixabay

Digital sovereignty

Digital sovereignty has multidisciplinary connotations, and it can assume different meanings or describe several aspects depending on the contest in which we refer to it.

We already wrote about digital sovereignty and the European scenario in the article entitled “Digital Sovereignty Between “Accountability” and the Value of Personal Data”.

In summary, therefore, we would affirm that with the expression “digital sovereignty” we intend to refer to the power attributed to the State in the sphere that concerns any activity classifiable as “digital”, that is connected to the use of the technologies or derived from them.

It is well-known that with the term “sovereignty”, we generally refer to a power (of State, of people, of economy, etc.), original and independent from any other, and expressed by the manifestation of a will.
The different definitions of “digital sovereignty” have in common only the meaning to express primacy on something but not on the digital domain in a broad sense; the technology’s primary role, whose development or diffusion involves the manifestation of power anyway, might be ”digital sovereignty.”

From our perspective, it is possible to affirm that “digital sovereignty” - in general terms - is not exclusively identified with the power exercised by the State.

Indeed, we can express “digital sovereignty” in any model adopted by the private sector through which the power over one’s digital domain is exercised (in autonomy and with complete control). This power may correspond to actions undertaken, choices of particular work technologies, and, hence, the intention of preserving the digital heritage.

Thus, we can define “digital sovereignty” as the power over one’s digital domain exercised by a State or even a private organization. The key point is the “power over one’s digital domain”. In the case of a State, that power will consist of any activities to protect its cyberspace. A private organization may exercise that power by carrying out any activity focused on its digital domain (protect, develop, spread, propose, sell, etc.). Ultimately, we can have different “digital sovereignty” approaches depending on the (private or public) bodies. It is not a matter of subjective profile, but the main point is the power and how it is exercised.

Digital sovereignty and Europe

We assisted in how the European Commission accelerated on some subjects related to the “digital”, at least in the last two years.

Indeed, we know the acts already issued by the EU commission recently.

We are referring to: 

  • Digital Markets Act (DMA) - we know the news by the EU Parliament after a phase of the trilogue related to the gatekeepers and the ensued debate on the IM apps via API
  • Digital Services Act (DSA)
  • Data Act (DA)
  • Artificial Intelligence Act (AIA)
  • Chips Act
  • GAIA-X (a European project that proposes, as we read on the official website, “a Federated and Secure Data Infrastructure - Gaia-X strives for innovation through digital sovereignty. Our goal is to establish an ecosystem, whereby data is shared and made available in a trustworthy environment.).

On February 7 and 8, the conference “Building Europe’s Digital Sovereignty” was held in Paris under the French presidency of the European Council.

They introduced the four pillars of Europe’s digital sovereignty

The conference was focused on the four pillars listed below:
(i) To ensure the European Union’s role as a protective power, Europe must strengthen the security of citizens, public services and businesses in cyberspace and set down an industrial data strategy that can stand as a bulwark against extraterritorial laws.
(ii) To ensure the European Union’s role as a standard-setting power that champions core values, Europe must shore up democratic institutions, promote the return to a fair playing field for businesses in the digital single market and put forward new rules and regulations in order to increase accountability among tech firms.
(iii) To ensure the European Union’s role as a power for innovation, Europe must attract foreign investors and foreign talent and foster an environment in which world-class tech firms are created.
(iv) To ensure the European Union’s role as a power for openness, Europe must encourage free and open standards, support building physical and software infrastructure that is open and shared in the global digital commons, and back such efforts from a technological and financial perspective.

Regarding Innovation, they stated:

Taking advantage of network effects and new technologies, online platforms have accumulated substantial market power, resulting in a market highly concentrated around a limited number of players. In this vein, the conference will take up the proposed Digital Markets Act (DMA), which seeks to promote innovation and prohibit unfair practices on the part of online platforms acting as gatekeepers in digital markets.

On 17 May 2022, the President von der Leyen participating at the imec Future Summits 2022, among others, stated:

The headline goal of the European Chips Act is simple: By 2030, 20% of the world’s microchips production should be in Europe. That’s twice as much as today, in a market that is set to double in the next decade. So it means quadrupling today’s European production. The European Chips Act will back this ambition with considerable investment. It will enable more than 12 billion euros in additional public and private investment by 2030, on top of more than 30 billion euros of public investments that are already foreseen.

The future of our economy depends on chips, and I want Europe to reclaim a global leadership role in the semiconductors industry.

The picture is clear.

There are ambitious intentions, but we think Europe is late compared with other countries.

In essence, increasing competitiveness in Europe implies an improvement in both the internal and the global market: sovereignty, therefore, would express supremacy in the market. I think Europe is pushing for any effort to gain digital sovereignty to use it globally.

In light of this, we should find the correct balance between those measures and digital sovereignty.

We think that Europe has a strengthen willing to acquire a seat of class in the digital sovereignty domain.

Pushing to have a primary role globally also means balancing interests and protection of rights in the data protection and privacy domains.

We must pay attention not to overlook data protection rights by other requirements, and the EDPS has to be vigilant as it has done till now.

The DMA impact users’ data protection and privacy in messaging systems

Firstly, there is the needing for a short premise.

Currently, we still have a proposal for the Digital Markets Act (DMA) in the latest version of 11 May 2022 - as is our understanding.

That text was (and we think it still is) under negotiations by the EU Commission, the EU Parliament, and the Council.

On 24 March 2022, the EU Parliament published a press release in which they announced that “Parliament and Council negotiators agreed on new EU rules to limit the market power of big online platforms.”

Some information on the DMA: Currently (because we don’t know what could happen in the final drafting), it is composed of 108 Whereas, 54 Articles, and an Annex.

We have to refer to some articles of the DMA, and precisely, Article 3, entitled “Designation of gatekeepers”, and Article 5, entitled “Obligations for gatekeepers”, which offer much food for thought.

So, Article 3 describes how to designate gatekeepers, and precisely we can consider it divided into two parts. Part one provides a general framing in three points, and part two defines every single point of part one.

Indeed, considering Article 3 (Designation of gatekeepers), we read:

Article 3 Designation of gatekeepers
An undertaking shall be designated as a gatekeeper if:
(a) it has a significant impact on the internal market;
(b) it provides a core platform service which is an important gateway for business users to reach end users; and
(c) it enjoys an entrenched and durable position, in its operations, or it is foreseeable that it will enjoy such a position in the near future.
An undertaking shall be presumed to satisfy the respective requirements in paragraph 1:
(a) as regards paragraph 1, point (a), where it achieves an annual Union turnover equal to or above EUR 7,5 billion in each of the last three financial years, or where its average market capitalisation or its equivalent fair market value amounted to at least EUR 75 billion in the last financial year, and it provides the same core platform service in at least three Member States;
(b) as regards paragraph 1, point (b), where it provides a core platform service that in the last financial year has on average at least 45 million monthly active end users established or located in the Union and at least 10 000 yearly active business users established in the Union, identified and calculated in accordance with the methodology and indicators set out in the Annex;
(c) as regards paragraph 1, point (c), where the thresholds in point (b) of this paragraph were met in each of the previous three financial years.

Article 3 is relevant because builds the identity of a gatekeeper not only in terms of generic framing, but also identifying the profile by the annual turnover.

Moving to Article 5 (Obligations for gatekeepers), paragraph 2 contains four main prohibitions for gatekeepers from point (a) to (d), but I highlight the latter and precisely what is laid down by point (d). In fact, we read

The gatekeeper shall not:

(d) sign in end users to other services of the gatekeeper in order to combine personal data.

Just after point (d) the legislator introduces the following clarification:

However, the first subparagraph of this paragraph shall not apply where the end user has been presented with the specific choice and has given consent in the sense of Article 4, point (11), and Article 7 of Regulation (EU) 2016/679.
Where the consent under the first subparagraph has been refused or withdrawn by the end user, the gatekeeper shall not repeat its request for consent for the same purpose more than once within a period of one year.

Then, jumping to paragraph 5 of Article 5, we read:

The gatekeeper shall allow end users to access and use, through its core platform services, content, subscriptions, features or other items, by using the software application of a business user, including where those end users acquired such items from the relevant business user without using the core platform services of the gatekeeper.

To recap, according to the mentioned articles’ content, particularly Article 5(5), we think security and privacy issues might exist. 

Mainly, those security issues are related to how gatekeepers should allow accessing their services by using the software application of business users who enable access to users.

Indeed, the gatekeepers should give the business users their API to access their services. For those who don’t know what API is, it is the acronym for Application Programming Interface. According to IBM, an API is a set of defined rules that explain how computers or applications communicate with one another. Essentially, the APIs are like a set of instructions. The APIs should enable applications to exchange data and functionality easily and securely.

Given that, the main concern is that the use of API might generate security issues because the access will not be direct to the gatekeeper’s platform but by the software application of business users. So, some steps exist to allow communication between the software application of business users and the gatekeeper’s platform. We don’t want to deepen in more technical aspects here.

One of the risks could be that of not being able to fully guarantee E2EE encryption with consequent prejudice for privacy and compliance with the GDPR, given that the GDPR itself sets out in Article 3 the territorial scope, i.e., the conditions for the applicability of EU Regulation 2016/679 to processing carried out in the Union.

Regarding data protection and privacy, it will be necessary to provide information to the users according to Article 13 of the GDPR. 

Balancing the DMA regulation purposes with the concrete use of core platform services provided or offered by gatekeepers and the impact on data protection and privacy

We think there might be privacy issues related to processing personal data by the gatekeepers and business users. Indeed, let’s guess a user who wants to access a software service like Facebook but by the software application of business users. In that case, Facebook has to expose its API to allow access to any software application of business users.

What about data protection and privacy?

Facebook is the controller; whether the user chooses to access Facebook via the software application of business users, he has to give the consent, and the latter is another controller. Could it be a case of a joint controller? Both will process the personal data of the same user for the same purposes.

What about whether the user withdraws their consent? They can do it anytime.

Moreover, we doubt whether the processing should be lawful if it is only based on the user’s consent. According to Article 6 of the GDPR, there are five cases of lawful processing, and one applied could be the one under letter (b).

In essence, Europe is in the whirlwind of consolidating a solid position in the digital sphere. However, that purpose should not overlook the entire context relating to the protection of natural persons with regard to the processing of personal data for the exclusive benefit of the needs of the market and the digital economy.

Follow us on Mastodon

Stay tuned!