To achieve European digital sovereignty, it is essential to regulate the use, storage, and collection of data. This necessary data protection continues to provoke a complex debate among member countries. This has not stopped the European Union from taking several initiatives on this subject. Let’s take a look at some of them.
The General Data Protection Regulation (GDPR): the starting point
Coming into force in May 2018, the GDPR is a first step towards digital sovereignty. It regulates the access, storage, and use of personal data of European citizens. To that end, companies holding such data must meet several requirements (deletion of data, consultation on request, appointment of a DPO…). The same regulation stipulates that personal data from the EU may only be transferred to countries that offer similar protection and that the EU considers “appropriate”*.
However, US legislation, for example, is much less strict than the GDPR. The Cloud Act allows the US government to access data held by US companies. And culturally, Americans consider data to be an asset that can be traded. Despite these differences, many European companies entrust their data to large American digital service providers, especially for hosting. This has prompted the EU to take further initiatives to regulate the data market.
Data Governance Act and Data Act: the way forward
These two regulations complement the GDPR. They aim to develop a single market for data that supports the access, sharing, and re-use of data, in line with EU values.
The Data Governance Act will be applicable in September 2023. It aims to promote the sharing of personal and non-personal data by setting up intermediation structures. The latter will clearly define the conditions under which data held by the public service can be reused, and thus compete on equal terms with international market players.
The Data Act aims to establish harmonised rules on access to data generated by connected objects and the various related services. The goal is to facilitate access, management, and sharing of this data.
The platform-to-business regulation: the first European legislation to provide a framework for B2B e-commerce
This EU regulation, which came into force in July 2020, creates a fair and predictable environment for B2B traders using online platforms (around 7,000 platforms and marketplaces).
It prohibits unfair practices, such as abusive account closure, and obliges online platforms to make their terms and conditions more accessible. Finally, they must explain what data they collect and how it is used, especially when it is communicated to commercial partners. In other words, it introduces transparency and ethical principles into digital commerce between companies.
The NIS2 directive: sovereignty and cybersecurity
The European Network Internet Security Directive, known as NIS2, aims to strengthen the cyber risk management of companies and organizations. It will result in new obligations, such as security measures, supervision rules, and the obligation to notify national cybersecurity agencies, such as ANSSI in France, of any attack.
A risk analysis will allow each member state to draw up a list of the organizations covered by this directive. It is estimated that several thousand entities related to digital services, the space industry or research will be subject to this directive, which is currently being adopted.
CNIL and ANSSI: a French example of how local authorities ensure compliance in France
France has two bodies that are responsible for ensuring that data protection regulations are applied and for helping companies and citizens deal with the cyber threat.
The National Commission for Information Technology and Civil Liberties (CNIL), sometimes called the digital policeman, is a government agency responsible for the regulation of personal data. It has several missions:
- Informing and protecting rights: it responds to information requests from professionals and individuals regarding data protection. It also handles their complaints.
- Supporting compliance: it offers a toolbox to help companies achieve compliance.
- Anticipating and innovating: it helps to develop privacy-protective solutions, advises companies, and helps to start a discussion about the ethical issues around data.
- Controlling and enforcing: it ensures that the law is applied in practice.
The ANSSI (Agence nationale de la sécurité des systèmes d’information, the French information system security agency) provides expertise and technical assistance to organisations in the field of cybersecurity. It provides a monitoring, detection, alert, and reaction service for computer attacks.
Action by European governments: real recommendations
Governments have an important role to play in moving towards digital sovereignty. Their actions are influencing the choice of technological solutions. Their decisions contribute to the promotion of the know-how of the European digital players. Local authorities and businesses have been pushed to turn to open-source solutions or software produced by local publishers for some time now.
The development of Europe’s digital ecosystem gives people a real alternative to the GAFAM, and gives them control over their data.
Europeans are aware of the issues related to digital sovereignty. The attention of citizens has been awakened by regulations such as the GDPR. The media are reporting on health data leaks or the opportunity provided by health data. Europe has taken some initiatives, but they are not enough to counter the power of the American giants. However, these regulations show the way to more respectful ways of handling citizens’ data.
* See https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde