
Towards co-regulation of cyberspace: between power relationship and sovereignty imperatives

2021/01/11

In almost twenty years, the world has witnessed an explosion of digital technologies. Data has become a primary resource and is at the heart of geopolitical issues – just like any other essential resource. The regulation of cyberspace is therefore necessary to control the appetite of the giants that threaten Europe.

On the occasion of the G8 conference on security and trust in cyberspace, Jacques Chirac, then President of the French Republic, declared in his speech of 16 May 2000 that the Internet “will play an increasing role in the daily lives of the men and women of our countries,” adding that “it is our responsibility to ensure that it functions smoothly.”

Twenty years of political discourse later, a single observation: the regulation of the intangible world is insufficient or even non-existent.

Regulating an increasingly complex and systemic world shaped by globalisation is still a major challenge today. The speech made by the current President of the Republic, Emmanuel Macron, at the Internet Governance Forum at UNESCO on 12 November 2018 still attests to this desire for co-regulation.

This need is confirmed every day by increasingly frequent and costly computer attacks (more than 50,000 euros on average per company in 2019). These attacks target both individuals (e.g. bank card fraud) and companies (such as Sopra Steria at the end of 2020). These phenomena will increase as 100 billion machines will be connected to the Internet in 2030.

The principle of governance stresses the need for shared prerogatives and a common vision. However, the United Nations (UN), represented in particular by the Internet Governance Forum, is still struggling to lay the foundations for global co-regulation. The example of the resolution issued in December 2019 and providing for the creation of an international treaty against the use of communication and information technologies for criminal purposes reaffirms the difficulty of uniting contradictory interests around a single treaty. The project, which was initiated by Russia and favourably received by China, has met with opposition from Western countries, which see it as a means of enabling certain countries to control and censor the Web.

The only existing supranational document is thus the Budapest Convention signed in 2004. This convention deals with cybersecurity and establishes a common criminal policy against offences committed on the Internet. However, it suffers from a lack of representativeness, particularly due to China’s refusal to ratify it. This governance, involving states and companies, is all the more crucial today as an unbalanced power relationship has been established, in particular in the European Union, to the benefit of the GAFAMs (the American digital giants) and tomorrow perhaps the Chinese BATXs.

If the purpose of regulating cyberspace is above all to create a safer immaterial world, it is also a question of European states asserting their sovereignty over an increasingly strategic space. If the European Union, led by France, still wishes to promote its values while keeping a central place on the international scene, it will have to equip itself with the means to regulate its immaterial borders and “this Far West”, as described by Thierry Breton, the current European Commissioner for Internal Market. Despite the importance of the challenge, Europeans are struggling to do so for various reasons.

The need to rebalance the power relationship in favour of the European Union is facing a great deal of resistance.

The Covid-19 pandemic had the merit of revealing the grip of the GAFAMs on our societies. These digital powers deteriorate the autonomy of European countries, particularly in economic and commercial matters, and prevent them from creating an alternative model. Their quasi-monopoly destroys any attempt to create a European competitor and enables them to absorb innovation, gain market shares, and monopolise data. Unicorns (start-ups with a financial value of more than 1 billion dollars) are then bought out by these modern-day predators. The example of Google-Alphabet is striking. In 20 years, the company has bought over 200 companies, including YouTube, Waze, Nest, and DoubleClick.

This worrying market domination is also illustrated by the decision to host at Microsoft the French health database ‘Health Data Hub’ (HDH). According to its director, Stéphanie Combes, Microsoft was chosen in the absence of equally interesting hosting offers in Europe to meet this need, and also because no State had shown an interest in quickly certifying a European company to submit an offer. Therefore, it seems that Microsoft’s lobbying is working and destroying any confidence in the possibilities offered by European companies. According to the New York Times, Google, Amazon, Facebook, Apple, and Microsoft are said to have spent more than €20 million in the first half of 2020 alone to influence MEPs in decisions on digital regulation, among other things. By comparison, they had spent the same amount for the whole of 2019.

In addition to the risk of abuse of a dominant market position, the question of the security of personal data is a matter of concern. Indeed, these data can be easily retrieved by the American intelligence services via the ‘Cloud Act’, as stated in the Schrems II ruling of the Court of Justice of the European Union (CJEU) of 16 July 2020. While the data are hosted in the Netherlands by Microsoft, the United States can invoke the ‘2018 Act’ to request their return. This form of extra-territoriality of the US law on European soil seriously undermines the digital sovereignty of Member States. Furthermore, it should be noted that Microsoft has encouraged the United States to create the ‘Cloud Act’ to counter European intellectual property law and thus justify economic espionage that threatens fair competition in Europe.

Moreover, for GAFAM competitors to exist, we must be able to invent them. And we still haven’t solved the challenge of the flight of French brains towards Silicon Valley (estimated at 10,000 in 2015), which further amplifies their domination and increases the loss of sovereignty. The reputation of the US universities is as much a dream as the careers offered by the American digital giants. The talent shortage is a reality, with 3.5 million cybersecurity positions that will not be filled worldwide in 2021. Every year, positions in cybersecurity and IT development are left vacant. In this respect, the associative initiative entitled ‘France Digitale’ and created in 2019 aims to encourage expatriates to return to France and to attract foreigners, particularly to work in the French digital sector. As well as interesting jobs, France Digitale offers its help with administrative and tax issues, etc.

European competition law has its limits. Years of investigations and legal proceedings are costly, despite significant fines. Moreover, the behaviour of the GAFAMs does not change. Despite a €5 billion fine imposed by the European Commission for non-compliance with competition law in 2018 (regarding the distribution of Android), Microsoft is still using its dominant position and is aware that consumers and smartphone manufacturers are dependent on its services. The commercial encirclement also applies to a majority of French companies that use Google tools to operate. They are under threat of a unilateral increase in the price of its services.

What solutions can be found to regulate tomorrow’s cyberspace and preserve European economic sovereignty?

Solutions do exist to regulate the immaterial world. The European Union has shown, through its General Data Protection Regulation (GDPR), that co-regulation is possible and that it can protect the personal data of Europeans. The aforementioned Schrems II ruling is proof of this. In its ruling, the CJEU concluded that the ‘Privacy Shield’, an agreement between the United States and the European Union, does not ensure a level of protection of personal data from the EU equivalent to that permitted by the GDPR. The case-law resulting from this ruling requires companies transferring personal data from Europeans to the United States to provide more guarantees (such as standard contractual clauses). If this is impossible, then this transfer may not be carried out. This ruling has the merit of affirming a turning point in the position of the European Union, which now protects the personal data of European citizens. Moreover, if the European Union now applies the GDPR, it has not always been so: indeed, Margarida Silva, an expert in lobbying for the ‘Corporate Europe Observatory’, stresses that although the regulation was created, its application has been slowed down due to lobbying by GAFAMs, which mainly targeted European decision-makers acting in the European Parliament, the Council, and the European Commission.

But the GDPR is now being taken up by other legislative bodies, such as in California, Australia, and Japan, which illustrates its success. It contributes to preventing the privatisation of regulation by certain multinational companies and enables the European Union to assert its sovereignty over its digital space by applying heavy financial sanctions on offending companies.

The current European ‘GAIA-X’ project is also an illustration of the growing awareness of Europeans of the importance of data. While its objective – to regain Europe’s sovereignty in the face of the world’s digital giants – is clear, the recent adhesion of certain GAFAMs to the project is perplexing. A formidable solution for a data economy in Europe, the Franco-German project will still have to make its mark in an already highly competitive market to achieve its goals.

One thing is certain: speeches breathe life into projects, but they are not enough. The political will must dominate in Europe to face the lobbying force of the digital giants. And generally speaking, the European Union is struggling to find compromises with 27 members. On this point, the example of the GDPR speaks for itself. We had to wait for Edward Snowden’s revelations on the wiretaps carried out by the NSA on German Chancellor Angela Merkel before an agreement was finally reached. And if doubt persists as to the strength of the lobbying mentioned above, an Amazon document dating from 2017 leaked at the end of 2020. In this document, Jeff Bezos’ firm praises its lobbying campaign against the e-Privacy Directive in the European Parliament, where the project did not receive strong support. The stated aim was therefore to influence it to weaken its role in the negotiations.

The two draft European regulations presented by the European Commission on 15 December 2020 – the Digital Services Act (DSA) and the Digital Markets Act (DMA) – are intended to create a regulatory framework for the Internet. The first aims to establish a system of obligations for the major digital players. The second should allow for better regulation of risky and illegal content such as child pornography or the glorification of terrorism. These regulations should also provide, as a last resort measure, for the dismantling or banning of access to the world’s largest market in the event of non-compliance with obligations. The final adoption of these texts should take place by the beginning of 2022. It would therefore appear that attempts to influence senior EU officials are becoming less and less effective or that these officials are determined to make the European Union a sovereign entity, capable of action.

This article is partly based on the 9 December 2020 speech relating to the co-regulation of cyberspace and made at the opening of the FIC Agora.

 

Source: https://portail-ie.fr/analysis/2561/vers-une-co-regulation-du-cyberespace-entre-rapports-de-force-et-imperatifs-de-souverainete