Broken Shield Digital
How can data sovereignty be preserved after the Privacy Shield has been invalidated?
13 August 2020
Man riding coronavirus viruses on ascending curve
Is the Covid-19 pandemic a victory for big tech?
13 August 2020

Covid-19 has made Europe’s technological dependence on the US clearer than ever

US paperboat leading EU paperboat with a broken flag

Illustration © Miriam Doerr Martin Frommherz

by Rachel Griffin

Long before the pandemic, big tech companies provided much of the vital infrastructure for the world economy, from communications platforms to internet cables and cloud computing facilities. They were also expanding into ever more public services, from healthcare to defense contracting and policing. But the Covid-19 crisis and lockdown measures have made it more apparent than ever how much we – both citizens and governments – depend on their services.

In March, EU Commissioner Thierry Breton successfully negotiated with Netflix to reduce its video quality, in order to prevent network congestion as people used more internet bandwidth while in confinement. In April, France’s digital minister Cédric O was less successful in negotiations with Apple and Google: his public plea for them to modify their operating systems to give France’s centralised contact tracing app full Bluetooth access (which they had reserved for decentralised apps) was ignored. 

The contact tracing dispute illustrates that tech giants’ control of digital infrastructure gives them substantial political power. This issue is felt particularly acutely in Europe, which has so far failed to produce its own tech giants, meaning that much of its vital infrastructure is controlled by foreign companies. As a recent European Parliament report put it, the pandemic ‘has showed the essential role played by the high-tech sector…and has accelerated the reflection on the need for sovereign digital technologies’. Regulators are newly motivated to advance Europe’s tech industry and strengthen its digital sovereignty, and questions are increasingly being raised about whether its dependence on the US tech giants is sustainable. 

The contretemps over contact tracing

The use of smartphone apps to record close contact between users and flag potential Covid-19 infections gained worldwide attention after they were used in Singapore, South Korea and Taiwan, all of which contained the spread of Covid-19 much more successfully than most of Europe. Arguably this had more to do with the appeal of quick-fix technological solutions than with the evidence for their effectiveness, which is rather thin. As it has become clear that lower-tech interventions like mask-wearing and testing capacity are key to controlling the pandemic, apps have become increasingly peripheral: France recently announced that its StopCovid application had only sent 14 infection risk notifications since being launched. Nevertheless, the contentious history of Europe’s contact tracing apps is revealing when it comes to the political power now wielded by the tech giants.

Apple and Google’s operating systems power 99% of the world’s smartphones, and serve as gatekeepers for all applications running on these devices, setting strict rules for app developers. In principle this is both justified and necessary: if anyone could freely launch a smartphone app, users would face huge security and privacy risks. Yet it is also open to abuse. The European Commission recently launched an investigation into whether Apple’s use of app store restrictions to take a 15-30% cut of all payments to app developers is harming competition. However, the contact tracing saga has also made it apparent that this gatekeeper position gives Apple and Google significant political power. 

Essentially, the companies’ control of operating systems enabled them to dictate how contact tracing apps would be designed. The Bluetooth-based apps envisaged by European governments, which aimed to protect privacy by tracking physical proximity between users without recording their identities or locations, would not work without modifications to Apple and Google’s operating systems, which don’t generally allow apps to run Bluetooth in the background at all times. In April, the two companies released joint technical standards for an application programming interface (API) that would allow government-developed contact tracing apps enhanced Bluetooth access. However, in order to protect user privacy, they imposed stringent conditions on access to the API. As well as being available only to state institutions, it would only allow decentralised apps (where anonymised contact records are stored only on phones, not on a central server), and prohibited compulsory apps or the use of location data. 

Following this announcement, Germany and Italy abandoned their original plans for centralised apps and switched to the Apple-Google standards, with their obvious technical advantages. In contrast, France and the UK continued with plans for centralised apps, on the basis that this would help public health authorities learn more about the spread of the virus and develop more effective interventions. However, this meant sacrificing important technical functionalities. As a result, three months into the development of its centralised app, the UK was forced to abandon its plans: an ‘embarrassing U-turn’ for which it was heavily criticised, with a consensus that it should have gone with the Apple-Google standards much earlier. 

Regardless of the actual merits of centralisation or decentralisation, the choice between them is undeniably a political one: how should the potential advantages of giving more data to public health bodies be weighed against the privacy of users, and – since apps are only useful if widely adopted – the likely level of public trust in either option? It is remarkable that this policy choice about public health was made not by governments, but by two multinational companies. French and Latvian government representatives have made caustic statements to the press about how inappropriate it is that ‘Google or Apple get to tell a democratically elected government or its public health institutions what they may or may not have on an app’. Yet despite this rhetoric, neither government was able to get its way against the tech giants.  

As digital rights expert Michael Veale has pointed out, it is also remarkable that no government raised the possibility of creating a legal obligation for Apple and Google to cooperate with their chosen public health strategies, which is the traditional route by which governments can impose their wishes on private companies. Instead, while other companies simply gave in immediately, France and the UK unsuccessfully attempted to negotiate with the companies as equals. France’s digital minister Cédric O stated publicly that, ‘We’re asking Apple to lift the technical hurdle,’ noting that he had also held private discussions with company representatives but failed to reach an agreement. The UK government publicly blamed Apple’s intransigence for the failure of its original app, but then privately called the company to apologise

It’s certainly possible to imagine a more hardline approach backfiring badly. If the companies which provide the operating systems for almost all smartphones took the extreme option of simply withdrawing from the French or British market, chaos would ensue. Big tech firms also wield significant political influence in the US, and attempts to curb their power have previously been met with a harsh response from the US government – most notably the minor trade war triggered last year by France’s introduction of a national digital tax, discussed in more detail in our other blog post. It seems that the French and British governments didn’t think going up against companies which have been described as ‘more powerful than the nation state’ was worth it. 

Cloud computing and data sovereignty

As well as smartphone hardware, US tech giants control a substantial proportion of the communications networks and data centers which power modern digital economies. The undersea cables that carry internet traffic were once provided by traditional telecommunications companies subject to extensive regulation: now they are increasingly owned by Facebook, Google parent Alphabet, and other tech giants expanding beyond consumer services.

‘Data sovereignty’ has been a growing issue in Europe for years, as it becomes increasingly apparent that its lack of domestic computing infrastructure is putting its tech industry at a disadvantage, making it more difficult for it to regulate the tech sector, and leaving its citizens’ data vulnerable to foreign surveillance. Lockdown measures increased many companies’ reliance on cloud computing services, and the European Commission has made digitalisation (alongside the green transition) one of the two guiding principles for its post-pandemic recovery programmes. The pandemic is therefore likely to give a new impetus to the EU’s efforts to reduce its dependence on foreign-owned infrastructure. How successful they will be remains to be seen. 

Cloud computing – outsourced data storage and processing services which most companies now rely on – is a highly concentrated market, dominated by ‘hyperscalers’ whose size enables them to offer cheaper and more efficient services which are hard to compete with. Of the five leading companies, four are American and one is Chinese; Amazon alone has a 48% market share. Last year, a Gizmodo investigation found that avoiding sites hosted by Amazon makes the internet effectively unusable. This market dominance also gives the company substantial political power, which it hasn’t hesitated to exercise: in 2018, it forced privacy-protecting messaging app Signal to stop using the domain fronting practices that allow it to evade censorship in authoritarian countries like Egypt and the UAE. With no viable alternative cloud provider, Signal had no option but to comply. 

Europe’s dependence on American providers also leaves its citizens’ data vulnerable to state surveillance: notably, the 2018 CLOUD Act obliges all American companies to hand over data to federal law enforcement agencies even if it is not stored on servers in the US. Politico recently reported that the German federal police stores its body camera footage on Amazon servers, despite warnings from data protection authorities that this makes it accessible to US authorities, simply because there is no domestic alternative. 

In light of the European Court of Justice’s recent Schrems II judgment, this issue has received renewed attention. The ECJ found that the Privacy Shield agreement governing the transfer of EU citizens’ data to the US was inadequate to protect privacy and therefore invalid. It also held that transferring EU citizens’ data to third countries can only be justified by standard contractual clauses guaranteeing privacy protection where national data protection authorities judge that the clauses do actually offer effective protection equivalent to the GDPR (in the US case, quite doubtful). This doesn’t bar all transfers of data to the US: they will still be permitted where necessary for a business transaction, or with the explicit consent of the data subject. However, US companies will no longer be able to store European data in the US just for convenience. This may drive them to shift some of their physical infrastructure and investments to Europe. Nevertheless, while these US companies continue to dominate the European market, the impact on citizens’ privacy and on broader issues of digital sovereignty will probably be limited. 

In an attempt to alter this dynamic, France and Germany have created a more ambitious plan to boost Europe’s domestic cloud computing infrastructure. Their Gaia-X project, led by German economy minister Peter Altmaier, was formally announced in early June, to be launched fully in 2021. The project brings together a number of European and foreign providers to create a unifying platform for all their cloud services. This will allow customers to move their data freely between providers, and ensure that they all follow Europe’s strict transparency and data protection rules

Altmaier and his French counterpart Bruno Le Maire have spoken of the project in ambitious terms, suggesting that it could become the worldwide ‘gold standard’ for cloud services; but so far, the reaction in the industry has been quite ambivalent. In a market that rewards scale, analysts think it’s too late for EU companies to catch up with the American giants. Indeed, Altmaier has tried to manage expectations in this regard, presenting Gaia-X as an opportunity to capture part of a rapidly expanding market rather than an attempt to compete for the US giants’ existing business. Even that would be quite ambitious since so far the biggest providers’ share of the market has been growing. Some commentators have also suggested that France and Germany’s top-down approach is fundamentally misguided and that its strict uniform standards may just create further barriers to European tech innovation. Indeed, since AWS and other US market leaders are participating in Gaia-X, they may ultimately be the ones to benefit most. 

Historically, the EU has led the way in tech regulation, but lagged behind when it comes to innovation: it has had quite some success in imposing its legal standards on foreign companies, but failed to break its dependence on them for vital infrastructure and services. So far, Gaia-X does not seem likely to buck this trend.  

Where does Europe go from here? 

As well as highlighting Europe’s dependence on foreign tech companies, the Covid-19 pandemic has heightened broader geopolitical tensions, calling into question the US’ reliability as an ally, and reminded governments of the risks of relying on globalised value chains for key infrastructure. With Ursula von der Leyen’s Commission aiming to use the post-pandemic recovery programmes to boost the ‘twin green and digital transitions’, it may seem that the stage is set for Europe to stimulate its own tech sector and break away from its dependence on US big tech. 

However, this is much easier said than done. In the middle of a huge economic crisis, with major disagreements between member states, translating funding into concrete policies to make European digital sovereignty a reality is not straightforward. Even agreeing on the EU’s next budget and the details of the €750 billion earmarked for the post-pandemic recovery has proved an immense challenge. In order to fund recovery programmes while satisfying the ‘frugal’ member states which oppose major spending increases, the agreement finally reached after a four-day summit plans large cuts to the Horizon Europe research programme, which does not seem auspicious for the digital transition. 

Experts have consistently highlighted that regulatory leadership is not enough to give the EU real autonomy in the digital economy: it needs a better industrial policy and a much more advanced domestic tech sector. Free-market think tank ECIPE takes a pessimistic outlook of the pandemic response programmes, arguing that the crisis will just be used to justify more prescriptive, interventionist industrial policies which will ultimately hold European tech companies back – particularly in smaller member states, since the push towards digital sovereignty is mostly driven by France and Germany, who are primarily interested in boosting their own domestic industries. It’s not the case that regulatory intervention is always an economic disadvantage: if it protects competition, provides legal certainty, and ensures public trust in technology it can be the opposite. Stronger harmonisation of rules across Europe should be a particular priority, to make it easier for businesses to expand across the single market. But it does seem that if the EU continues to focus on regulation and highly prescriptive top-down initiatives like Gaia-X, without a more holistic industrial policy and concrete financial support for innovation, it is unlikely to reduce its dependence on foreign providers. 

The pandemic has delayed many European regulatory initiatives, heightened tensions between member states, and caused a historically severe recession across the continent. As discussed in our earlier blog post, it is also increasing market concentration in the tech sector, driving many smaller startups out of business – which will only benefit the biggest, mostly US-based companies. It will be quite an uphill struggle for the European tech sector to grow and thrive in this economic and political climate. 

Rachel Griffin is a master’s student in public policy at Sciences Po Paris and the Hertie School of Governance in Berlin, and a research assistant at the Digital, Governance and Sovereignty Chair