In the saga of Big Tech companies and their seemingly never-ending confrontations with EU legislators, issues surrounding what the EU calls “digital sovereignty” are among the most intractable.
The European Parliament has defined digital sovereignty as “Europe’s ability to act independently in the digital world,” adding that the concept should be understood in terms of both “protective mechanisms and offensive tools to foster digital innovation (including in cooperation with non-EU companies).”
The European Parliament has also at times mobilized the related concept of data sovereignty, which exists at both the individual level and at a larger scale.
For the individual, data sovereignty refers to people’s ability to control who does what with their data. But at another level, data sovereignty can refer to independence from what the EU perceives as the oversized influence of a handful of Big Tech firms in the global data economy.
Since last year, the EU’s relationship with American Big Tech companies, most notably Google and Meta, has become increasingly fraught following a landmark ruling by the Court of Justice of the European Union (CJEU).
In July 2020, the CJEU struck down a transatlantic data sharing agreement known as the EU-U.S. Privacy Shield, which was designed by the U.S. Department of Commerce and the European Commission to ensure that the requirements of the EU’s General Data Protection Legislation (GDPR) were met when transferring personal data from the EU to the U.S.
The case that led to the invalidation of the Privacy Shield was initially filed by an Austrian privacy advocate, Max Schrems. In 2015, Schrems filed a complaint with the Irish Data Protection Commissioner (DPA) against Facebook, challenging the company’s use of standard contractual clauses (SCCs) as a legal basis for transferring his personal data to the U.S.
Schrems argued that the personal data of EU subjects might be at risk of being mass processed by U.S. intelligence agencies once transferred without ensuring a level of protection equivalent to GDPR.
While the Schrems case led to the Privacy Shield being struck down, Facebook has continued to use SCCs. However, the practice has come under increased scrutiny since.
Facing the DPA’s warnings that Facebook and Instagram’s use of SCCs as a means of exporting data may be illegal, Meta raised the issue in its annual report in February, stating that if a replacement for the Privacy Shield isn’t worked out soon, it may have to pull both platforms from the EU.
Already, data protection agencies across the EU have been warning businesses that their usage of Google Analytics is illegal for similar reasons.