Two Visions of Digital Sovereignty

Sujit Raman 

Source Link

If bipartisan agreement in the United States is rare, in at least one area, it is increasingly clear: “economic security is national security.” As global events have pushed Europe and the United States closer together, the convergence of these concepts—both at home and abroad—has begun shifting the tenor of the long-turbulent transatlantic relationship.

Consider cross-border data flows. In the recent past, issues concerning digital trade and digital security—from who creates, derives value from, and accesses data, to how it is shared, where it’s stored, and for how long—gave rise to considerable friction and persistent misunderstanding. Today, those same issues provide glimpses of opportunities for transatlantic collaboration and the development of mutual trust.

The good news is that policymakers on both sides of the Atlantic appear to recognize the possibilities of a moment in which digital commerce issues run parallel to, and perhaps even coterminously with, digital security issues, and in which the two can be mutually reinforcing. (If nothing else, the recent record 1.2 billion euro fine against Meta should accelerate implementation of the new EU-U.S. Trans-Atlantic Data Privacy Framework (TDPF).)

But if momentum on transatlantic data issues is to last over the long run, at least one concept popular in recent European policy discourse will need to be reimagined. That concept—“immunity to non-EU law”—refers to the idea that any private-sector entity, in order to be entrusted with storing sensitive EU data, must be subject exclusively to EU jurisdiction and, therefore, must be “independent” of the concurrent reach (including for legitimate law enforcement purposes) of any foreign sovereign’s law.

This immunity concept is integral to a pending EU cybersecurity proposal that also would require the localization of sensitive data within Europe and would impose strict citizenship and control requirements on qualifying cloud service providers (CSPs). Typically justified in security terms, such provisions would subject the relevant data to heightened, rather than diminished, cybersecurity risk. And by “practically excluding American and other international cloud providers”—including, perhaps unwittingly, the leading EU-based providers, as well—“from the EU market,” these requirements would have a hard-edged commercial impact. Most importantly, the contemplated immunity requirements could have a catastrophic impact on transatlantic data flows generally and on the TDPF specifically. At bottom, “immunity to non-EU law” is an artifact of the not-too-distant past in which “digital sovereignty” essentially meant digital autarky and in which ideas regarding digital commerce and digital security mixed in confused, often misinformed ways—usually to the detriment of both.

There is another way. An alternative vision of digital sovereignty has long existed, a vision in which rule-of-law nations work together to lower barriers to the free flow of digital trade and of digital evidence for law enforcement and public safety purposes, even as they build robust, consensus-based frameworks of trust premised on shared values (like individual privacy and due process) and respectful of sovereign differences. That vision has experienced renewed life recently, including in Europe. Policymakers should take concrete steps to expand its domain.

Streamlined Access, Increased Privacy Protections

For those working on transatlantic data issues, these are heady days. After nearly two years of uncertainty wrought by the Schrems II decision, the EU and the United States announced a new data privacy framework in March 2022 that, “[b]y ensuring a durable and reliable legal basis for data flows,” aspires to “underpin an inclusive and competitive digital economy and lay the foundation for further economic cooperation.” As promised, an October 2022 executive order, along with an intelligence community implementing directive and a U.S. Department of Justice rulemaking, introduced new privacy and civil liberties safeguards in connection with U.S. signals intelligence programs. For its part, the European Commission in December launched the process for finding that the new framework provides an “adequate level of data protection” under the General Data Protection Regulation (GDPR), Europe’s data protection and privacy law regime. Despite recent hiccups, that process continues apace and is expected to conclude (positively) in the coming months.

As transatlantic commercial data flows begin to find a firmer and hopefully more permanent legal footing—mirroring the “booming” trade and investment ties between the U.S. and Europe; the growing recognition of shared security interests; and the creation of joint governmental initiatives like the U.S.-EU Trade and Technology Council, a bilateral forum designed to “advance a multilateral economic order that privileges ties and economic exchange between aligned countries that share a plurality of interests and values”—efforts to build a more efficient yet privacy-protective EU-U.S. information-sharing framework for law enforcement and national security purposes likewise seem poised to find new life.

Such efforts could build upon several recent milestones: Last December, the Organization for Economic Cooperation and Development (OECD) adopted “the first intergovernmental agreement on common approaches to safeguarding privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes.” Two years in the making, the OECD declaration—which has been endorsed by 38 countries (including the United States) and the European Union—“stemmed from growing concerns that the absence of common principles in the sensitive domains of law enforcement and national security could lead to undue restrictions on data flows.” By finding areas of consensus linking the long-term future of digital commerce to discussions surrounding government access-to-data issues, the project helps create trust in cross-border data flows among democratic, rule-of-law nations.

The OECD declaration followed in the footsteps of the opening for signatures in May 2022 of another long-running multilateral project concerning rule-of-law nations’ access to data for law enforcement purposes: the Second Additional Protocol to the Budapest Convention on Cybercrime. That protocol—which, to date, has been signed by over 30 nations (including the United States and numerous Council of Europe countries)—is, according to the U.S. Department of Justice, “specifically designed to help law enforcement authorities obtain access to ... [cross-border] electronic evidence, with new tools including direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored data in emergencies”—all “subject to a system of human rights and rule of law safeguards.” (To be sure, some privacy advocates have a less sanguine view.)

Earlier this year, the EU Council and the European Parliament finally reached agreement on an intra-EU “e-evidence” framework for cross-border access to electronic evidence. This long-debated regulation will allow public authorities in one EU member state to issue judicial orders requiring the production of electronic evidence directly on service providers located in another member state, thereby bypassing traditional, often-cumbersome mutual legal assistance mechanisms, without prejudice to fundamental individual rights.

Shortly thereafter, in early March 2023, the EU and the U.S. jointly announced the “resumption of negotiations”—which were stalled in recent years while the e-evidence framework was being worked out—“on an EU-U.S. agreement to facilitate access to electronic evidence in criminal investigations.” Those negotiations will likely be guided, at least in part, by similar agreements that the U.S. government has recently executed with the United Kingdom and with Australia, which streamline mutual access to data for law enforcement and national security purposes while acknowledging and accommodating each sovereign’s sometimes-diverging “essential interests.” U.S. and EU negotiators could also draw inspiration from ongoing frameworks, negotiated in the pre-GDPR era, that “introduced high privacy safeguards for transatlantic law enforcement cooperation” and “provide[] for the appropriate safeguards to accommodate legitimate concerns about security, privacy, and respect [for] fundamental rights.”

Most recently, in late April, the digital and technology ministers of the Group of Seven (G-7) nations met in Japan and “reaffirm[ed] [their] commitment” to facilitating cross-border data flows and to addressing challenges “regarding security, privacy protection, [and] data protection[.]” Notably, the participating ministers established a formal Institutional Arrangement for Partnership (IAP) designed to enhance trust in cross-border data flows. While the scope of the IAP has not yet been set, it could serve as a mechanism to better align trusted data policies between the EU and the rest of the G-7 nations, including the United States.

Overall, while broader tensions in the relationship surely remain, recent trends around transatlantic data flows are encouraging. Both the United States and the EU are prioritizing the formalization of mechanisms to streamline how they access data stored outside their borders needed for law enforcement, national security, and regulatory purposes. This is a fundamental necessity in an age when businesses store data around the globe for beneficial reasons and when digital evidence is likewise borderless. Such mechanisms advance sovereign interests in the efficient enforcement of domestic law and in the preservation of public safety, consistent with civil rights and civil liberties protections. And all of this is being accomplished in tandem with a related project aimed at broadening cross-border commercial access to data for trade and innovation.

A More Bounded Vision

Despite these recent trendlines, a separate, very different vision of European digital sovereignty persists. That vision (to which I’ll refer as the “sovereignty-based approach”) derives from prominent calls in recent years for European “strategic autonomy” and demands for such autonomy to extend into the realm of “technological sovereignty.”

Officially, the sovereignty-based approach is premised largely on the need for data security, especially in connection with information “of national importance” that is stored in the cloud. Maintaining information security is indisputably important for any government. It is also critically important for any private firm storing such information on a government’s behalf. Maintaining data autonomy is also an understandable strategic priority; in light of recent events, it may be unsurprising that European officials are factoring in “the possibility of ... getting cut off from American cloud services” as they decide how and where to store sensitive data. And yet, as explained below, a sovereignty-based approach actually imperils the security of such information rather than protects it. Such an approach also weakens collective defense against malign cyber activity precisely at a time when, more than ever, rule-of-law nations need collaboration between private- and public-sector entities.

More broadly, critical aspects of the sovereignty-based approach suffer from incoherence. According to its proponents, this approach ensures data security and autonomy because it requires sensitive European data to be stored on European soil by European-owned and European-staffed CSPs that maintain their headquarters in the EU. Proponents believe that CSPs stockaded in this way will be subject only to EU law and will therefore be “immune to non-EU laws” (including, presumably, the concurrent application of U.S. domestic law for law enforcement and national security purposes).

But the same EU-based cloud service providers that would benefit, in the name of security, from these commercially protectionist arrangements have global aspirations. And once they operate outside the EU, including in the United States—as several of them already do—these providers become subject to U.S. jurisdiction and therefore to valid U.S. government requests for data, just like U.S.-based providers are. In any event, these sovereignty-based policies are often rooted in a profound misunderstanding of U.S. law enforcement’s ability to access such data when stored by U.S.-based service providers. Some European officials have pointed to a 2018 U.S. law called the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) (described further below) as a principal reason why their nations should move away from cloud solutions offered by non-EU companies and instead should deploy European-designed cloud solutions. In fact, U.S. law in this area is consistent with international principles, and it affords very high privacy protections—including protections that are more rigorous than what domestic governments in Europe typically provide to their own citizens.

SecNumCloud and French Digital Sovereignty

Recent developments in France demonstrate the drawbacks of a sovereignty-based approach. The French national cybersecurity agency, known as ANSSI, launched the SecNumCloud certification scheme in 2016 in an effort to improve information security for French government agencies and firms that operate in critical sectors and qualify as operators of vital importance (OVIs). All OVIs must use SecNumCloud-certified cloud services. The SecNumCloud label is granted to service offerings that fulfill a set of requirements based on the internationally recognized ISO 27001 standard. Many of those requirements, including “physical access controls, strong authentication with password hashing and salting, [and] software encryption,” among others, reflect familiar cybersecurity best practices and procedures. To date, the service offerings of only a handful of firms, all of them French, have been granted the SecNumCloud label.

ANSSI periodically refines the SecNumCloud requirements, and it is the revision proposed in September 2021 (English translation here), which went into effect in March 2022, that is particularly concerning. This revision is expressly protectionist and, consistent with the French national cloud strategy published in 2021, imposes a number of controversial, “sovereignty”-based conditions that ironically could endanger the security of French critical-sector information. As one commentator has observed, the revision includes

severe, China-like restrictions that force foreign firms to store data locally and only use local support and technical staff …. Similar to China, it would effectively only allow local firms to attempt for certification, and thus force foreign firms to set up a local joint venture to try to be certified as “trusted.” ... [The revision would] disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as 600-plus firms that operate “vital” and “essential” services.

The revision also contains an entire newly drafted provision, Section 19.6, which requires certified cloud service providers to have “immunity to non-EU laws” [“protection vis-à-vis du droit extra-européen”]. As discussed below, that provision in particular is self-defeating.

If the latest SecNumCloud revision represents “digital sovereignty,” then the concept is deeply flawed. The costs of data localization, writ large, are well known. Digital flows exert a greater impact over economic growth than traditional goods. It follows that cross-border data restrictions significantly impact GDP. Forced localization also reduces domestic investment and economic welfare and could result in the “tangible degradation or loss of many digital services and business functionalities that rely on cross-border data flows.” But the costs associated with data protectionism are not just economic. Such protectionism also threatens scientific and technological advancement, particularly in areas like data science and the “Internet of Things.” In addition, fragmentation and localization of internet communication promotes censorship and surveillance, thereby increasing the ability of malign actors to target free expression and infringe on human rights.

Linking data localization requirements to purported cybersecurity benefits is especially problematic. As one prominent trade association has observed, “How data is protected is much more important to security than where it is stored.” In fact, the latest SecNumCloud revision’s mandate that all OVIs must store and process data within certain territorial limits raises significant cybersecurity red flags. For instance, increased data localization translates to an increase in the number of data centers, as providers are forced to maintain a physical presence in every country in which they seek to do business, rather than consolidating their operations into a limited number of fortified data centers located strategically around the globe. More data centers mean more staffing, with the associated increases in the risk of human compromise and human error; more data centers also translate to more potential points of hardware and software compromise. Thus, ironically, localization can create a larger and more vulnerable surface area, while providing malign actors with a set of concrete, identifiable targets on which to focus both cyberattacks and physical attacks. (This is precisely why, for example, Ukrainian officials, in the days before the Russian invasion, “transfer[ed] the existing local servers [containing government data] to the public cloud,” effectively “evacuat[ing] critical government data” to processing centers located outside the country.)

In addition, the notion that maintaining an entity’s entire technology “stack” in one physical place is the best way “to generate the required level of trust in certified cloud services” is simply wrong. Most unauthorized intrusions into computer networks are accomplished remotely, so physically consolidating the relevant people, hardware, software, and infrastructure in territorial space accomplishes very little in terms of cyber defense. Moreover, requirements to use local support and technical staff create additional redundancies and associated points of compromise; and to the extent those staff members may lack best-in-class knowledge and training, their presence could well prove counterproductive.

On a broader scale, data localization inhibits cybersecurity advances by reducing the overall amount of cyber-threat information available to governments, businesses, and researchers. As commentators have observed,

The accelerating arms race in cyber warfare requires increasingly sophisticated and constantly evolving defense solutions. Public cloud service providers and cloud based cyber security firms have delivered incredibly valuable common solutions where the economies of scale, access to scarce talent resources, and the ability to monitor global networks in real time have provided an essential solution to enterprises trying to cope and to regulatory supervisors looking for workable solutions.

To say this is not to deny the cloud’s unique vulnerabilities. But by interrupting the critically important pooling of real-time cyberthreat information, data localization weakens common global defenses. Imposing strict sovereignty controls also significantly reduces consumer choice, as few providers will be able to meet the relevant requirements, and those that do may nonetheless reflect “shortcomings” when compared to global best-in-class offerings. Such controls thus “make[] the ecosystem less diversified” and once again “more vulnerable to attacks.”

The ENISA/EUCS Framework

If recent developments on the SecNumCloud front were not concerning enough, the French government has been working to extend the sovereignty-based approach on an EU-wide scale. Indeed, France has been advocating for the European Union Agency for Cybersecurity (ENISA) to include sovereignty requirements identical to SecNumCloud in that agency’s cloud service initiative, the EU Cloud Security Scheme (EUCS). Efforts to finalize the EUCS requirements are currently accelerating. A high-level working group is understood to have met on May 26 to discuss the latest draft version of the scheme, which could be finalized within the next few months and in its current form contains several “hard” sovereignty requirements.

By way of background: The EU has enacted a number of initiatives over the past few years designed to enhance Europe’s cybersecurity posture, including the Network and Information Security Directive (the NIS Directive), the Cybersecurity Act, and the EU cybersecurity certification framework. The NIS Directive, adopted in 2016, was the first piece of EU-wide cybersecurity legislation. Recently updated (NIS2), the directive required member states to craft national cybersecurity standards, to collaborate with other EU countries in the development and maintenance of cross-border networks, and to supervise critical sectors. Subsequent directives have strengthened ENISA’s authority. The Cybersecurity Act, for example, permanently extends ENISA’s mandate to achieve “a high common level of cybersecurity across the Union, including by actively supporting Member States, Union institutions, bodies, offices and agencies in improving cybersecurity.” Under the authority of the Cybersecurity Act, ENISA adopted the certification framework, which establishes EU-wide certification schemes for the information and communication technology sector.

To continue its push toward EU-wide cybersecurity regulation, ENISA released the first public draft of the EUCS in late 2020. The plan establishes three security assurance levels: basic, substantial, and high. And while “it has been argued” that the EUCS high assurance level is “only meant to address ‘state-confidential’ scenarios,” this assurance level is in fact “much broader in scope” in its “potential market and broader economic impact.” As commentators have observed, under Article 52(7) of the Cybersecurity Act, “level high is the only level intended to ‘minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources.’ This will make level ‘high’ the go-to choice for cloud [solutions in Europe], particularly considering that the GDPR requires due consideration for the ‘state of the art’ for security.” Meanwhile, though EUCS certification itself is voluntary, customers—whether governmental or commercial—are free to include it as a mandatory tender requirement. In addition, “NIS2 allows EU governments and the European Commission to mandate certain cloud customers to only use a certified EUCS cloud service,” which may well become the case “for the numerous entities deemed essential or important” under the updated directive.

The insertion of SecNumCloud-like “sovereignty” requirements into the EUCS high assurance level would therefore be hugely significant. And that is precisely what the European Commission apparently asked ENISA to do in early 2022, during the French presidency of the EU. “The drafting of EUCS has been criticized for a lack of transparency and accountability,” and the exact contents of the scheme’s proposed “Annex J” (“Protection of European Data Against Unlawful Access”) were long shrouded in secrecy and speculation until they were released (via media leak) just a few days ago. I discuss those draft requirements in the next section. As a general matter, ENISA has proposed adding requirements designed to “ensure immunity from foreign jurisdictions” and to diminish foreign participation in the European cloud market. For the reasons described above, such a framework would actually weaken Europe’s overall cybersecurity posture.

Such a framework would also contrast starkly with public-sector cybersecurity standards adopted in other parts of the free world. In the United States, for example, FedRAMP authorizes cloud service offerings to the federal government at various “impact” levels (low, moderate, and high), depending on the security objective. While individual U.S. agencies may impose citizenship or data handling conditions in connection with particular programs or projects, FedRAMP itself imposes no citizenship or data localization requirements. It follows that the list of FedRAMP-certified products contains the cloud service offerings of many non-U.S.-based firms, including several at the high level. This is as it should be: Cybersecurity standards should actually promote cybersecurity, rather than advance narrow political or commercial agendas. Considering the outsized role that European standard-setting plays in global technology matters, this is an area in which European policymakers need to display true international leadership.

Misunderstanding the CLOUD Act

One of the principal motivations behind Europe’s push for “digital strategic autonomy” is the idea that allowing non-European cloud providers to store sensitive European data would afford foreign nations—in particular the United States—inappropriate, or least undesired, access to that data, including potentially for commercial advantage. (Despite widespread recognition in Europe that “substantial protection of personal data against government access does not exist in [for example] the PRC,” when European digital sovereigntists refer to “non-EU law,” they typically focus on the United States—though recent news may indicate early signs of a possible shift in attitude.)

As early as 2015, the French government voiced its concerns about OVIs’ use “of applications and data processing hosted in uncontrolled virtual spaces, supported by physical infrastructures located outside the national territory and not subject to European law.” More recently, the European Commission has advanced the notion that because “data produced in Europe is generally stored and processed outside Europe,” this “bring[s] risks in terms of cybersecurity ... [and of] unlawful access to data by third countries.” A prominent EU commissioner echoed this view when he declared that “[o]ur digital sovereignty rests [in part] on ... control over our data …. [I]t is becoming imperative to have autonomous European clouds that guarantee our companies that their industrial data will not be subject to any third country law and will be protected against external cyber interference.” Under this reasoning, the obvious solution should be to require such data to be stored and processed in Europe, where presumably it would remain outside the grasp of non-EU government officials.

In advancing such arguments regarding the need for “immunity to non-EU laws,” European government officials and industry leaders have often relied on a flawed reading of the CLOUD Act, a Trump-era statute that clarifies the legal framework for U.S. law enforcement requests for data that is held by telecommunications service providers. Many Europeans think that the CLOUD Act allows U.S. law enforcement agencies free access to data stored anywhere in the cloud by U.S.-based CSPs. European critics of the CLOUD Act believe that the statute permits U.S. law enforcement officials to arbitrarily access EU person data, even when that data is stored in a data center located in Europe, so long as the CSP itself is headquartered in the United States.

This understanding is mistaken on multiple levels.

First, the CLOUD Act does not discriminate based on nationality. The statute applies to any communications service provider subject to U.S. jurisdiction, including those based in the EU. Recall that service offerings of only five CSPs (all of them French) have been certified under the SecNumCloud scheme and are considered “trusted” under French domestic cybersecurity standards. At least three of those firms (3DS Outscale, OVH, and WorldLine Cloud Services) do business in the United States, are therefore subject to the CLOUD Act, and accordingly are not “immune to non-EU laws.” (A fourth, Cloud Temple, also maintains offices outside of Europe.) To the extent the sovereignty-based approach vastly privileges large EU-based cloud service providers (that have global ambitions) over smaller ones, it is difficult to see how those EU-based providers could satisfy the requirement of being “immune to non-EU laws.”

Second, the CLOUD Act requires service providers, when served with appropriate legal process, to disclose to the U.S. government relevant information “within such provider’s possession, custody, or control,” regardless of whether such information “is located within or outside the United States.” This language makes explicit in U.S. law the long-established international law principle that any company subject to a particular country’s jurisdiction can be required to produce data the company controls, regardless of where the data is stored at any point in time. This principle is certainly not unique to U.S. law; French courts, for example, have long permitted French law enforcement to obtain data located outside that nation so long as it is retrievable from a computer located in France. In fact, the power under domestic law to compel production of data that is within a provider’s “possession or control,” irrespective of where the data happens to be stored, is a requirement of the Budapest Convention on Cybercrime, which over 65 nations—including nearly every EU member state—have ratified. Notably, the same principle undergirds both the recent OECD declaration and the EU’s newly enacted e-evidence regulation (“application of this Regulation should not depend on the actual location of the service provider’s establishment or of the data processing or storage facility”). Of course, if the relevant information is stored outside of the “possession, custody, or control” of the entity that U.S. law enforcement serves with legal process, then that marks the end of the inquiry.

Third, the notion that U.S. law enforcement can capriciously access the content of sensitive EU data stored by U.S.-based providers is simply false. Again, U.S. law in this context does not discriminate based on nationality. In order to gain access to the contents of any person’s stored communications data through service of process on any CSP within its jurisdiction (without notifying the user), U.S. law enforcement must secure a warrant. The warrant must meet demanding, privacy-protective U.S. constitutional requirements. For instance, the warrant must be supported by an affidavit sworn under penalty of perjury showing probable cause that the place searched will contain particular things subject to seizure. This affidavit, in turn, must state with particularity the crime that is alleged, the information to be disclosed, and the evidence to be seized. The warrant package as a whole must then be submitted to, and approved by, an independent judge. Thus, when U.S. law enforcement accesses the contents of, say, a French citizen’s emails stored by a U.S.-based cloud service provider, not only must the government satisfy the same standards used to access a U.S. citizen’s data, but that showing is more rigorous than what the French government would have to make to access that same person’s data if it were stored with a SecNumCloud-certified provider.

Fourth, the CLOUD Act itself recognizes the need for CSPs to protect the confidentiality of their customers’ data and creates mechanisms for providers to do just that. For example, the statute recognizes procedures that allow CSPs subject to U.S. jurisdiction, irrespective of where they are headquartered, to challenge certain U.S. government data demands in court. Where, for instance, a U.S. government request conflicts with another country’s laws (like the GDPR), the CLOUD Act recognizes the right of the provider to challenge that request on traditional conflict of law principles. In addition, the statute is encryption neutral, which means that CSPs remain free to provide their customers with encryption services that render the data they store unintelligible to the provider. This, of course, has obvious implications for U.S. law enforcement’s ability to access that data through service of process on the provider.

Fifth, U.S. law enforcement and national security officials do not seek access to “industrial data” in order to pursue U.S. commercial advantage. Data can be secured under the relevant legal authorities, including the CLOUD Act, only for authorized public safety purposes, and there are significant penalties for its misuse. Even as the U.S. Department of Justice forges closer collaboration with “economic” agencies like the U.S. Department of the Treasury and the U.S. Department of Commerce—and even as those agencies seek information from foreign firms and deploy novel enforcement capabilities of their own—the relevant data would not be shared with the U.S. private sector to advance national economic or commercial goals. Other nations may regard economic espionage differently, but such are the rules and norms in the United States.

Finally, U.S. federal law enforcement has adopted a policy stating that when prosecutors seek information that an entity has stored with a CSP, they “should seek [that] data directly from the enterprise, rather than its cloud-storage provider, if doing so will not compromise the investigation.” One would expect U.S. authorities to seek access to sensitive EU public-sector data in connection with only the most significant law enforcement investigations and only then after robust internal (and possibly interagency) discussion. Even at that point, the policy seems to require U.S. law enforcement, in all but the most exceptional cases, to seek the data directly from the relevant EU-based public-sector agency—an action that itself would surely be prefaced by extensive intergovernmental discussion and negotiation and would likely fall outside the scope of the CLOUD Act entirely.

The Path Ahead

This is a pivotal moment in the future of international data flows, as two competing visions of digital sovereignty continue jostling for primacy. The first vision recognizes the critical importance of the free flow of information across borders (at least among rule-of-law nations) for commercial innovation. And it acknowledges the need for government actors to efficiently access data stored outside their borders in order to advance domestic sovereign interests in public safety—even as it insists on robust baseline individual privacy and civil liberties protections and respects sovereign differences.

By contrast, the second vision promotes a nationality- and territory-based conception of data security and trust. That vision is not only deeply suspicious of cross-border jurisdictional claims and enforcement but also brazenly dismissive of other nations’ sovereign interests. Its most extreme adherents harbor citizens who commit crimes under foreign law, while unilaterally hunting down those citizens abroad whose alleged domestic crimes have gone unpunished. Advanced in international fora by nations like Russia and China, this vision endorses the view that governments should tightly control data concerning their citizens (and, increasingly, their economies) within their borders, even while (as the Chinese example makes clear) they freely collect and wield data concerning citizens of other nations for “geopolitical” and related purposes.

In Europe, the struggle between these two visions is playing out before our eyes. To be sure, the sovereignty-based approach differs in important ways from the Russian and Chinese models; as commentators have observed, “[T]he EU version of digital sovereignty does not give governments privileged access to technology and data, nor reinforce regime control over the digital economy.” But in broad outlines, the similarities are undeniable—and the fervor of the internal debates over the EUCS confirms the enormity of the stakes.

Indeed, several EU member states have departed from the French position and have voiced their concerns over the scheme’s autarkic turn. The governments of Denmark, Estonia, Greece, Ireland, the Netherlands, Poland, and Sweden observe in a non-paper submitted to the Council of the European Union that the proposed sovereignty requirements are “of a political nature” and pointedly ask of the “immunity to non-EU law” standard: “[W]hat is the goal of this criteria?” Private-sector organizations on both sides of the Atlantic have also come out strongly against the contemplated requirements. (Whether the EUCS’s draft immunity requirements are consistent with EU legislation and international trade commitments is a separate and equally significant question.) It appears the various EU member states have made efforts toward a compromise; a joint document was circulated internally earlier this year that reportedly set out “six scenarios” featuring immunity requirements at varying assurance levels.

Time may be running out. Earlier this month, the European Commission circulated ENISA’s latest draft of the EUCS to a technical working group as a precursor to finalizing the scheme. This document, which was leaked to the press, continues to impose significant data localization and control requirements under the high assurance level. Also, “[a]dditional safeguards have been introduced to put EU data outside the reach of third countries’ jurisdiction,” including mandatory EU choice-of-law and choice-of-forum contractual provisions. Notably, the draft high assurance level would also require the service provider “to include in [its] contract with the customer that it will only consider investigation requests issued under EU law or the national law of a member state”—an “immunity” formulation designed to engineer direct conflicts of law (or, more likely, to chase away global CSPs from seeking certification in the first place). Remarkably, the newly proposed “high+” standard goes even further by requiring providers “to put technical and organisational measures in place to ensure that investigation requests from other jurisdictions are not considered.” The draft scheme is a digital sovereigntist’s dream.

Finding a solution that rejects the sovereignty-based approach is critical, because an EUCS that excludes U.S.-based CSPs “would make the new Transatlantic Data Privacy Framework irrelevant, as U.S. firms would be precluded from managing a considerable amount of data in the EU, never mind transfer it overseas.” The entire transatlantic project premised on the free flow of data for innovation and security could be at stake.

And cybersecurity standards are simply one front in a broader offensive. European data privacy regulators have consistently construed the “immunity to non-EU laws” principle as a proxy for GDPR compliance. In the immediate aftermath of Schrems II, for example, the French data protection authority, CNIL, famously recommended that entities handling French citizen health data should avoid using U.S.-based CSPs. (A French judge ultimately, if reluctantly, disregarded this opinion, not least because he believed “European cloud providers weren’t able to offer the same [quality] services” as U.S.-based ones.) Even since the negotiation of the TDPF, with its seeming resolution of the key privacy law issues litigated in Schrems II, CNIL’s sentiment holds: Last year, the agency endorsed the latest SecNumCloud revisions based expressly on the idea that those revisions, including the Section 19.6 requirement that the relevant data “cannot be subject to non-European laws,” were compliant “by design” with the GDPR. Earlier this year, the European Data Protection Board (EDPB) doubled down on this idea, publishing a report on public-sector use of cloud-based services that stressed that government agencies wishing to store information in the cloud should consider whether the hosting CSP is part of a multinational group that falls within the scope of “third country laws” that “also apply[ ] to data stored in the EEA”—a thinly veiled reference to the CLOUD Act. If so, avers the EDPB, then the mere possibility of the use of such a service could subject the agency to enforcement proceedings for violating the GDPR.

What’s more, the “immunity to foreign law” principle could soon extend far beyond the realm of personal data covered by the GDPR. The European Commission’s Data Act—which also was proposed in early 2022 during the French presidency of the EU, and is likely to be approved and adopted in the coming weeks—covers non-personal data, “the most common type of data to be shared across borders[.]” Designed to protect European industrial data from the purportedly prying eyes of foreign (read: American) government officials, the Data Act’s proposed Article 27 appears to “extend the consequences of Schrems II to non-personal data” by requiring GDPR-style protection measures and adequacy analyses before such data can be transferred outside the EU. The imposition of these measures not only would reflect a hugely consequential weakening of the traditionally “rigid dualism” in European privacy law doctrine between personal and non-personal data but also would mark a high point in the implementation of the sovereignty-based approach. Indeed, if novel immunity considerations for cross-border transfers of non-personal data are combined with contemplated Data Act regulations that would “require cloud vendors to obtain an EUCS certification”—which, as explained above, could impose such immunity considerations at the storage phase, before the transfer is even contemplated—then the triumph of the sovereignty-based vision over the entire lifecycle of European data would be complete.

Respect for individual privacy binds Europe and the United States together. So, too, do extensive transatlantic commercial relationships and common security concerns. Certain European policymakers may feel as though the economic benefits of data flows move in one direction. But erecting “immunity” requirements—and justifying those requirements through flimsy security rationales—is not the answer. To the contrary, it is the free flow of data across borders, with appropriate consensus-based safeguards in place, that best preserves digital sovereignty and best promotes mutual trust and prosperity. Policymakers on both sides of the Atlantic have expended tremendous energy and resources in getting to the present moment. And much work remains to be done. They should capitalize on the current momentum and recognize the perils of alternative approaches.