During her speech before the World Economic Forum’s virtual meeting in Davos in January, European Commission President Ursula von der Leyen invited the United States to join Europe in writing a new set of rules for the internet: “Together, we could create a digital economy rulebook that is valid worldwide. It goes from data protection and privacy to the security of critical infrastructure. A body of rules based on our values: human rights and pluralism, inclusion, and protection of privacy.”
This invitation to collaboration comes at a time of remarkable diversity in how states are approaching internet governance. Beijing is advancing new internet standards to replace the global, open, interoperable ones. Moscow is continuing to clamp down on the web through a combination of online and offline coercive measures. India is advancing a data-protection framework with large carve-outs for state data collection against the backdrop of the Modi government’s repressive internet shutdowns. A Brazilian official who authored the country’s data localization proposal recently called data flows abroad a violation of the country’s sovereignty. In Europe, the previous watchword of “digital sovereignty” may be giving way to talk of “strategic sovereignty” in the digital sphere, but the underlying premise remains the same: creating an internet environment where European values proliferate. In the United States, the Biden administration is grappling with how to reinvigorate U.S. global engagement on technology while simultaneously managing new regulatory proposals for American tech giants.
This fractured policy landscape has prompted hope that Europe and a United States led by President Joe Biden might collaborate to facilitate a more consistent and predictable approach in internet governance, one that seeks to uphold the fundamental values of the internet. But the United States and the European Union are not as aligned on this question as some might claim. American internet governance has been described as everything from a privatized model to a hands-off-the-internet approach. In the EU, however, varying understandings of “sovereignty” online both reflect and shape the different political contexts in which member states are designing their internet governance models, which have historically been far more willing to embrace regulation than in the United States.
This divide matters for EU-U.S. technology cooperation, as recent shifts in the EU toward digital self-determination heighten the potential divergence between the Washington and Brussels in internet policymaking. How the visions of the internet in the United States and the EU bloc play out in the coming years, particularly under the Biden administration, will matter greatly for shaping the future of the internet, its freedom, and openness.
Europe’s internet shift
Between 2016 and 2020, the Trump administration stepped back from the United States’ historic leadership role on questions of internet governance. Domestically, the administration failed to devise a national plan that would address issues of competition, connectivity, and new technologies, including 5G. While the Trump administration took some action, it was sporadic and mainly driven by larger national and international political forces rather than any serious high-level commitment to ideas like internet openness or security. Internationally, the Trump administration not only abandoned but worked against years of effort by dedicated cyber diplomats to promote and protect the idea of an open, globally connected and interoperable Internet. This abdication of leadership left a significant gap that was felt across the global internet governance ecosystem. It enabled China to introduce a “New IP” proposal at the International Telecommunications Union (ITU) to make internet traffic more easily state-controlled and gave Russia the opportunity to spearhead a United Nations General Assembly resolution on cybercrime that called for “countering the use of information and communications technologies for criminal purposes.” It was adopted by 79 votes to 60 with 33 abstentions, despite opposition from several major Western powers.
In Europe, this leadership vacuum was filled by legislative proposals for internet governance driven by two different fears. The first was a philosophical one regarding Europe’s ability to exert more political control over information and the internet. The other was a pragmatic desire to avoid being stuck in the middle of a toxic rivalry between the United States and China. Both fears were articulated as part of what von der Leyen last year called “tech sovereignty”: the “capability that Europe must have to make its own choices, based on its values, respecting its own rules.”
But Europe’s people-centric idea of sovereignty, albeit relevant to a world recognized by territorial borders, is difficult to reconcile with an internet that has little respect for these physical boundaries. The EU’s signature internet regulation, the General Data Protection Regulation, has centered its rules around citizens and users, the political community formed by Europe’s “people,” and granted the European Union a measure of internet sovereignty via regulation. This last point is especially important: The European Union may have a seat at the table in international fora, but its individual member states are ultimately the sovereigns, not Europe as a whole.
Europe’s move toward digital sovereignty and self-determination
The geopolitical shifts of the past four years have caused many in Europe to value strategic self-determination and limiting dependence on foreign powers. In a March letter to von der Leyen, four European leaders, including Germany’s Angela Merkel, articulated this desire: “We believe that Europe needs to recharge and complement its current digitisation efforts with a self-determined and open digital policy which includes digital sovereignty as leitmotif.” The statement is notable for several reasons: It abandons the phrase “cyber sovereignty” and its evocations of Chinese and Russian internet control; positions Europe as the exporter and not consumer of policy; and expresses a willingness for a European leadership role regarding internet governance questions.
Europe might be the first to set the rules of the online game, but this alone cannot win the game. Because the internet is founded on and continues to create interdependencies between nations, eliminating dependence on other countries is not just challenging but to some extent contradictory. For instance, European Union privacy rules and limits on cross-border data flows have necessitated the establishment of adequacy decisions and other agreements to enable data to continue flowing across borders. Interconnections and interdependencies between countries have become pervasive and will relatively remain so in a globally interoperable system.
Given this limitation, Europe has focused on regulation and, over the past few years, has managed to establish itself as the de facto global regulator for the internet on a number of issues. When it came into force in 2018, the GDPR represented the world’s most ambitious privacy regulation. Its impact was felt globally, so much so that some 80 countries around the world have implemented GDPR-like statutes. The recently released Digital Services Act package, which addresses rules and responsibilities for online platforms and rules on competition policy, continues the trend of European rule-making leading the way internationally. Meanwhile in Brussels, the digital policy agenda is crowded with issues that range from online terrorism to cybersecurity, data governance, and encryption. All this policy activity has placed Europe at the heart of internet governance discussions, but not necessarily in a way that fully satisfies either Europe or its allies.
Regulation alone is not enough. Many European observers have adopted the view that in order to be competitive in the tech sector, Europe needs to invest in infrastructure. In the past year alone, Europe has embarked on a series of activities that hint at its wish to become an infrastructure pioneer, while also building the legal framework to support it. GAIA-X, the federated Franco-German cloud initiative is an example; proposals for a European DNS—no matter how poorly thought out they are—are another. In and of itself, building infrastructure is not bad: It could contribute to increased innovation. But many key questions remain, especially the feasibility of such grand ideas in practice.
Europe’s main challenge is that it continues to be technologically dependent on both the United States and China, placing it in the middle of a technology conflict that will most likely continue and may escalate. Europe faces two different dependency hurdles. The first is its dependence on China. The EU’s economic links with China’s tech sector are pervasive, and Chinese software and hardware are used throughout the EU internet ecosystem. Europe knows that China’s cheap equipment and financial promises come with attachments and tradeoffs that Europe is struggling to make in a coordinated fashion. For example, Europe’s indecisiveness and lack of a harmonized strategy among its member states with regards to the deployment of 5G equipment from Huawei, is a case in point. Germany and other countries seem keen to continue some sort of collaboration with China, albeit within limitations, whereas countries like Italy have prevented national operators from making deals with Huawei.
The second dependency hurdle is with the United States. European policymakers understand it is impossible to cut ties with America’s digital companies altogether. Instead, they are focused on how these companies should behave within its borders. By taking advantage of its economic standing, Europe drafts regulation that aims to shape the business models of big technology companies. The impact of this can be quite profound if one considers the opportunities it creates for Europe as a global regulator. However, this also raises a number of questions for cooperation with the United States. When member states are focused on regulation in ways that are still notably different from counterparts in the United States, it begs the question of just what kinds and degrees of internet strategy cooperation are most realistic for the U.S.-EU relationship.
This approach seems to be paying off, but not without hiccups. Europe’s experimentation with regulation allows it to set the agenda on complex internet governance questions. Despite its unintended consequences, the GDPR continues to be the most influential privacy regulation in the world. In contrast to the chaotic debate in the United States over Section 230 of the Communications Decency Act, the DSA at least provides some clarity on how regulators envision the roles and responsibilities of online platforms. With both the DSA and the GDPR, European policymakers have resisted regulation that aims to make sweeping changes to the internet’s core properties. But this is not a guarantee for the future. As Europe becomes more inward looking, it may push further in its approach to asserting a measure of online sovereignty.
Similar to other countries around the world, Europe is facing some hard facts. The internet is becoming less—less global, less interoperable, less open. The internet remains unable to resist the centralization of economic power to a few big players and has become increasingly weaponized through such activities as disinformation campaigns. This type of behavior will most certainly intensify and, as it does, Europe will need to make some crucial choices. What kind of an Internet does it want?
Sooner or later, the United States will face inevitably the same dilemma. This is a point where both allies will converge: recognizing that historically hands-off approaches to the internet no longer suffice in an age of harmful company behavior, internet insecurity, and authoritarian affronts on the open internet. But, ultimately, the biggest obstacle for collaboration will be their divergent views on how regulation should shape the internet: the United States will most likely continue to insist on a market-based approach, perhaps with some minimal interventions, while Europe will persist in a more institutional-oriented process. This schism will be difficult to bridge because it is part of the countries’ historical and cultural background.
Yet, it can also act as an opportunity. Realizing this difference should encourage both actors to turn their attention to the internet itself. Their common, shared goal can be to rally behind the values that have defined the internet since its early days: its architectural design. The critical properties of the internet can become the starting point and the shared understanding in moving forward, regardless of which approach each decides to follow. This would place both allies in stark contrast to countries like China and Russia.
Much policy discussion has focused on strong cooperation prospects between the European Union and the United States on internet strategy. While an objective worth pursuing, it does not mean the shifts towards digital self-determination in the EU can be ignored. Focusing on these trends, rather than treating all internet “democracies” as the same, is critical to forging multilateral cooperation on protecting an open, global, and interoperable internet.
Konstantinos Komaitis (@kkomaitis) is a senior director for policy strategy and development at the Internet Society.
Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative.