Digitale Souveränität in einer Welt wachsender Abgrenzung

A trendy term in recent years has been "digital sovereignty" - a term with different connotations in different contexts. In our article, we will describe these and work out what influence digital sovereignty has on large-scale software use.

From the perspective of international law, the term "sovereignty" describes the ability of states to freely determine the type of government, legal system and prevailing social order within their territory - this is called internal sovereignty. External sovereignty, on the other hand, is the basis for the independence and equality of all states among themselves. In the traditional understanding of sovereignty, the focus is clearly on the power of states within their own territorial borders - a concept which seems to contradict the flexible structures of the Internet. Digital communications and applications seem to move in a space without legal governance and state control. States have adapted themselves and their legislation to make it applicable to the digital space.

During the last two years, the pandemic as well as Russia's war of aggression on Ukraine clearly demonstrated society's dependencies on a few producers with monopoly-like positions. This is most clearly evident in everyday life through the lack of availability of haptic products (e.g., due to production stops in China), but also in the digital space the dependency on a few technology providers has a major impact on the ability of individuals, companies and also states to act. Prominent examples of influence at the digital level include Snowden's revelations, the Cambridge Analytica scandal, and the pre-Brexit disinformation campaigns. This dependency is contrasted by the concept of Digital Sovereignty, the empowerment of the state and the individual for (digital) self-determination without restriction by other states or companies. This also includes the ability to make autonomous decisions regarding the digital infrastructure used and technological developments.

There are different understandings and interpretations of digital sovereignty. Some speak of independence from monopolistic manufacturers, while others refer to the free use of the Internet and unhindered data traffic. China was the first country to propagate the concept of digital sovereignty, but with the focus that the Internet undermined state sovereignty by giving democratic movements room for exchange. This nation-state isolationist approach was adopted by other authoritarian states such as Russia.

This involves protecting "one's own" Internet from external influences on the one hand, and access to data generated and processed in one's own country on the other. In China, several laws have been passed for this purpose: the Cyber Security Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). The regulations enforce that data collected or processed in China is also stored within the country. Consent must be obtained from government agencies to export data. This gives the government control over the whereabouts of data related to China, the Chinese market, and the activities of foreign organizations in China.

At the same time, the "Great Firewall of China" can also keep information out of the country. This works through legislative activities as well as technical means of blocking access to foreign websites and slowing traffic across national borders. This enables the pushback of Western influence on the Chinese Internet.

Parts of these laws (and some of their technical implementations) have become export hits under authoritarian governments. Russia, for example, has taken similar measures to protect its own Internet and preserve Russian data, and Brazil has also passed laws modeled on this system.

To operate corporate networks, service providers must sometimes be used in these economic environments to ensure the operation of, for example, Azure environments. The best known example here would be 21Vianet for the Chinese market.

At the other end of the democratic spectrum, however, different currents are also apparent. While Western countries generally connote the concept of digital sovereignty democratically as the ability "to make one's own decisions in accordance with one's own values and rules" (Ursula von der Leyen when she took office as President of the EU Commission), differences between the USA and the EU become apparent.

The U.S. tends more toward a kind of surveillance capitalism, an economic system focused on the commercialization of personal data for profit. The EU, on the other hand, sees the data found on the Internet, especially the data of its citizens, as an asset to be protected from arbitrariness and corporations. Therefore, regulatory power must be used to gain control over the infrastructure, which is clearly reflected in concepts of data localization (including restricting storage, movement, and processing of data) to protect data from outside influence.

The European way with a focus on citizens' rights and self-determination is reflected in the recently enacted Digital Services Act, Digital Markets Act, European Action Plan for Democracy, and Data Governance Act, which open up multiple opportunities to create regulations in the digital space. The EU's and its member states' efforts to exert control over the digital space are limited by the great material and immaterial power of the digital companies that control it. In addition to the dependence on private sector companies comes the challenge that these companies are also influenced to varying degrees by the laws and policies of their respective countries of origin.

Countries have therefore taken different measures. For example, Germany has begun to expand its cyber defenses and is trying to reduce the dependence of public administrations on proprietary software providers. In addition, there are efforts to strengthen the competitiveness and independence of Europe as a location by building up key competencies and technologies (development of software & hardware, Big Data). This is because the production of technology in one's own country, or in the European association of countries, ensures access even in times of crisis. Chinese companies currently dominate the telecommunications infrastructure, for example, and thus expose the critical infrastructure of states to political and technological risks. As a complement to state digital sovereignty, the focus is also increasingly being placed on citizens, for example by strengthening digital competencies and implementing user rights, transparency and consumer-oriented data protection (informal self-determination).

A study commissioned by the BMWi has shown that digital sovereignty and data sovereignty are central to the innovation and competitiveness of the German economy. This is made clear by the statement that more than 75% of companies feel technologically dependent on other countries, and in at least one technology field on a non-EU supplier (80%). As a countermeasure, the entire competence chain, starting with hardware, applications, data, AI and platforms, would have to be mapped in Europe. Currently, the EU is only the leader in network technology (Nokia / Ericsson), but competition from the Far East is steadily catching up in this market.

In the areas of operational systems and emerging technologies such as quantum computing and AI, the EU is currently lagging behind the USA and China. The next decade will be crucial for shaping the digital space and the EU must actively participate in the development of digital standards. The EU's problem is not, as with the US, the lack of regulation regarding the handling of data, but rather the lack of ability to enforce it. Companies like Google and Facebook are fortunate that their services are not (or at least do not appear to be) substitutable, so they continue to be used anyway. Therefore, when realigning EU capabilities, it is important to pay attention to the interoperability of IT systems, data sovereignty, and the location of the technology provider. An example of a European project is the next generation European data infrastructure of the Gaia-X cloud environment.

At the latest since 24.02.2022, with the Russian war of aggression against Ukraine, the business of companies with branches or subsidiaries in the Russian Federation has changed. Not only import and export of physical goods has been made more difficult or even completely prevented by sanctions. The operation of IT systems in Russia is also currently fraught with challenges. Many well-known vendors, such as Microsoft or SAP, but also hardware manufacturers such as Intel have partially or completely suspended their operations. SAP, for example, no longer operates its cloud services in Russia and no longer provides support for customers. In addition, there are sanctions on certain hardware and software products, such as microchips and other IT products, which can be used for military purposes (so-called "dual-use goods"). These software products could include control solutions for rocket engines, but not commercially available office programs. Russia itself is also slamming the door in the face of Western vendors. For example, no non-Russian antivirus programs are to be used in Russia from 2025. Accordingly, there is pressure from both sides, the sanctioning and the sanctioned state, to segment their own IT portfolios.

The noose around Russia tightens further with each additional sanctions package, and the longer the war continues, the longer non-Russian software products will run without support. Many products and services will be affected by sanctions sooner or later and business, especially in the digital sector, will become much more difficult in the long run. If you are not able to convert your own IT in Russia to Russian and Chinese software (at least in many areas), you will face obstacles without support at a certain point.

Digital sovereignty is an unwieldy topic; when it comes to defining the term alone, the answer quickly ranks from "it depends" to "it's complicated". This is because one can speak of manufacturer independence as well as independent use of the Internet and free data traffic. But what is the same for both topics is that true digital sovereignty for companies can only be ensured through a free democratic framework. Free data traffic, access to information and a genuine choice in the use of hardware and software are secured by a state with a free democratic basic order. In countries where this is not the case, a company must adapt accordingly (e.g., through service providers and third-party vendors) or withdraw from the market until reforms allow it to resume operations.

Authors: Lea Mühlenschulte and Tobias Philipsen