The ebb and flow of trans-Atlantic data transfers: It’s the geopolitics, stupid!*
The following is a guest post to the FPF blog from Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security Council member.
Guest blog posts do not necessarily reflect the views of FPF.
There is a call for a rational debate on trans-Atlantic data transfers. Frustrations increase as companies work towards Schrems II compliance by executing mitigating measures to ensure U.S. government entities cannot access their data. Yet, EU data protection authorities (DPAs) continue to block their way. The DPAs increasingly adopt an absolutist approach, whereby mitigating measures are disregarded irrespective of the actual risk for data protection after transfer. Industry organizations are frantically advocating for a new EU-U.S. Privacy Shield to continue trans-Atlantic transfers, arguing that EU data protection laws have always been about enabling personal data to flow while protecting the rights and freedoms of individuals. If only we could have a rational discourse to find the right way forward, as the GDPR may well be interpreted in ways that are not in conflict with the information economy.
Data protection experts focus on the merits of the state surveillance aspect of transfers. Emotions run high as criticism of the DPAs on the U.S. state surveillance powers are like the pot calling the kettle black as the state authorities of some of the Member States may well have similar powers (or use these in a similar way). Discussions further focus on the risk-based approach of the GDPR, highlighting the theoretical risks of access after the mitigating measures are implemented.
These discussions are no longer on point. Data transfers are by now a geopolitical issue. A case in point is the announcement last week by U.S. President Biden and EU Commission President Ursula von der Leyen that they reached a new agreement in principle on trans-Atlantic data transfers. A week ago a renewed Privacy Shield seemed unattainable, but all became liquid under pressure of the Russian invasion of Ukraine. The U.S. and EU are strengthening ties at an unprecedented scale, most notably by the creation of an energy task force to help the EU avoid using Russian oil. In light of the geo-political threats to the EU, the U.S. is the EU’s main ally and U.S. government access powers seem a relative minor worry; vice versa, where the EU is your main ally, protecting also the personal data of EU citizens seems a minor concession.
The details of the renewed transfer EU-U.S. transfer agreement will take time to develop, and for sure, we will see a lengthy third round of challenges by Mr. Max Schrems before the EU courts. In the meantime, compliance with Schrems II for data transfers to the U.S. is mission impossible.
The bigger geopolitical picture is that, also with a renewed trans-Atlantic transfer agreement, companies are currently caught between the European Commission’s push for European digital sovereignty and the global business models of the large digital services providers. Companies are well-advised to apply the serenity prayer–accept what you cannot change now—individual companies will not be able to force fundamental changes in the current ecosystem of these global players—and concentrate on what you can influence.
I predict that intercompany transfers that are required to run your business will be able to continue as the GDPR–as rightly advocated–facilitates data flows. The renewed trans-Atlantic agreement will facilitate that. Companies should focus on implementing mitigating measures for these transfers. Transfers that are not inherently required by the services provided by the large digital services providers, will be addressed by the EU’s digital policy. This article discusses the threats to EU digital sovereignty to help companies better understand the EU digital policy and its disruptive impacts, especially on data transfers.
2. Threats to EU digital sovereignty
The European Union (EU) feels the threat of what is coined digital colonialism, where EU member states are increasingly dependent on digital infrastructures that are in the hands of a handful of dominant foreign market players.
The digital identity of most European citizens depends on foreign email addresses, and 92% of European data resides in the clouds of U.S. technology companies, of which 80% are with only five suppliers. With the EU having no large digital platform companies, data transfers are a one-way street. Besides supply chain dependencies, these companies operate proprietary ecosystems, which offer limited interoperability and portability of data and applications, resulting in EU data being locked in and having little value for artificial intelligence-driven innovation.
The realization has set in that Europe’s digital dependencies are so great that its digital sovereignty is under pressure. The fears are justified; EU sovereignty (as the sovereignty of any state around the world for that matter) is under pressure due to a toxic combination of disruptive digital transformation, the exponential growth of cyberattacks (in which smaller countries and non-state actors now also enter the global battlefield), and rising geopolitical tensions, leading to a sovereignty gap.
The sovereignty concerns have led to a U-turn in EU policy. Until recently, Europe favored the open, liberal market economy, and EU research had to be open to the world. Restoring Europe’s digital sovereignty is now a core ambition of the European Commission (EC). Whereat first digital sovereignty was discussed in the context of cybersecurity and defense, the discussion now extends to concerns about the economy and society-at-large.
The ultimate challenge is how Europe and its member states can retain control over their economies (control over essential economic ecosystems) and their democracies, and the rule of law (trust in their legal system and quality of democratic decision-making) in the digital world. Due to the multifaceted nature of the causes that pressure our digital sovereignty and rapid geopolitical developments, there is no one-size-fits-all solution. To understand the series of EU policy initiatives to restore Europe’s digital sovereignty, it is essential to know why Europe’s ability to make decisions autonomously is threatened.
3. What are the threats?
3.1 Disruptive digital transformation
Friend and foe agree that our society is undergoing a digital revolution (in official terms: the fourth industrial revolution) that will lead to a transformation of our society as we know it. In addition to all economic and social progress and prosperity, every technological revolution also brings with it disruption and friction. The first law of technology is that it is not good, not bad, but also not neutral. The new digital technologies (and, in particular, artificial intelligence (AI) and quantum computing) are in and of themselves already disrupting societies and creating new vulnerabilities –weakening control over innovation and knowledge can jeopardize sovereignty. For example, AI and encryption will play an increasingly crucial role in cyber resilience. If there is not enough innovation, there will be new dependencies.
Example – Encryption
Without proper encryption, we will not be able to protect the valuable and sensitive information of our governments, companies, and citizens. Current encryption will not hold against the computing power of future quantum computers. We will, therefore, have to innovate now to protect our critical information in the future. This is not only relevant for future information, but also for current information. Do not forget that currently hostile states systematically intercept and preserve encrypted communications in anticipation that these may be decrypted at a later stage and analyzed by deploying AI. We, therefore, have to invest in post-quantum encryption now in order to be able to protect strategic information that requires long-term protection.
Current EU research investments in quantum computing and AI are dwarfed by the billions invested by Chinese and U.S. governments, combined with the investments from large U.S. and Chinese tech companies, such as Google and Tencent. Where foreign companies are at the forefront of (further) development and implementation of new technologies, such as AI and quantum computing, but also satellite and 5G networks, potentially new dependencies arise. These dependencies go beyond the specific technological applications themselves. For example, to be able to make large-scale use of data analysis by means of AI, enormous computing power is required. It is expected that the cloud infrastructure required for this will become the foundation for the European innovation and knowledge infrastructure. Maintaining control over this is an essential part of the EU’s digital sovereignty.
3.2 Increasing cybersecurity threats
An important dimension of digital sovereignty is the cyber resilience of our critical sectors, processes, and data. The ever-increasing cybersecurity threats–in which smaller countries and non-state actors are also entering the global battlefield–undermine our digital sovereignty. These concern the entire spectrum of direct threats to our vital infrastructure (sabotage), systematic theft by foreign states of intellectual property from our knowledge-intensive industries (economic espionage), digital extortion (ransomware attacks), targeted misinformation (fake news), and systematic infiltration of social media to influence elections and democratic processes.
As far as cyber threats are concerned, digital sovereignty cannot be separated from the three basic principles of information security, also known as the CIA of cyber security: confidentiality, integrity, and availability. In these three domains, autonomy must be safeguarded, not only at the level of a specific system in a specific sector (such as an information communications and technology (ICT) system in the criminal justice chain) but also in the larger framework of the economy and democracy.
Examples: Control over essential economic ecosystems
Economic espionage: the systemic theft by hostile states of intellectual property and know-how of our high-tech companies and universities undermines Europe’s future earning capacity.
Cloud infrastructure: the EU is mainly dependent on digital infrastructures owned by a number of major foreign market players, which offer limited portability and interoperability of data and applications. For innovation with AI, you need large quantities of harmonized data and computing power to process these data. Individual companies do not have sufficient data to innovate, and, therefore, the data of companies in a specific industry sector will have to be combined. This is currently difficult as companies’ data are stored in silos in the clouds of foreign tech providers. As a result, these have limited availability for European innovation. Access to harmonized data and cloud infrastructure will become the foundation for the European innovation and knowledge infrastructure. Maintaining control over this is an essential part of digital sovereignty.
Examples: Control over democratic processes and the rule of law
Manipulation of the election process: when our governments are not in control of critical democratic processes like elections, it mainly affects the internal legitimacy of the state (the trust of citizens in the state). However, when a state is not in control of the election process because it has been infiltrated and manipulated by foreign powers, its external legitimacy may also be compromised. For example, during the pandemic, both China and Russia blatantly pushed “fake news” to undermine our governments’ COVID-19 responses. This undermined not only the internal legitimacy of our governments but also their external legitimacy. Whereas before COVID-19 China and Russia at least tried to hide their involvement in cyberattacks, they are now doing so blatantly. It shows Europe’s weakness; these states do not fear that retaliations will be forthcoming, undermining the EU’s external legitimacy.
Infiltration of a vital government process can also undermine trust in the rule of law. Illustrative is an incident in Germany. In January 2020, Der Spiegel reported that the Berlin High Court (responsible for terrorism cases) had been systematically infiltrated by a Russian hacker group probably sponsored by the Russian government, identified as APT 28 (Advanced Persistent Threat). This hacker group had previously been held responsible for the infiltration of the German Bundestag. The attack focused on data exfiltration, accessing the entire database with identities of suspects, victims, witnesses, and undercover agents, and informants. These types of infiltration both undermine a governments’ internal and external legitimacy.
3.3 Increasing geopolitical tensions
EU policy options are seriously hampered by the increasing geo-political tensions. The EU increasingly finds itself the piggy-in-the-middle in a bipolar world. Digital technologies have become the battleground for the race for global leadership between the U.S. and China (aka the tech cold war). The battle is mainly about leadership in the field of 5G/6G, quantum computing, computer chip technology, and AI. Both the U.S. and China have chosen the route of tech protectionism, regularly drawing the national security card to justify addressing critical supply chain issues (exposed by the pandemic) by bringing manufacturing back to their countries, imposing stricter export controls of critical technology, and stepping up controls of foreign direct investments (FDI). Recent U.S. executive orders ensure that almost any ICT-related activity in the U.S. connected to China is now subject to regulatory review by the U.S. government. Not surprisingly, China is retaliating.
The restrictions imposed by the U.S. and China play a role throughout Europe in, for example, the choice of suppliers for 5G equipment, for which Huawei was initially an important potential candidate. Over time, restrictions will likely extend to other equipment, such as Huawei servers that support cloud services, the presence of Chinese suppliers in the Internet of Things (IoT), cameras, airport scanners, and other surveillance equipment, and drones of Chinese origin. Giving in to U.S. pressure will potentially in turn lead to further Chinese pressure on European governments, including threats of Chinese import restrictions on European equipment and products. This ultimately affects European digital sovereignty and makes it more urgent for the EU to develop its own offerings as well.
3.4 Data as a weapon
Concerns of the superpowers go beyond ICT-supply chain dependencies and extend to concerns about what their adversary can do with the data of their companies and citizens (they consider data as a weapon), resulting in bans on the export of important data outside their territories.
President Trump kicked off tensions by banning popular Chinese apps – such as TikTok and WeChat – from the U.S. app stores because these would undermine its “national security, foreign policy and economy.” Trump’s ban was met with severe skepticism; it was considered part of the trade war with China, more than based on true concerns about the privacy of U.S. citizens. However, subsequent reports about the massive mining by China of Western social media data to equip its government agencies, military, and police with information on foreign targets, should give anyone pause. President Biden dropped President Trump’s ban, only to replace it with an executive order that provides powers to protect sensitive data of U.S. citizens from foreign adversaries.
In response, in November 2021, China issued two pieces of sweeping privacy legislation, banning all exports outside China of “important data,” being any data that may endanger national security or public interests. Reviewing the categories of data caught by this definition shows that it is difficult to envisage what data could still be exported (e.g., covered are already personal data relating to more than 100,000 citizens). More telling is that China is willing to crack down on its own tech companies to prevent data of Chinese citizens from ending up in the U.S. In June 2021, when Didi, the Chinese equivalent to Uber, got listed on the New York Stock Exchange, Chinese regulators retaliated by banning the Didi app from the Chinese app stores, alleging that Didi was illegally collecting users’ personal data. China subsequently announced stricter control over foreign listings of Chinese companies.
Example – concern about China harvesting biological data
In January 2021, it was widely reported in the U.S. media that at the outbreak of the pandemic, the world’s largest biotech firm (based in China and with strong ties to the Chinese government) made an offer to the governors of six U.S. states to help build and run state-of-the-art COVID-19 testing labs against very favorable conditions. So good that it seemed like an offer the states could not refuse. However, when the governors compared notes, they concluded that some offers are indeed too good to be true. The ulterior motive of the offer was likely to obtain biometric information of large parts of the American population to be used for Chinese DNA science, to develop vaccines, and precision medicine. The offer led U.S. officials to issue public warnings to hospitals and governmental agencies that “Foreign powers can collect, store and exploit biometric information from Covid tests.” The Chinese quest to control biodata and control health care’s future is also called the new space race.
The concerns about large-scale harvesting of social media data extend beyond the individual privacy of citizens, they also concern the protection of our collective data. Analysis of data of a large enough portion of a population will be predictive for the entire population. The General Data Protection Regulation (GDPR) does not provide protection here. For example, if sufficient EU citizens provide consent for analysis of their DNA by a Chinese company, this will potentially impact us all. Concerns about the Chinese harvesting of social media data (via apps like TikTok) become more understandable when one considers that hereditary data (from DNA) can now be combined with socioeconomic data (information about how we live, what we eat, when we exercise and sleep). With information about heredity and environment, suddenly precision medicine will be possible, potentially bypassing doctors. China itself is well aware of the risks, and clamped down on any access to their biological data and samples.
Note that where both the U.S. and China have large digital service providers importing EU data and limit exporting their own data, data transfers by the EU are increasingly a one-way-street. In response, we see the EU also reconsidering its policy options, resulting in data localization requirements creeping in at, for example, the EU standard setting level for cloud services and data export restrictions on non-personal data under the draft Data Act, stricter even than under the GDPR for personal data.
4. Europe’s push for digital sovereignty
The European Commission (EC) acknowledges that Europe’s sovereignty will have to be supported by a “smart” combination of measures as becoming self-sufficient is not realistic for Europe, and also not desirable. With the EU policy measures, the EC is aiming to pave a third way, aiming to avoid falling into the trap of tech protectionism. The policy is, for example, not to exclude foreign digital providers, nor for Europe to build its own hyperscalers. And rightly so, if you have concerns about vendor and data lock-in with current big tech companies, you will have similar concerns with their EU equivalent. Rather than blocking foreign suppliers, EU digital strategy is about breaking through vendor/data lock-in by a policy based on open data, open infrastructure, and open source.
Note that concerns about vendor and data lock-in are not limited to the EU. Governments around the world (including the U.S. and China) are currently considering their policy responses and antitrust investigations are underway on all continents. The dominant positions (winner takes all) are a sign of the times and should not be taken as a given. As said, our society is undergoing a technological revolution, which brings along disruption and friction. History shows that whenever new technologies disrupt society, it needs time to adjust and regulators always play catch-up. At this time, the digital society is still driven by the possibilities of technology rather than social and legal norms. These frictions will ultimately be addressed. For example, the first industrial revolution brought child labor, abuse of workers, and the skies of London were so full of soot that people fell ill. The barons of the new industry (steel, oil, copper, and coal) reigned supreme, with worsening inequalities due to their monopolist positions. Ultimately many new laws were introduced, most notably the first antitrust regulation, which broke up the monopolies. Illustrative here is that President Biden, when introducing his Executive Order on Promoting Competition in the American Economy, made several references to the importance of abiding to the original principles of antitrust regulation also in the new digital economy:
“It is the policy of my Administration to enforce the antitrust laws to meet the challenges posed by new industries and technologies, including the rise of the dominant Internet platforms, especially as they stem from serial mergers, the acquisition of nascent competitors, the aggregation of data, unfair competition in attention markets, the surveillance of users, and the presence of network effects.”
My point here is that governments around the world (including the U.S., China, and the EU), are currently considering their policy response and antitrust investigations are underway on all continents. Once these have done their work, the world will look very different indeed, which includes international data transfers. A sign of the times is Microsoft’s announcement in May 2022, to create an EU boundary of the Microsoft Cloud, promising all EU customers to process and store all their data in the EU by the end of 2022. A similar commitment has been made by Zoom.
4.1 Open data
The cornerstone of EU digital policy is the EU Strategy for Data, which aims to democratize access to data assets and drive data sharing in open digital ecosystems across the whole EU economy. It also aims to create a single market for data to be exchanged across sectors efficiently and securely within the EU in a way that fits European values of self-determination, privacy, transparency, security, and fair competition. The centerpiece of the European Data Strategy is the concept of European data spaces, bringing together EU data of nine defined sectors (including financial, health, and government) so that the scale of data required for AI-related innovation can be achieved. The design of the data spaces will be based on full interoperability and data sovereignty, whereby users will be provided tools to decide about data sharing and access. With the actual parties that generate the data regaining control, large hyperscalers will no longer be able to achieve vendor/data lock-in in their proprietary eco-systems. In this context also fits the Data Governance Act, opening up public data for innovation through independent intermediaries, and the draft Data Act, providing a harmonized framework for all data sharing, conditions for access by public bodies, portability and interoperability requirements for cloud services, and data export restrictions for non-personal data even more strict than those prescribed by Schrems II.
4.2 Open infrastructure
Another flagship initiative is the GAIA-X project, which is aimed at achieving interoperability between cloud offerings to achieve the required scalability of the cloud infrastructure for AI-related innovation, not by creating Europe’s own vertical hyperscalers but by networking (making interoperable) the current European offer of cloud infrastructure, enabling clients to scale up within that network (i.e., scaling up in a horizontal way). This is achieved by setting common technical standards and legal frameworks for the digital infrastructure and standardizing contract conditions. This form of interoperability goes beyond portability of data and applications from one vendor to another to prevent vendor lock-in; it really concerns the creation of open APIs, interoperability of key management for encryption, unambiguous identity, and access management, etc. Cloud providers will be expected to offer a choice as to where personal data are stored and processed.
The GAIA-X project is not a comprehensive European policy, but it is a concrete realization of the open interfaces, standards, and interconnection needed for the European policy and is explicitly based on principles of sovereignty-by-design. The project is open to foreign suppliers as long as they embrace the principles. From a digital sovereignty perspective, the GAIA-X project is a logical and promising initiative that is gaining more and more traction. The expectation is that once the design principles are agreed upon, these may well become mandatory for all cloud services in Europe. Some of the elements (portability and interoperability requirements and data export restrictions for non-personal data) are already included in the draft Data Act.
4.3 Open source
The EC has an active open source software strategy, where open source solutions are preferred when equivalent in functionalities, total cost, and cybersecurity, which facilitates decentralized and federated services that can be independently audited, contributing to public trust. Open source technologies can further be worked on collectively, which provides benefits of scale (combining the EU R&D to potentially match the R&D budgets of the big tech companies), but also ensures self-sovereignty as open source can always be subsequently forked individually for specific solutions.
History shows that whenever new technologies disrupt society, it needs time to adjust and regulators always play catch-up. At this time, the digital society is still driven by the possibilities of technology rather than social and legal norms. This inevitably leads to social unrest and calls for new rules. Threats to EU digital sovereignty have led to a flurry of EU digital policy measures that will disrupt the digital landscape as we know it by working towards open infrastructure, open data, and application of open source technology.
The data transfer debate is no longer a culture war about differences in what are acceptable state powers to access data, but about being in control of the digital infrastructure and data required for EU digital innovation. The invasion of Ukraine by Russia, will only strengthen the EU’s resolve to become more independent. Once EU digital policy has done its work, the world will look very different indeed. The EC well recognizes the value of data transfers where required for running a cross-border business. Companies are advised to implement Schrems II compliance there. These transfers will ultimately be facilitated by the renewed trans-Atlantic transfer agreement when it materializes and is upheld before the EU courts. For the rest, companies will have to wait for how EU policy settles and how this impacts the global service models of the large technology providers.
 * This article draws on an earlier article: Timmers, P., and L. Moerel, 2020, “Reflections on digital sovereignty,” E.U. Cyber Direct, January 15, https://bit.ly/3s7sz2K, originally written in assignment of the University of Utrecht 2020 Annual Constitutional Law Conference: Constitutional law in the data society. https://www.c-span.org/video/?519026-1/us-europe-agree-plan-reduce-russian-gas-dependency.
 Kwet, M., “Digital colonialism: US empire and the new imperialism in the global south,” Race & Class 60:4, 3-26.
 Amiot, E., I. Palencia, A. Baena, and C. de Pommerol, 2020, “European digital sovereignty: syncing values and value,” Oliver Wyman, https://owy.mn/3LOpGf7.
 Digital Services Act package, Inception Impact Assessment, https://bit.ly/34TSe6u.
 For definitions see: Timmers, P., 2019, “Strategic autonomy and cybersecurity,” E.U. Cyber Direct, May 10, https://bit.ly/3v67gAu.
 Timmers, P., 2019, “Challenged by ‘digital sovereignty,’” Journal of Internet Law 23:6, 1, 18.
 See for in-depth discussion see Timmers, P., and L. Moerel, 2020, “Reflections on digital sovereignty,” E.U. Cyber Direct, January 15, https://bit.ly/3s7sz2K.
 For an accessible book, see Brynjolfsson, E., and A. McAfee, 2014, Second machine age: work, progress, and prosperity in a time of brilliant new technologies, W.W. Norton & Company, which gives a good overview of the friction and disruption that arose from the industrial revolution and how society ultimately responded and regulated negative excesses and a description of the friction and disruption caused by the digital revolution. A less accessible, but very instructive, book on the risks of digitization and big tech for society is Zuboff, S., 2019, The age of surveillance capitalism, Public Affairs, [hereinafter: Zuboff (2019)].
 Kranzberg, M., 1986, “Technology and history: “Kranzberg’s laws,”” Technology and Culture 27:3, 544-560.
 Van Boheemen, P., L. Kool, and J. Hamer, 2019, “Cyber resilience with new technology – opportunity and need for digital innovation,” Rathenau Instituut, July 20, https://bit.ly/3LN7YsB. See also the Dutch Cyber Security Council Recommendation, 2020, “Towards structural deployment of innovative applications of new technologies for cyber resilience in the Netherlands,” CSR Opinion 2020, no. 5, p. 3.
 See for an overview of U.S. and Chinese research investments, Smith-Goodson, P., 2019, “Quantum USA vs. quantum China: the world’s most important technology race,” Forbes, October 10, https://bit.ly/3sWJowv.
 In October 2019, Google claimed to have reached quantum supremacy with its Google quantum computer called Sycamore (https://go.nature.com/3JIJ9vL). On December 3, 2020, Chinese quantum computing researchers also claimed quantum supremacy (https://bit.ly/3vckY4W).
 Keen not to fall behind major U.S. tech firms in quantum computing, the Chinese company Tencent announced that it plans to invest U.S.$70 bln in infrastructure and quantum computing (https://bit.ly/3s7RkMc).
 Timmers, P., 2020, “There will be no global 6G unless we resolve sovereignty concerns in 5G governance,” Nature Electronics 3, 10-12. See also the German “Industrial strategy 2030. Guidelines for a German and European industrial policy,” (https://bit.ly/3t1c7Am) in which it is recognized that insufficient grip on new technologies poses a direct risk to the preservation of the technological sovereignty of the German economy.
 Sanger, D. A., 2018, The perfect weapon: war, sabotage, and fear in the cyber age, Scribe U.K.; Kello, L., 2017, The virtual weapon and international order, Yale University Press; Corien Prins also points out that the new digital weaponry is changing the (geopolitical) order: “The balance of power is shifting, now that smaller countries can also enter the global battlefield. Without having to engage in a large-scale military confrontation or actually enter the territory of another state. In short, it is relatively easy to develop great clout,” https://bit.ly/3JOI8Td.
 Kiesel, R., A. Fröhlich, S. Christ, and F. Jansen, 2020, “Russische Hacker könnten Justizdaten gestohlen haben,” Der Tagesspiegel, January 28, https://bit.ly/3v8I1xB.
 FACT SHEET: Biden-Harris Administration bringing semiconductor manufacturing back to America,” The White House, January 21, 2022, https://bit.ly/3h7Da7G.
 Congressional Research Service, 2021, “U.S. export control reforms and China: issues for Congress,” January 15, https://bit.ly/3s7pe3D.
 FACT SHEET: Executive Order addressing the threat from securities investments that finance certain companies of the People’s Republic of China, The White House, June 3, 2021, https://bit.ly/33GprBz.
 Executive Order on addressing the threat posed by TikTok – The White House (archives.gov), August 6, 2020 (https://bit.ly/3LRNzlZ); New York Times, 2020, “Trump’s attacks on TikTok and WeChat could further fracture the internet,” September 18, https://nyti.ms/3sUMtxj.
 See Position Paper of the Dutch Online Trust Coalition on regulatory developments at ENISA originating from the Cyber Security Act, https://bit.ly/33IyB0y.
 Proposal for a Regulation on harmonised rules on fair access to and use of data (Data Act), COM(2022) 68 final.
 See Timmers and Moerel (2020) for three approaches to achieve digital sovereignty: risk management, strategic partnerships, or working together on a global level to find solutions in the common interest (global common goods).
 See for overview: https://bit.ly/3h62B9D.
 Moerel, L., Big Data Protection: How to Make the Draft EU Regulation on Data Protection Future Proof (oration Tilburg), Tilburg: Tilburg University 2014, p. 21.
 See for overview: https://iapp.org/news/a/on-the-precipice-why-privacy-and-competition-regulation-face-a-transformative-moment/?mkt_tok=MTM4LUVaTS0wNDIAAAF_J4j_X_RcqZLQlmI7sPVsOiXT9MzvbQg7D4iJTfeCSkaEnHp9we2ubNQ3-Phw-t2WvX2_-gFvJ8ax4MoU4aHvbHQBw4lKAtbIr9zbeQ2iLRQs.
 European Commission, 2020, “A European data strategy,” COM(2020)66, February 19.
 See for overview of the data space design principles: “Design principles for data spaces,” position paper, https://bit.ly/3p79v2O.
 Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act), COM/2020/767 final.
 Proposal for a Regulation on harmonised rules on fair access to and use of data (Data Act), COM(2022) 68 final.
 “A Federated data infrastructure as the cradle of a vibrant European ecosystem,” the GAIA-X project initiated by the German and French governments, October 2019, based on principles of sovereignty-by-design.
 In the Netherlands, a coalition of TNO and a number of industry associations are actively contributing to the GAIA-X project, https://bit.ly/3p7hbSx.
 Communication to the Commission Open Source Software Strategy 2020 – 2023 Think Open, C(2020)7149 final, https://bit.ly/3BNhozx.