This article first appeared in Strategic partnership for a secure and digital Europe published in November 2022, with a foreword of the Slovenian Minister of Digital Transformation Dr Emilija Stojmenova Duh, by the Centre for European Perspective (CEP) in partnership with the Atlantic Council, Europeum, The Kosciuszko Institute and ECIPE. It is republished here with the kind authorisation of the editors.
In an article published in November 2021 dedicated to the important concept of ‘European Digital Sovereignty’, I defended the idea that the European Union (EU), beyond its regulatory action in the digital sphere, should also consider working closely on some issues with certain democracies that share several of Europe’s human rights values. Paul Timmers had previously expressed this idea by talking about ‘strategic partnerships’ and by emphasising that Europe’s quest for ‘strategic autonomy’ should be coupled with an awareness of ‘strategic interdependence’, which would:
‘include strategic partnerships with like-minded countries, as well as efforts to push for a global consensus on issues of ‘global common good,’ including keeping an open internet and information exchange across the world’
According to Timmers, strategic partnerships address the sovereignty gap by collaborating with like-minded, trusted partners in key areas. The starting point is identifying the who and what: who is ‘like-minded’, and what are the key areas? As he explained:
‘“Like-mindedness” is based on shared values, whether these pertain to the individual (such as respect for privacy and autonomy) or to the economy (liberal market economy) or to society and democracy (independent judiciary, freedom of expression, free elections) or to international relations (respect for the system of sovereign states and multilateralism)’.[1]
This idea of ‘shared values’ became much stronger after the invasion of Ukraine by Russia in February 2022. In an article published shortly afterwards, Alex Joel wrote:
‘As we witness Russia’s invasion of Ukraine and the world’s response, I am reminded once again that what unites democracies is so much stronger than what divides us. Our common beliefs, values, and commitments shine clearly across the miles and oceans that lie between us. Yet it can be so easy to lose sight of those commonalities and become distracted by what seem now to be minor differences’.
The objective of the present paper will be to assess whether the strong alliance between the EU and the US in terms of their reaction to Russian aggression in Ukraine could, indeed, lead to a broader ‘strategic partnership’ that promotes certain key values in cyberspace and the digital sphere through regulatory cooperation. The first part of the article will briefly discuss some of the opportunities and hurdles involved in a strategic transatlantic partnership in the digital sphere (I). The second part of the article will attempt to identify the different mechanisms that could be used to promote regulatory cooperation in the tech sphere (II).
I. Transatlantic ‘Like-mindedness’?
There is no doubt that ‘like-mindedness’ is a somewhat relative concept that depends on the issues and values at stake.[2] Serious disagreements about whether to regulate and how to regulate certain specific areas of the digital sphere persist between the EU and some of its closest allies, starting with the US. Such disagreements can also be linked to the broader spectrum of EU-US trade relations and interests. Bilateral trade and investment ties between the two sides are long-standing, strong, and extensive, but frictions often emerge between the partners due to the high level of bilateral commercial activity and different policy approaches to certain specific issues, including those that concern the digital sphere.
During the Trump Administration, EU-US trade ties were fraught. President Biden, however, emphasised from the outset his support for the EU and ‘his commitment to repair and revitalise the U.S.-EU partnership.’ In 2021, the two nations came together to address a series of issues that had provoked a great deal of friction, such as the WTO Boeing-Airbus subsidies dispute, digital service taxes, and US steel and aluminium tariffs and launched new modes of cooperation, notably the US-EU Trade and Technology Council (TTC) to which I will refer in the second part of this article.
Despite these efforts, contentious trade issues remain between the EU and the US. For instance, the US has long criticised what it considers to be EU regulatory barriers to agricultural trade. Conversely, the EU is currently upset about the US’s so-called Inflation Reduction Act, which gives tax credits and financial incentives to US consumers so that they may buy greener cars that are ‘made in the US’. European trade officials are angry about what they see as yet another example of American economic protectionism, which could force EU automakers to double down on their American production while harming investment and jobs within the EU.
In contrast, US officials claim that ‘Brussels was on shaky ground with its accusations of protectionism given how the bloc was promoting its own “digital sovereignty” concept, which includes prioritizing European alternatives to primarily American technologies’.[3] Interestingly, it is precisely the field of the digital economy that the US considers the EU to be increasingly adopting measures that mostly target US companies. Nigel Cory, of the US Information Technology and Innovation Foundation, echoed these concerns by arguing, for instance, against certain EU Member States’ or even ENISA’s attempts to introduce ‘sovereignty requirements’ and an ‘immunity from non-EU laws’ condition in their cloud cybersecurity certifications, by arguing that the ‘EU Is Using Technology Standards as a Protectionist Tool In Its Quest for Cybersovereignty’.
Another area where great friction between the EU and the US exists concerns transatlantic data flows. The Court of Justice of the European Union (CJEU) issued its Schrems II judgment in July 2020, invalidating the EU/U.S. Privacy Shield and creating uncertainty about the use of Standard Contractual Clauses for transfers of personal data to third countries (see analysis here, here, here, here and here). In light of the legal uncertainty and the increasing tensions concerning transatlantic data transfers resulting from the intensification of enforcement actions by European data protection authorities (DPAs) since Schrems II (such as this and this), there was both a strong reason to reach a new EU/US agreement and also a stated willingness on both sides to do so.
In March 2022, the Presidents of the US and the European Commission jointly announced a political agreement for a new ‘Transatlantic Data Privacy Framework’ (TADPF) to ‘foster trans-Atlantic data flows and address the concerns raised by the CJEU in the Schrems II decision of July 2020’. However, it was only six months later that the legal instruments that were intended to implement this political agreement were publicly announced. To be more specific, on October 7th, 2022, President Biden issued an ‘Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities’ (‘EO’), and the Department of Justice supplemented this with a new regulation. As explained by the White House, ‘Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship’. The TADPF intended to ‘restore an important legal basis for transatlantic data flows’ by addressing the two concerns that the CJEU raised in Schrems II, namely, on the one hand, the existence of binding safeguards that limit access to data by US intelligence authorities to what is ‘necessary and proportionate’ to protect national security and, on the other hand, the establishment of an independent and impartial redress mechanism, to investigate and resolve complaints that concern access to European data by US national security authorities. Max Schrems announced that he would very probably legally challenge the new arrangement. The European Commission believes that the CJEU ‘will not strike down the agreement again’ and intends to publish its draft adequacy decision at the end of November. It remains to be seen whether the new arrangement will be validated by the CJEU or whether this major area of friction will remain. Indeed, the US Chamber of Commerce has warned that ‘without secure data flows, meaningful progress on many other critical elements’ of the EU/US cooperation agenda ‘is not possible’.
Despite all these areas of friction, the EU and the US could still try to strengthen cooperation in several significant areas where convergence exists in order to promote common values based on democracy, human rights and a rules-based international system. Indeed, while waiting to converge on other issues, the EU and the US could work together on issues such as cybersecurity and resilience (including those that relate to the Internet of Things); the fight against cybercrime; the fight against illegal online content and disinformation; protection against foreign cyber interference; the protection of freedom of speech and access to information; setting global democratic standards and safeguards for access, by law enforcement and intelligence agencies, to data held by the private sector – a topic for which an extremely important process is currently underway at the OECD, as we will see; a human-centred approach to artificial intelligence; and, most importantly, an open, free and global internet, at a time when more and more firewalls are being erected, and even the architecture of the internet is being challenged by some authoritarian countries in certain standardisation bodies.
Another issue where the EU and the US seem to be in agreement concerns the need for a multi-stakeholder approach. The concept of strategic partnerships should not exclude the private sector. Tech companies should remain the principal target of global regulation so that several issues can be dealt with adequately, such as privacy and data protection; market dominance; power concentration; Zuboff’s ‘surveillance capitalism’; hate speech; or Commissioner Thierry Breton’s accusation that they are sometimes ‘too big to care’[4]. However, tech and other companies can also become, in some cases, precious allies in the promotion of values. Tech companies have, willingly or unwillingly, played a major role in the dissemination of certain European rules and values as a result of implementing, for instance, by means of the very way in which they engineer their products, the GDPR’s principles of ‘privacy by design’ and ‘privacy by default’. Initiatives such as the Paris Call on Trust and Security in Cyberspace show how advantageous it is to have a multi-stakeholder approach to the promotion of cybersecurity and resilience. Global companies could also play a crucial role, together with NGOs and civil society, in pressing governments to put in place effective tools, protections and safeguards when it comes to access by governmental authorities to data held by the private sector.
II. Mechanisms for Strategic Transatlantic Cooperation
Identifying key areas of convergence for EU/US cooperation in setting the rules for the digital world is one thing; trying to determine exactly how this regulatory cooperation would look is another. In this part of my article, I will attempt to briefly present at least six of the vehicles that EU/US regulatory cooperation could use in order to promote common values.
1) Bilateral Cooperation: the example of the TTC
One important vehicle of bilateral regulatory cooperation could be the Trade and Technology Council (TTC). The creation of the TTC was announced in June 2021, marking a significant step towards the reinforcement of the EU/US partnership after the ‘coldness’ of the Trump years. As its website announces, the different cooperation projects within the TTC are ‘based on our shared democratic values, including respect for human rights, that encourage compatible standards and regulations’.
At the inaugural TTC ministerial meeting in September 2021, the US and the EU established ten working groups on various topics including ‘Technology Standards’; ‘Information and Communications Technology and Services Security and Competitiveness’; ‘Data Governance and Technology Platforms’; ‘Misuse of Technology Threatening Security and Human Rights’; ‘Export Controls’; ‘Investment Screening’; and ‘Promoting Small and Medium-Sized Enterprises’ Access to and Use of Digital Tools’ – to name just those most closely related to cyber/data issues.
More details on the work of the TTC and its working groups are provided in Susan Ness’ article in the present publication. It suffices to recall here that, in the Joint Statement released after the second TTC meeting, which took place in May, 2022, in Saclay-Paris, a few months after Russia invaded Ukraine, the EU and the US characterised their partnership as a ‘cornerstone of shared strength, prosperity, and commitment to freedom, democracy, and respect for human rights.’ They stressed that ‘as recent events have proven, strong transatlantic bonds and cooperation on issues related to trade, technology, and security are more important than ever.’
The 3rd TTC meeting will take place in Washington, DC, on December 5th, 2022. The negotiators are feeling the pressure to put aside divergences and to start ‘showing results’, which include announcing common action against foreign interference, greater cooperation on artificial intelligence standards/rules and other outcomes. As Susan Ness concludes in her article, ‘deepening US-EU cooperation is a marathon, not a sprint’. It ‘remains to be seen whether the two partners can deliver’ on the lofty goals they fixed.
2) Common action in international organisations: the example of the ITU and the UN
A second vehicle for EU/US regulatory cooperation in the digital sphere is to undertake common action in order to protect shared values in international organisations. Two major recent examples could be cited in this respect.
The first is the alliance between the EU and the US in the International Telecommunications Union. This organisation, created in 1865, is the United Nations’ specialised agency for information and communication technologies (ICTs). It plays a major role today in setting international standards for ICTs and has become, as Politico noted, ‘ground zero in a battle for how internet networks work — everything from next-generation mobile networks to potential worldwide rules for autonomous cars’.[5] The EU and the US have realised both the importance of the ITU and the effort of some authoritarian states, such as Russia and China, to use international standardisation organisations as a means of promoting their model of the digital world. In a sign of successful transatlantic cooperation, the EU recently strongly supported Doreen Bogdan-Martin, the US candidate for the position of Secretary General of the ITU, who ran against a Russian candidate. The US, in return, supported Tomas Lamanauskas, the European candidate, for the post of the organisation’s Deputy Secretary General. As a result, both of them won with a comfortable majority.
Another example of cooperation in international organisations is the common action of the EU and the US to promote certain human rights values, in the context of the ongoing negotiations over a UN Cybercrime Convention.
On 28 February 2022, following a Russian initiative, the first session of the UN Ad Hoc Committee to elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes began with the intention of adopting such a Convention until 2024.
The EU and the US have various important concerns in relation to these negotiations.
The first concern is about the relationship with the Budapest Convention. Russia has always refused to join the Budapest Convention against cybercrime, accusing it of having established a principle that ‘might damage the sovereignty and security of member countries and their citizens’ rights’. Russia’s hostility to the Budapest Convention has therefore raised Western countries’ fears that the initiative brought by Russia could be intended to compete with the Budapest Convention. This is why the US, the EU, and other Western countries have underlined, in many statements to the UN, their full support of the Budapest Convention.
The second concern for the EU and the US is that some UN Member States could attempt to use the UN Convention in order to call into question certain well-established principles, especially in the field of human rights. This concern has been all the greater since Russia submitted a draft convention to the United Nations that introduced no less than 23 criminal offences, some of which could be challenging in terms of human rights and freedom of expression. The EU and the US argued that ‘substantive criminal law provisions must be clearly and narrowly defined, and be fully compatible with international human rights standards’ (EU 1st Session) and that ‘we should be careful not to treat traditional crimes as a ‘cybercrime’ merely because a computer was involved in their planning or execution’ (US 1st Session). Therefore, they agreed to restrict the number of offences to cyber-dependent crimes and to a limited number of cyber-enabled crimes (US 1st Session; EU 1st Session).[6] The fourth session of negotiations will take place in Vienna at the beginning of 2023, and the EU and the US, despite their divergences on some issues, seem intent on joining forces in the defence of human rights.
3) Promoting soft law on important matters: the example of the OECD
A third vehicle of transatlantic cooperation could be the proclamation of soft law principles within certain important international institutions such as the OECD.
The recent successful conclusion of the OECD international talks on a global taxation system for tech giants is a good illustration of how some international organisations, especially the OECD, could represent the appropriate fora for addressing the complexities of certain digital regulatory projects and finding satisfactory multilateral solutions.
Another example of successful action within the OECD was the adoption, in May 2019, of the Recommendation on Artificial Intelligence (AI) – the first intergovernmental standard on AI. The recommendation aims to ‘foster innovation and trust in AI by promoting the responsible stewardship of trustworthy AI while ensuring respect for human rights and democratic values’. Complementing existing OECD standards in areas such as privacy, digital security risk management, and responsible business conduct, the recommendation focuses on AI-specific issues and includes a series of principles concerning the responsible stewardship of trustworthy AI and calls on AI actors to promote and implement them. The OECD also hosts the newly launched Global Partnership on Artificial Intelligence (GPAI) in order to promote certain commonly shared values more easily and globally, such as the use of AI in a human-rights-friendly and ethical way.
The third field where the OECD is undertaking ground-breaking work, with the strong involvement of the US and the EU, is that which concerns government access to data held by the private sector. In December 2020, OECD countries quietly embarked on an unprecedented exercise to formulate common principles governing their access, for national security and law enforcement purposes, to personal data held by the private sector. The project is based on the premise that these democratic governments, despite divergences in their legal systems, share many commonalities in this area and that articulating these commonalities can help restore trust in data flows between countries but also highlight how they differ from authoritarian regimes that engage in indiscriminate access to individuals’ data. After some difficulties in 2021, work on this project continued in an intensive manner, and Politico reported on October 20th, 2022, that ‘there are wisps of white smoke on a deal’.[7]
4) Building multilateral ad hoc alliances: the example of using a task force to counter ransomware
Even outside the fora of existing international organisations, the US and the EU can build informal ad hoc alliances in order to act on certain important cyber/data issues. The latest example is the International Counter Ransomware Task Force (ICRTF), announced on November 2, 2022, following a meeting at the White House of the Counter Ransomware Initiative, which was established last year to strengthen global cooperation on countering ransomware attacks. The US and the EU, along with a group of 36 nations, have therefore decided to form this task force to counter ransomware attacks as part of a broader international effort to crack down on cybercriminals. The ICRTF, which will be led initially by Australia, will coordinate efforts to disrupt and counter ransomware payments, along with promoting information sharing between task force members. The ICRTF also intends to consider a model for ongoing collaboration with key private sector partners.
5) Strategic bicameralism
A fifth vehicle of regulatory cooperation could be based on a broader version of what two authors have called ‘strategic bicameralism’.
Jeffery Attik and Xavier Groussot introduced this term to primarily describe:
‘A process wherein the form of legislation is first adopted by the EU (by analogy to initiating chamber of a bicameral legislature) and then ‘proposed’ to the US (the responding chamber) for rejection or reconciliation’.
The priority (legislative initiative) given to the EU in this ‘bicameral’ paradigm is without doubt due to the fact that Europeans are often those who initiate regulatory action in a series of fields in a largely unoccupied regulatory space. In her remarkable book The Brussels Effect, Anu Bradford[8] describes how the EU today ‘promulgates regulations that influence which products are built and how business is conducted, not just in Europe but everywhere in the world’.
The influence of the EU in global digital regulation extends well beyond the important field of data protection, as the EU has in recent years been at the forefront of almost all global regulatory endeavours aimed at checking the powers of digital giants. From privacy to data protection, from competition issues, to taming ‘gatekeepers’ and platform dominance, to protecting copyright and publishers’ rights, from fighting hate speech and online disinformation to taking the lead on AI regulation, the EU has been a spectacular leader in digital regulation.
It goes without saying that if the US adopts some of the standards and rules initially proposed by the European Union, this could greatly enhance the ‘Brussels effect’ and help remedy several of its limitations (for instance, see here, pp. 24 ff).
Indeed, if the United States enacts legislation similar to those rules proposed for Europe, this could greatly enhance the global spread of such rules. As an example, the recent adoption of the ‘Digital Services Act’ by the EU, which ‘sets out an unprecedented new standard for the accountability of online platforms regarding illegal and harmful content’, has led several politicians in the US to piggyback on these proposals to force the social media platforms to do more on the other side of the Atlantic. It remains to be seen whether the new EU rules in this field will influence similar regulatory developments in the US, something that might be complicated for various reasons, including the feeling that some of the EU regulatory proposals may unfairly target large US technology firms.
In Attik and Groussot’s ‘trans-Atlantic bicameralism’ paradigm, it is the EU that takes the initiative. They note that ‘the privilege of a legislative organ to initiate law-making is frequently more powerful than the subsequent right of the complementary organ to reform, endorse and ratify’, but they also suggest that a positive response from the ‘second’ chamber (the US) could be very helpful in terms of enabling the progressive elimination of conflicts and a ‘process of reconciliation’. One could argue that ‘trans-Atlantic bicameralism’ could also act in the opposite way, with the United States taking the lead in certain regulatory fields such as cybersecurity or protection of critical infrastructure and the EU following suit. It remains to be seen whether ‘strategic bicameralism’ will work in practice, in which specific fields and in what ways. This remains nonetheless an attractive idea, showing that regulatory cooperation can also occur through parallel domestic regulatory action.
6) New Treaties: the example of law enforcement cooperation
The final vehicle that could enable an EU/US strategic partnership is the conclusion of bilateral treaties. An example that could be given here is law enforcement cooperation.
Since the 9/11 terrorist attacks, the EU and the US have negotiated at least eight binding international agreements, which include agreements on law enforcement access to data (for a presentation, see here). On September 25, 2019, the EU and the US officially started negotiations on the conclusion of yet another very important transatlantic agreement on cross-border access to e-evidence with regard to judicial cooperation in criminal matters.
As explained elsewhere, the ongoing EU-US negotiations present many challenges. However, this is a typical example of a field where transatlantic cooperation could be extremely useful, permitting the enhancement of judicial cooperation in criminal matters, the protection of human rights, the fostering of legal certainty and the avoidance of conflicts between the legal orders of different countries.
* * *
In conclusion, a wide range of mechanisms can be used in to promote transatlantic regulatory cooperation in the digital sphere. The war in Ukraine has shown, once again, how important it is for the EU and the US to take the lead in promoting certain shared values, which are based on human rights, democratic accountability, and respect for the rule of law. Several important hurdles and disagreements however stand in the way of fruitful transatlantic regulatory cooperation. It remains to be seen whether the two sides will be able to find common, satisfactory solutions to these disagreements and divergent views, in order to be able to fully liberate the potential of a strategic transatlantic partnership in the digital sphere.
[1] Paul Timmers, “Challenged By ‘Digital Sovereignty’”, Journal of Internet Law, Vol.13, n°6, December 2019, at 15.
[2] See also Paul Timmers, ibid.
[3] See Barbara Moens, Mark Scott, “Von der Leyen tries to demine transatlantic trade dispute”, Politico,· October 26, 2022.
[4] Thierry Breton : « L’UE doit organiser l’univers numérique pour les 20 prochaines années », Le Point, September 27, 2020.
[5] M. Scott, C. Goujard, “Digital great game: The West’s standoff against China and Russia”, Politico, September 8, 2022.
[6] Many thanks to Professor Karine Bannelier for her help in drafting this passage.
[7] The author serves as external consultant for the OECD Secretariat on this project. The opinions expressed here are the author’s only and do not reflect the position of the OECD Secretariat or any OECD country.
[8] Anu Bradford, The Brussels Effect, Oxford University Press, 2020.
These statements are attributable only to the author, and their publication here does not necessarily reflect the views of the Cross-Border Data Forum or any participating individuals or organizations.