Over the past year, the European Union’s ambitious digital regulatory agenda has steadily advanced. The EU adopted the far-reaching Digital Markets and Digital Services Acts, and it is completing negotiations with the United States on a revised data transfer regime, christened the Transatlantic Data Privacy Framework (TADPF), that was necessitated by the Schrems II judgment of the Court of Justice of the European Union (CJEU). These developments have had a significant impact on transatlantic economic relations, even stimulating legislative initiatives on privacy and antitrust in the United States. One might think that resolving such contentious topics would set the stage for a quieter, more harmonious phase in the transatlantic technology policy relationship.
As EU regulatory activity resumes this fall, a lesser-known initiative – creating an EU-wide certification framework for ICT products and services (EUCS) – could cause renewed disturbance between Brussels and Washington, however. Under the EUCS proposal being developed by the EU’s cybersecurity agency ENISA, cloud service providers would be compelled to localize their operations and infrastructure within the EU and to demonstrate their ‘immunity’ from foreign law.
Europe’s concerns about the security of U.S. cloud services providers are in fact closely intertwined with its worries, expressed in Schrems II, about the privacy of Europeans’ information entrusted to these companies. In both cases, European policymakers fear the perceived extraterritorial reach of U.S. national security surveillance and law enforcement authorities. New cybersecurity regulation thus is seen as another way to safeguard Europe’s ‘sovereign’ interest in protecting data from foreign government access. It also would reinforce separate European efforts to bolster smaller, home-grown cloud service providers, including through the GAIA-X project to create an interoperable network “explicitly based on principles of ‘sovereignty-by-design,’” as a leading European technology lawyer has characterized it.