A Critical Appraisal of Digital Policy and Regulatory Legislation in EU

1. Introduction

The aim of this paper is to (1) provide an overview of the building blocks of EU policy and regulatory ambitions and activities in the digital domain, (2) provide a critical assessment of this set of policies and regulations, and (3) draw conclusions from the analysis undertaken here.

This document is structured in the following way

A quick scan of the EU digital policy activism
The more the better? – A critical appraisal
Europe’s Digital Dependency is a wake-up call

2. A quick scan of the EU digital policy activism

For three years, the EC is just rolling over with a tsunami of new regulations and we have not only GDPR, but by now also many others. This digital policy activism includes the production of both non-legislative (i.e., strategies, action plans, etc.) and legislative acts (i.e., already applicable regulations and directives, as well as proposals for such regulations or directives).

In its own words, the European Commission is determined to strengthen Europe’s digital sovereignty and set standards rather than follow those of others – with a clear focus on data, technology, and infrastructure. The plan ‘A Europe Fit for the Digital Age’ is one of the most important and includes 16 flagship initiatives (listed in no particular order): Artificial Intelligence Act, Data Strategy, Industrial Strategy, Chips Act, Digital Markets Act (DMA), Digital Services Act (DSA), Digital Identity (eID),[1] High Performing Computing, Digital Skills, Cybersecurity, Space (including a genuine European LEO satellite constellation), Connectivity, Contributing to European Defense, EU-US Trade and Technology Council, Cloud Strategy, Quantum Technologies Flagship (which includes Quantum Computing, Quantum Communication and others).

With these activities, the European Commission is, on the one hand, creating a very complex policy framework and, on the other hand, Europe has increasingly become a “global regulatory superpower” with far-reaching regulations and stricter consumer protection designed and implemented. These regulations have achieved international reach due to the “Brussels Effect” and their extraterritorial nature. This raises immediate questions: (1) How will the enforcement of such a complex regulatory framework be organized at the national and European levels, and (2) will this plethora of regulation be sufficient for Europe to successfully defend its prosperity and promote its innovative and industrial strength on this basis in the future? These questions will be addressed in the following Chapter.

Digital Strategy and Compass: The Digital Strategy for the new decade is presented in the Communication ‘Shaping Europe’s digital future’ released on 19 February 2020. It identifies four axes (technology for people; fair and competitive economy; open democratic and sustainable society; Europe as a global player) and contains a total of about 30 single priority actions. The Digital Strategy pays its rhetorical tribute to the mantra of sovereignty at the very beginning, when it states that “European technological sovereignty starts from ensuring the integrity and resilience of our data infrastructure, networks, and communications. It requires creating the right conditions for Europe to develop and deploy its own key capacities, thereby reducing our dependency on other parts of the globe for the most crucial technologies. Europe’s ability to define its own rules and values in the digital age will be reinforced by such capacities. European technological sovereignty is not defined against anyone else, but by focusing on the needs of Europeans and of the European social model. The EU will remain open to anyone willing to play by European rules and meet European standards, regardless of where they are based. Citizens should be empowered to make better decisions based on insights gleaned from non-personal data. And that data should be available to all – whether public or private, big, or small, start-up or giant. This will help society to get the most out of innovation and competition and ensure that everyone benefits from a digital dividend. This digital Europe should reflect the best of Europe – open, fair, diverse, democratic, and confident”

Digital sovereignty is framed as a need for Europe to cope with its weaknesses, and as a justification to set ambitions high to ensure resilient and open strategic autonomy. On 9 March 2021, the European Commission presented a vision and avenues for Europe’s digital transformation by 2030. The Commission proposes a Digital Compass for the EU’s digital decade that evolves around four cardinal points:

The Digital Compass first highlights the opportunities and challenges posed by the Covid-19 pandemic. It calls on Europe to pursue both empowering actions and address weaknesses and vulnerabilities, where digital sovereignty is mentioned: “[Europe] needs to carefully assess and address any strategic weaknesses, vulnerabilities and high-risk dependencies which put at risk the attainment of its ambitions and will need to accelerate associated investments. That is the way for Europe to be digitally sovereign in an interconnected world by building and deploying technological capabilities in a way that empowers people and businesses to seize the potential of the digital transformation and helps build a healthier and greener society. In the State of the Union Address in September 2020, President von der Leyen announced that Europe should secure digital sovereignty with a common vision of the EU in 2030, based on clear goals and principles. The President put special emphasis on a European Cloud, leadership in ethical artificial intelligence, a secure digital identity for all, and vastly improved data, supercomputer, and connectivity infrastructures”.

The target for semi-conductors aims at doubling the EU share in their global production by 2030, that is from 10% to 20%. This seems (over)ambitious given the current relative position of Europe compared to its global competitors. See also European Commission, Press Release of 8 February 2022 Digital sovereignty: Commission proposes Chips Act to confront semiconductor shortages and strengthen Europe’s technological leadership.

3. The more the better? – A critical appraisal

The digital plans (both non-legislative initiatives, legal acts, and legislative proposals) presented by the EC so far can be criticized in three regards.

First, an oversupply of regulations may indicate a lack of an overarching coherent vision and a widening gap between reality and political-economic ambition, particularly in terms of the investment required. Digital policy, industrial policy and innovation policy are not sufficiently aligned, and regulation is carried out largely in isolation. Telecoms regulatory authorities in the EU have become ever less relevant in the digital domain, as EU telecom firms get increasingly bypassed and left behind by large digital platform and cloud providers, and China’s techno-state policy. To make matters worse, regulatory authorities focused only on market conditions rather than the wider interests of competitiveness and digital sovereignty.

The reasons for the failure are threefold: (1) Regulators are not mandated to address the wider interests in the digital field, (2) they are not mandated to use a wider toolbox than traditional telecoms regulatory policy, and (3) a degree of blindness to the huge changes which has been made worse by institutional fossilization.[i] Telecoms regulatory authorities need to break out of their sectoral silo. Fortunately, many are willing to do so and 6G offers the opportunity.

It follows that a smart[ii] combination of regulation, innovation policy, and industry policy[iii] is needed to, (1) foster regulatory innovation such as anticipatory regulation, sandboxing, and agile policymaking in the telecommunications and digital ecosystem, and (2) ensure that regulation also helps foster innovation and strengthen the industrial environment.[2]

The second element concerns the enforcement of these very complex rules. On July 5, 2022, the Commission published a sneak peek of how enforcement will be organized. EU Internal Market Commissioner Thierry Breton previously said the Commission plans to hire about 120 staff to implement the DMA and bring in experts with a wide range of technical backgrounds. According to POLITICO, Olivier Guersent, the head of the commission’s competition department, acknowledged on Oct. 10, 2022, that the European Commission is struggling to find staff with the “right skills” to enforce the DMA in the future. One of the reasons is that it has been difficult to attract individuals with a technical background (particularly data scientists) to the European Union’s digital gatekeeper rules, as higher salaries are paid in industry. Staffing for the Commission’s future enforcement of the DMA has been a contentious issue. The European consumer group BEUC penned a letter to EU competition chief Margrethe Vestager in May, saying they are “concerned that the Commission will not be in a position to exercise its roles effectively unless it has sufficient human and technical resources, including IT tools and digital specialist expertise.” It is not an exaggeration to express doubts about the effectiveness of enforcement, because even with 120 staff, the Commission will be a David against the Goliath-like legal firepower of the big platforms. It will have to pick its battles very carefully.

It is interesting to note, however, that in the background, efforts are apparently being made to supplement the Commission’s obviously unsuccessful efforts to centralize effective enforcement with organized cooperation with the established competition authorities in large member states, such as Germany, France, and Italy.

The third element concerns the complexity, some inconsistencies and lack of coherence that the new legislative proposals will entail. This has been shown in the most recent and thorough critical assessment of digital legislation contained in a report delivered for the European Parliament. This report shows (pp. 53-72) that inter-play and inter-dependency of the AI Act with other pieces of legislation (on cybersecurity, privacy, liability, and in relation to both the DSA and DMA) can generate problems of regulatory coherence and uncertainty. It is also advisable to take a closer look at the direct and secondary effects in other areas as soon as specific areas are subject to new regulations.

4. Europe’s Digital Dependency is a wake-up call

A recent research report,[3] funded by the Konrad Adenauer Foundation (KAS) concluded, that Europe has not fully recognized its digital dependency yet. The results of measuring digital dependence suggest a sober reassessment of the status of “digital autonomy”. The Digital Dependency Index DDI has implications for various actors involved in digital policymaking at the national and EU level. The key message is that the degree of digital dependence of EU members is far greater, more pervasive, and multifaceted than often assumed:

European countries are falling behind in every dimension compared to China, South Korea, and the US. In the last decade, Europe’s digital autonomy has eroded as digital interactions have become more asymmetric with China (ICT trade dependence), with the US (infrastructure and platform dependence), and the East Asian region (IP dependence).

European capitals need to rethink their entire approach to digital technologies. If the goal of improving “technological autonomy” is taken seriously, a much more comprehensive and bold approach (policy-wise, timing-wise financially, and strategic vision) would be required.
European companies and governments should put a stronger emphasis on reducing their growing dependency on foreign IP in the ICT field.
Germany [and other European countries] should draw lessons from other “technological middle powers,” especially from South Korea and Japan.

These (and tons of similar) findings clearly show that the current regulatory governance and institutional set up is not sufficiently supportive for achieving digital sovereignty and strategic autonomy. Considering the amazing supremacy of the U.S. in the field of innovation, these facts should generate enough sense for urgency.

5. Conclusions

It seems obvious, that in the past few years policy and regulatory activism has characterized the action of the EU in the digital domain. This has led to an overwhelming complexity of policies and regulations, which sometimes lack coherence and consistency.

While preserving fundamental rights, protecting consumers and businesses, ensuring contestable markets, and an open democratic society are among the declared goals of much of the policy documents and legislative proposals, there is also the side effect of over-regulation and mismatch between declared objectives and the reality.

The drive to strengthen digital and technological sovereignty in all areas, even when this seems not very realistic (e.g., in the case of electronic chips) or when there is nothing to attribute control to (e.g., because Europe has never had such control, as in the case of online platforms), appears as a new form of “Tech-Gaullism”.[4] It is probably not an exaggeration to recognize in its elements of the thinking of EU Industrial Commissioner Thierry Breton, who was socialized with the Gaullist tradition.

Digital sovereignty and strategic autonomy do not come for free and require strategic policy decisions on the allocation of scarce resources (in particular the availability of investment funds) across a large range of actions. It seems that Brussels-effect euphoria – fueled by international recognition of the General Data Protection Regulation – has convinced EU policymakers that sovereignty and autonomy can be gained by regulating others, which is only half the story. Autonomy and sovereignty require building capacities, driving investment and innovation in the various digital domains. The AI Act, for instance, will regulate high-risk systems and protect individuals, but in itself does not ensure that European AI firms will become more innovative and will increase in number so that Europe will achieve a dominant position. By the way, post-Brexit UK finds itself in a similar dilemma: in line with the Brexit narrative, the UK wants to escape the “chains of EU legislation”, but on the other hand knows that AI needs to be regulated to prevent harm and at the same time wants to become the “best place on earth for the development of AI systems”.

While it is necessary to protect fundamental rights and European values and principles in the digital domain with the new regulations, these regulations are not sufficient to create the necessary industrial capacity and foster innovation. It remains doubtful that DSA and DMA will put Europe in a dominant position against foreign tech giants to create new sources of sovereignty and autonomy for Europe in the data economy. The overarching data strategy, together with the DGA (Data Governance Act) and DA (Data Act), aims to create new data spaces where European citizens can exercise a right over their own data and companies can use this data under certain conditions. This requires incentives for increased data exchange between companies (B2B), between companies and public institutions (B2G) or vice versa (G2B). However, such exchanges will not happen by themselves due to a new regulation, as it rather depends on the structure of incentives, in particular the availability of investment funding and clear business models that have yet to emerge.

One of the side effects of digital political activism at the EU level is the risk that the administrative burden – as seen in the example of the implementation of the GDPR – will increase enormously, especially for SMEs, and that innovations will be stifled,[5] as well as creating more uncertainty due to regulatory inconsistency and lack of coherence.

In conclusion, it seems that digital policy activism may be based on too much reliance on the broad impact of regulation and too little focus on business models, innovation policy, and investment. Regulation is only one part of the required policy measures; the other part is still incomplete. The answer to the question posed in the title of Chapter 3, “The more, the better” has always been controversial.[6] Without doubt, targeted regulation in certain areas, such as AI, is necessary to prevent harm to society and individuals. Overall, based on our analysis and experience, we believe that coherent and clear policies, combined with anticipatory and flexible regulation and the avoidance of prescriptive micro-regulation, should be core elements of a future regulatory policy. It should be remembered that while it is good to have a strong referee on the field, it is not the referee who makes the game, it is the strength of the players and how they work together that matters most to win the game.

6. Acknowledgments

This article could not have been written in its present form without the exchange with experts from the regulatory community and the academic community as well as specialists from the Brown-Bag-Lunch (BBL Group). I am very grateful to all those who contributed to the creation of this article and who inspired my thinking.

=== End ===

7. Explanatory Endnotes

[1] eID is a set of services provided by the European Commission to enable the mutual recognition of national electronic identification schemes (eID) across borders. It allows European citizens to use their national eID’s when accessing online services from other European countries.

[3] Maximilian Mayer and Yen-Chi Lu (2022): Digital Autonomy? Measuring the Global Digital Dependence Structure. Bonn. Center for Advanced Security, Strategic and Integration Studies.

[4] https://en.wikipedia.org/wiki/Gaullism

[6] Ibid., Chapter 1.

[i] Regulatory governance: The question of whether telecommunications regulation could not be institutionally combined with other policy areas to exploit substantive or financial synergies has repeatedly arisen in connection with public governance issues. In the past, there have been various approaches to this, such as the multisector regulator (the German Federal Network Agency BNetzA is a prominent example), or the widely used combination of telecom regulation with (electronic) media regulation. Experience shows that these approaches are outdated and only functional to a limited extent, since there is obviously no common denominator between these sectors due to different regulatory objectives and, moreover, the expected synergy gains could not be realized.

[ii] „Smart” refers to an agile form of organization in which project teams come together to find an adequate solution, depending on the complexity of the problem and whether the path to the solution is known. The “Stacey Matrix” (below) describes this approach in more detail. The opposite of “smart” would be a static, traditional form of organization dealing with the different aspects of ICT policy in vertical silos such as infrastructure, services, applications, etc.

The key point here is that the fast pace of technological development requires agile action and the teams of experts working on these issues are moving between the middle (“Complex”) to the top right (“Chaotic”) of the Stacey Matrix and therefore need to be organized and managed accordingly.

[iii] In a different context (collaborative ecosystems and cloud applications) authors of a recent article claim, “Our research suggests that competition policy, innovation policy, and industrial policy should be seen as complementary, particularly for supporting today’s collaborative ecosystems.”