The Europeans Are Coming

With faith that high-level meetings are reassuring symbols of comity, stability, and good relations, a delegation is coming from Europe on December 5 for the third ministerial meeting of the Trade and Technology Council (TTC). Officials tasked to 10 different working groups will square off with their interagency counterparts in the Biden administration. Transatlantic leaders have foreshadowed a number of positive joint statements that will be released during these meetings, but the most important conversations—on the Inflation Reduction Act (IRA) and on EU digital barriers—will be happening away from the cameras.

A good deal of ink has already been spilled about the European Union’s aggressive trade attack on the IRA. But if the TTC process is to accomplish “policy convergence” that will strengthen the global competitiveness of U.S. and European industry and bolster collective security in the face of the challenge China presents, the parties should engage on the labyrinth of new digital trade restrictions that Brussels has under construction.

With an increasing array of regulations clearly aimed at protecting European companies and impeding the success of U.S. technology champions, it is important that transatlantic leaders discuss these discriminatory proposals and measures at a diplomatic level before they are final. European officials such as Thierry Breton, European commissioner for the internal market, who is attending the third TTC ministerial, have made clear that they are seeking to adopt policies that restrain U.S. digital platforms. In October 2022, French president Emmanuel Macron proudly told the French news outlet BFM Business that he considered himself a protectionist at the European level. The newly created “early alert” mechanism within the TTC should be employed to insist that new EU legislation does not create discriminatory trade barriers that cause harm to U.S. companies and to broader U.S. and European strategic interests.

This commentary highlights priority trade, technology and digital issues where U.S. negotiators should seek positive outcomes with their European counterparts, particularly as the European Union intensifies its bid for digital sovereignty. Although major elements of the European “digital decade” legislative packages have already become law, such as the Digital Markets Act (DMA) and Digital Services Act (DSA), member state agreement on other pathways forward is far from uniform. As CEPA, a transatlantic D.C.-based think tank, points out, “Some countries, most notably France and Germany, aim to see Europe pursue digital sovereignty by limiting data flows and subsidizing European companies. Others, led by the Nordics, see digital sovereignty as promoting European standards and values and reject most infringements on free trade.”

Digital Markets Act Implementation

The Digital Markets Act is landmark legislation finalized in 2022 that will add ex ante restrictions and requirements to the European Union’s existing legal structure for competition regulation, which traditionally has been based on evidence collected in case-by-case investigations.

The DMA has two premises: (1) that current competition policies have not delivered the desired result of reining in the size, scale, and perceived dominant behavior of large U.S. online firms, and (2) that disciplining the business practices of large U.S. tech platforms is necessary for Europe to improve its performance in the digital space and prevent the erosion of competitiveness faced by traditional companies slow at integrating digital technologies. Many policymakers and the business community in the United States view the DMA not only as a direct attack on U.S. companies for being too big and too successful in Europe, but also one that will place sweeping restrictions and data disclosure requirements on U.S. companies without sufficient consideration of security, privacy, and consumer interests. The TTC meeting presents an opportunity to gauge how willing the Biden team is to insist on fair treatment for U.S. companies and transatlantic guardrails around the vision of Europe’s digital sovereignty hawks.

Targeted companies, termed “gatekeepers,” qualify as such if they meet three criteria. First, they must have a “significant impact on the market.” Significant impact refers to the company’s ability to achieve “an annual [European Economic Area] EEA turnover equal to or above EUR 6.5 billion in the last three financial years, or where the average market capitalisation or the equivalent fair market value of the undertaking to which it belongs amounted to at least EUR 65 billion in the last financial year, and it provides a core platform service in at least three Member States.”

A second criterion is that the company must “operate one or more important gateways to customers.” This translates into “more than 45 million monthly active end users established or located in the EU and more than 10,000 yearly active business users established in the EU in the last financial year.” Third, the company must have an “entrenched and durable position in its operations” or it is expected to achieve such a position in the future. This third requirement is fulfilled if the company has met the second criterion in the preceding three fiscal years. This gatekeeper definition would clearly apply to Apple, Google, Meta, Amazon, and likely Microsoft—but seems to exempt large European companies as well as Chinese rivals like Tencent, Alibaba, Baidu, and ByteDance.

Digital Services Act Implementation

A companion bill, the Digital Services Act (DSA), creates new requirements for how tech companies treat content posted by users and businesses on platforms, video-sharing services, social networks, and e-commerce marketplaces. By establishing a new classification of companies called very large online platforms (VLOPs), and giving the European Commission some degree of discretion to determine which companies are subject to these requirements, there is a risk that the law will be deployed to treat similarly situated companies differently based on their size, potentially on a discriminatory basis. VLOPs are subject to more onerous restrictions on targeted advertising. Non-complying companies risk fines that could reach 6 percent of annual sales. Article 25 of the DSA defines VLOPs as platforms with a number of average monthly active recipients of their services in the Union equal to or higher than 45 million. The DMA also creates new data restriction, access, and portability obligations, and introduces interoperability requirements on a small set of U.S. companies. Fines can reach 6 percent of global sales, and offenders of the DSA and DMA could be blocked from mergers and acquisitions or be banned from doing business in Europe entirely.

European Cloud Cybersecurity Requirements

Europe is considering supplementing technical cybersecurity certification requirements with largely unrelated legal requirements to exclude U.S. and other non-European owned cloud and software providers from being able to compete for government cloud contracts and other infrastructure projects. France’s “Trusted Cloud Doctrine” and its cloud cybersecurity certification scheme, known as SecNumCloud, already require that cloud providers cannot be guided by non-EU laws and provide explicitly that any company that is more than 39 percent foreign owned is not eligible for certification to bid. As a result, U.S. companies must partner with, and transfer technology and control to, a local company in order to compete for cloud business with French public sector agencies and commercial entities considered “operators of vital importance.”

The European Commission is now working to finalize similar requirements for the EU-wide Cybersecurity Certification Scheme for Cloud Services (EUCS). Similar to SecNumCloud, under the EUCS as currently written, only companies with their head office and global headquarters in an EU member state and fully owned and controlled by an EU entity would be eligible for competing for these contracts. Sovereignty provisions that discriminate on the basis of ownership violate the European Union’s trade obligations under the World Trade Organization (WTO) Government Procurement Agreement (GPA) and, to the extent applied to the private sector, the General Agreement on Trade in Services (GATS). France’s extant SecNumCloud measure would fall under these same obligations.

U.S. trade representative Katherine Tai has laid out U.S. concerns about EUCS to European Commission executive vice president Valdis Dombrovskis. Seven member states have also written to the commission to raise possible conflicts in law between the General Data Protection Regulation (GDPR) and non-personal data restrictions contemplated in the draft Data Act. Transatlantic leaders should tackle the development of internationally recognized cybersecurity standards and controls—and avoid discriminatory requirements that have the impact of making consumers and businesses in the European Union less secure—before the United States is compelled to challenge EUCS and SecNumCloud at the WTO for violating Europe’s GATS and GPA obligations.

Data Act

Introduced in February 2022, the Data Act borrows the discriminatory classification of “gatekeepers” designated under the DMA and states that users would not be able to utilize a new portability right established by the Data Act to transfer their data to such gatekeepers. Preventing users from migrating their data to certain providers runs counter to European consumer interests, including the public interest of allowing users to benefit from higher privacy, security, quality, and performance standards. The Data Act also creates new de facto restrictions for non-EU cloud service providers on the storage and transfer of non-personal data to third countries, which could pose serious problems for the recently agreed upon Data Privacy Framework to replace the Privacy Shield. In other words, the new framework, once finalized, could be used by companies to facilitate the transfer of personal data—but the Data Act would then restrict the transfer of any non-personal data held by the company, representing a substantial expansion in coverage of EU regulation over technology firms.

Another troubling aspect of the Data Act is a requirement that cloud service providers be held responsible for “functional equivalence” with a competitor’s offering. Under functional equivalence, a cloud provider would be required to facilitate the process of customers seeking to switch to another provider by ensuring interoperability between the features of the cloud provider’s service and those of its competitor. Because operators’ features differ significantly from one another, functional equivalence requirements would seemingly place an onerous burden on cloud providers and other economic operators. This system would force cloud providers and other economic operators to give a competing provider access to huge quantities of data, including sensitive know-how and possible trade secrets.

This “one size fits all” approach has been criticized by members of European Parliament. In October 2022, Adam Bielan, EU rapporteur of the internal market and consumer protection committee, opposed this “lock-in” effect and argued for exit strategies for customers and waivers for providers that operate on a testing basis. In November 2022, the EU Council extended the notice period for service transition from 30 days to two months.

The EU AI Act

The Regulation on Artificial Intelligence (the EU AI Act) regulates the use and the development of AI within the European market. The EU AI Act represents a first-mover attempt at horizontal regulation of AI, a regulatory method that the European Union aims to export via the so-called Brussels effect, whereby the EU promulgation of far-reaching digital policy is then exported abroad and adopted elsewhere. The EU AI Act builds on the model of earlier EU legislation, such as the GDPR, which similarly sought to achieve first-mover advantage for the bloc. The EU AI Act generally takes a risk-based approach to regulating AI, which the EU AI Act rapporteur has described as a pyramid. Under this framework, there would be a tiered system whereby activities determined to have “unacceptable” levels of risk, such as government-run social scoring, would be banned. High-risk activities would be subject to scrutiny and regulation, whereas lower risk applications of AI would be left largely unregulated.

One of the debates in the parliamentary process has centered around the definition of AI. In its initial legislative proposal, the European Commission offered a very broad definition of AI. Two major camps have emerged in this debate. One side supports a broader definition of AI that emphasizes the European Union’s precautionary approach to digital regulation. The other side prefers a narrower definition that would better enable innovation and private sector growth. Both sides recognize the need for the ultimate EU definition of AI to conform as closely as possible to definitions being developed in international organizations such as the Organization for Economic Cooperation and Development (OECD).

Other debates in the EU AI Act include identifying prohibited practices and establishing rules for conformity assessment. As it currently stands, conformity assessments rely on self-assessments, a regulatory process that is more supportive of innovation. On the other side, some in the European Parliament are pushing for third-party assessments to enhance transparency and accountability. Within the TTC framework, the European Union and United States should work to establish common definitions of key terms in order to facilitate deeper future cooperation. These include explainability, trust, AI, and general purpose AI (GPAI). A lack of common definitions restrains progress on the scope of standards and regulations for AI. Furthermore, in an environment of heightened geostrategic competition with China, the European Union and United States need to engage and align within standards bodies on AI, including—but not limited to—the OECD.

Conclusion

The list above only details some of the new EU tech regulations that are heading the United States’ way. Economists have estimated that EU tech regulations could cost U.S. companies at least $97 billion, including $45 billion borne by small and medium enterprises.

With the electorate in Europe and the United States impatient and volatile about their governments’ inability to control inflation, secure access to energy supplies and institute more effective policies to protect the environment, it is important to recognize that now might not be the best time to stifle innovation and consumer-oriented products without fully working through the economic and security consequences of new digital regulation. Imposing overbroad restrictions on U.S. enterprises that are successful in Europe risks reducing margins and impeding the ability of firms on both sides of the Atlantic to invest in the next generation of innovative technologies. With prices rising and temperatures falling this winter, rushing ahead and refusing to drive a more strategic transatlantic approach regarding this tsunami of EU tech regulation will undermine the success of the TTC.

Meredith Broadbent is a senior adviser (non-resident) with the Scholl Chair in International Business at the Center for Strategic and International Studies in Washington, DC.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.
