In protecting Europe’s data, can EU regulation keep up with Chinese tech?

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

The European Union hopes Joseph Biden’s incoming administration will clarify the U.S. position on digital taxation within two months of taking office, a French Finance Ministry source said on Monday (30 November).

The EU is considering going ahead with a bloc-wide tax on digital services offered by companies such as Google and Amazon if a global deal to rewrite rules for cross-border taxation is not reached by mid 2021. [Shutterstock]

Europe’s strategic autonomy and its ability to protect its citizens’ data privacy could depend on whether the Digital Services Act can keep up with China’s influence over the technologies that shape our daily lives, writes Nicolas Tenzer.

Nicolas Tenzer is the chairman of the Paris-based Centre for Study and Research for Political Decision (CERAP).

As the European Union prepares a Digital Services Act that will strengthen its regulatory regime governing digital technology companies, as well as data protections like the 2018 General Data Protection Regulation (GDPR), it will have to contend not only with the American players like Google, Apple, Facebook, and Amazon, but also with Chinese companies who are rapidly cornering wide swathes of the tech sector.

Against the backdrop of Xi Jinping’s €1.2 trillion push to build a world-leading tech industry by 2025, both Europe’s strategic autonomy and its ability to protect its citizens’ data privacy could depend on whether the Digital Services Act can keep up with the People’s Republic of China (PRC)’s growing influence over the technologies that shape our daily lives.

Unfortunately, none of the EU’s national data protection authorities – be it Germany’s BfDI, Spain’s AGPD, or Ireland’s Data Protection Commissioner – are publicly voicing this fact.

Instead, whereas US companies like Google deservedly receive substantial fines or otherwise face enforcement action for violating European data regulations, Chinese companies have mostly managed to evade these regulators’ attention. The spectres of potential American monopolies have become the trees hiding the forest.

Chinese legal obligations incompatible with European security

The lack of attention to China is all the more startling given that, under the laws of the PRC, network operators are obliged to cooperate with Beijing’s “public security organs and national security organs” and the PRC’s notoriously expansive view of “national security.”

Such laws already permit surreptitious government “penetration tests” targeting any network in China. It is not difficult to imagine how they could facilitate Chinese espionage, or the Chinese security services’ running campaign of data theft from targets abroad.

Companies beholden to these laws already dominate the European equipment space, from telecommunications giant Huawei – whose lobbying campaigns in the European capitals have been relentless – to Shenzhen Da-Jiang Innovations (DJI), the world leader in commercial drones with 70% of global market share.

Other Chinese digital titans, including Alibaba and subsidiary Alipay but also TikTok, WeChat, and Tencent, are similarly looking to break into European markets.

European intelligence services recognise at least some of the dangers. As Bruno Kahl of Germany’s Federal Intelligence Service (BND) stated frankly last year in reference to Huawei: “The trust in a state company that has a very high level of dependence on the Communist Party and the country’s intelligence apparatus is not present.”

One year on, the German government is drafting IT security legislation that will exclude Huawei from its 5G network in practice, if not in writing – belatedly accepting the warnings from its own intelligence services only after “brutal” American pressure.

With focus on telecoms, drones fly under the radar

Many of the critiques made by Kahl against Huawei could also be applied to DJI. As detailed by the Heritage Foundation, DJI’s potential cooperation with the Chinese government is hardly an open question.

Instead, DJI is an active participant in the crimes against humanity being perpetrated against the Uighur population in Xinjiang, providing drones to the PRC’s police and paramilitary forces in that region through a strategic cooperation agreement for “stability maintenance.”

The same report explains how concerns over “backdoors” in Huawei’s networks should also apply to DJI. Multiple cybersecurity firms have uncovered security flaws in DJI software, including the collection of sensitive data but also the unauthorised and unsecured transfer of data to servers in China – where it is accessible to the Chinese state.

Even before these findings, federal government agencies in the United States grounded their DJI drones and now mandate the use of models from trustworthy American and European companies. The Australian government is also considering the potential dangers represented by malicious use of drones, amidst rising geopolitical tensions with China.

In Europe, DJI’s ability to undercut its competitors on price instead seems to outweigh security risks – not only for consumers but for military and police forces as well. The inaction on the part of data regulators like the BfDI and the AGPD, even after concrete violations of Europeans’ data privacy have been exposed, stands in stark contrast to their muscular handling of American tech companies like Google.

Europe’s structural disadvantages

Of course, the largest Chinese companies invest heavily on formal compliance with European data protection regulations, but given the nature of the PRC and the control it exerts over companies located in China, how can this pro forma adherence provide real reassurance?

Would Europeans ever be able to obtain recourse from Chinese firms if their data is compromised, especially if the Chinese state is involved? For the European Union to be consistent in asserting its digital sovereignty, it must take a harder line on this and other issues with Beijing.

In addition to data protections, there is also the matter of reciprocity and its role in distorting competition. Whereas China has forbidden access to its market to the likes of Google, Facebook, and Twitter, Chinese firms have been able to rise to global prominence free from outside competition, further aided by the pressure applied on European firms forced to “hand over technology” to local partners in order to operate in the Chinese market.

These existing handicaps make a common European approach to the challenges presented by digital technologies essential. There is simply no way for the EU to establish strategic autonomy in new technologies while security imperatives remain cantoned at the level of each member state, and where European companies looking to compete globally do not have a united EU behind them.

Will Europe wake up to the dangers?

It does appear several European governments, including Germany but also Sweden, France, and the United Kingdom, are belatedly waking up to the realities of dealing with the PRC, and not just on 5G.

Beijing’s repression of the democracy movement in Hong Kong, its obfuscation and subsequent weaponization of misinformation during the COVID-19 crisis, and its persecution of the Uighurs have all forced shifts in European thinking.

The EU-China Summit in June was also a turning point, with EU leaders Ursula von der Leyen and Charles Michel calling out China’s attacks on European cybersecurity – and other abuses – by name.

This awakening must extend to Chinese corporate actors as well. The threats to Europe impact not only competition – where Chinese firms may attain unassailable dominance over key sectors – but also Europe’s security and safeguards for fundamental freedoms.

Subscribe to our newsletters

Subscribe