View from Pakistan | Rise of Digital Sovereignty

This move by some countries poses a threat to inclusive global technological development

Usama NizamaniAfeera Firdous Usama Nizamani and Afeera Firdous

The term digital sovereignty, which interchangeably is also known as ‘internet sovereignty’ or ‘cyber sovereignty’, is starting to establish a strong foothold globally in the national politics, economics, and technological landscape.

Countries are beginning to exert influence over the internet as a sovereign issue, treating it similar to a territorial issue, with legislation, development of networks, localisation of data centres, decoupling of technology with other countries, regulation of content, and penalisation of cyber activities. The move to digital sovereignty, with almost disruptive pace, is displacing the previous cyber order. If unmitigated without inclusive, consensus-based norms and participatory development, a precarious and fragmented digital landscape awaits the world.


Early Preachers and Practitioners

The concept of digital sovereignty, Yuxi Wei, a scholar on cyber-security, notes, was first floated by China in a white paper titled The Internet in China in 2010. In 2011, it was once again mentioned, in the Code of Conduct submitted by the Shanghai Cooperation Organization (SCO) to the United Nations, and later in 2015. The Chinese President, Xi Jinping, in 2014 at the sixth summit of BRICS in Brazil, once again invoked the need for ‘cyber sovereignty’ as the internet posed a challenge to national sovereignty. China follows a two-tier outlook on internet-governance; one part of this governance relates to the regulation of the internet and network development in China, the second part relates to its global vision of the internet.

The governance of internet in China is carried out under overarching tenet of cyber-sovereignty, comprising seven integral principles: information sovereignty, key-information infrastructure protection, intercommunication between systems, independent choice of network development paths and network management model, independent internet public policies and legislation of information content management, non-interference in internal affairs through the internet, and discouraging use of cyber-attacks against other states.

At the global level, China aspires to become a ‘cyber power’ with a four-pronged strategy: denial of cyber hegemony to one country or a bloc; development of global network infrastructure across different regions to reduce the digital divide; promoting intercommunication between such network; and equal participation in the governance of international cyberspace.

China has also in line with the principle on cyber sovereignty, denied space to US-based internet-tech companies such as Google, Facebook, and WhatsApp from operating platforms in the country. While China calls for democratic participation in the global governance of the internet, it has not participated in multilateral forums, such as Internet Governance Forum. Similarly, western countries have not reciprocated to senior representation of multilateral initiatives launched by China, such as World Internet Conference, which is held annually in China. Russia, another country and founding member of SCO, has been taken on as early pioneer and practitioner of the concept.

Russia introduced a new law in 2019 to monitor the routes of the internet traffic, allowing state regulators to monitor and block content. The new system empowers the government to create a backup of local IP addresses, limit the flow of internet traffic through state-registered traffic exchange points, and cross-border data transfer can only be undertaken by licensed operators. The rationale cited for creating a register of IP addresses is to protect against subversive attacks against the internet in Russia and to develop an independent network of the internet. Critics, on the other hand, term it as ‘internet sovereignty’ law and argue it will grant powers to enforce censorship and enable surveillance by state. However, resort to digital sovereignty, due to its flexible scope of utility, has found resonance with other states also.


The New Converts

In recent years, a variety of technologies including 5G, Artificial Intelligence (AI), cloud computing, and Internet of Things (IoT) have become part of a country’s strategic assets. The challenge, however, for policymakers is to find the right balance between control and privacy rights. With the greater dependence on internet and information technologies, in post-Covid-19 world, and growing means of exploitation through these technologies, more countries and regions are adopting the concept of digital sovereignty such as the US, European Union (EU) and India.

The US has started to focus, more and more, on technological decoupling policies from China, digital decoupling is one component of it. With this strategy to maintain its digital sovereignty, the US is straining already stressed ties with China. Earlier this month, the US President Trump issued an executive order to ban Chinese social media apps, TikTok and WeChat, across the US in 45 days if both apps are not sold by their parent companies. The decision, if implemented successfully, will bear both immediate and long-term implications not only for companies, consumers, and the US-China relations but it will be a precedent for the future of the internet.

On 5 August 2020, the Trump administration also launched a comprehensive programme to ‘protect America’s critical telecommunications and technology infrastructure, safeguard citizens’ privacy and companies’ sensitive data from maligning actors such as China’. This programme is named Clean Network Programme and has five-pronged lines of action such as:

  • Clear Carrier to guarantee that Chinese carriers are not coupled with the US telecommunications networks;
  • Clear Store to take untrusted Chinese apps off from the US mobile app stores;
  • Clean Apps to stop Chinese smartphone manufacturers from pre-installing apps on their app stores, especially targeting Huawei app store;
  • Clean Cloud to prevent US citizens’ and businesses’ data from being stored and processed on adversaries’ cloud-based systems; and
  • Clean Cable to safeguard undersea cables from subversion.

In early 2020, Huawei, a Chinese telecommunication company, outstripped Apple and Samsung, by becoming the largest mobile phone vendor globally. Earlier, the US government started a campaign against Huawei and politically pressurised to ban the company from 5G networks. In July 2020, the UK banned Huawei from its 5G networks, citing its 5G equipment as national security risk, but decided to remove Huawei 5G kit by 2027. With that effect, the US also has restricted foreign semiconductor companies from selling chips developed or produced by US technology to Huawei, ‘an arm of Chinese surveillance state’ according to the US administration. It is also anticipated that the US government will ban Alibaba’s operations in the US. Since 2004, the US, among 30 other states, is part of a group of governmental experts (GGE) on developments in the field of information and communication technology (ICT) in the context of international security in First Committee of the UN General Assembly and has been preaching Free and Open Internet. But the US government is adopting, in practice, the Chinese stance in GGE discussion focused on ‘cyber sovereignty’.


According to Andrea Renda, a senior fellow at the Centre for European Policy Research (CEPS), above 90 per cent of data in the western world is stored in the US. EU policy-makers are concerned about non-European data services, especially extra-territorial ability given to the US law enforcement agencies under the 2018 US Cloud Act. In efforts to ensure that EU citizens’ data is protected, the European Parliament and Council agreed upon General Data Protection Regulation (GDPR) and replaced it with Data Protection Directive 95/46/ec in 2018. GDPR is the primary European law that regulates the companies to protect EU citizens’ personal data and permits free movement of that data within the EU. In addition to that, European Council adopted the new European Cybersecurity Act in 2018. In the aftermath of Huawei’s debate, the European Commission published an EU toolbox on 5G cybersecurity in 2020, to build a common approach for digital autonomy in the EU. For self-reliant digital transformation, EU shifted its focus on research-based AI and computing projects such as the Next Horizon (Euro 100 billion budget) and the Digital Europe (Euro 9.2 billion budget).

On the regional stage, India is preparing to follow in the footsteps of the US and EU to espouse the concept of digital/ cyber sovereignty. In July 2020, the Indian government has banned 59 Chinese mobile apps including TikTok, WeChat, and Helo. In a press release, Indian government stated that these Chinese apps posed threats to national security and sovereignty. Apart from that, Bloomberg predicted that soon India is going to restrict the operations of Chinese firms such as Huawei and ZTE to deploy their 5G networks in India. These moves might look coherent to recent border face-off between India and China, but India also appears to be embracing practice of digital sovereignty, irrespective of its costs, in South Asia.


Bandwagon and Challenges for Intermediaries

Perhaps the undesired situation may manifest when countries with emerging economies, through coercion or incentives, will have binary or confined options to partner with a larger technological partner: the US, China or the EU. This may result in another technological giant, citing national security, to impose sanctions or de-coupling from a smaller country. Internet-intermediaries and tech companies and suppliers—such as cell phone manufacturers, chip-making companies, applications, cloud service providers, mobile operating systems, telecom companies, and network equipment suppliers—may also be directed to quit business.

Companies relying on consumer data to improve their applications will find it hard to sustain or expand business. Local start-ups relying on foreign ventures may either be taken over or disappear. This will certainly result in untenable costs both for internet intermediaries, tech companies and larger economies engaged in such competition. In a globalised world, customers may also experience this technological divorce first-hand, when people will be unable to connect and communicate internationally, as platforms become operationally incompatible courtesy digital sovereignty. It will also bring about a delay in fast-pacing the improvement and quality experience of fourth industrial revolution technologies that rely on big-data.


What Lies Ahead

If regional blocs and countries cite digital sovereignty for exerting unprecedented influence on technologies, content, and consumer data, then the future for tech-driven connectivity and integration will be bleak. This should not mean that consumer privacy, data protection and accountability of power should be discounted. It also doesn’t imply, for reluctance or overlapping interests of stakeholders, internet intermediaries and tech companies not be held to account for questionable or ambiguous practices. It rather calls for broad-based and thematic-driven engagement on data-protection and norms: checks on access to data of foreign consumers by states from internet intermediaries and tech companies, the autonomy of internet intermediaries to not exchange data of consumers outside of territorial jurisdiction or non-citizens, bilateral exchanges (between states and tech companies) under multilateral arrangements for exchange of data on cases of national security and trans-national crimes, the prohibition of mass or profiled targeting of individuals for intellectual theft, profiling, or intelligence collection through applications, phishing scams, and myriad malware.

In the larger milieu, the prospect of a tech-war between the US and China may not bode well for countries aspiring for tech-driven prosperity. Especially, countries lacking technological base are likely to rely on Silicon Valley, Chinese tech firms, or venture capitalists from two countries to establish their technological base. Some may be compelled to look towards European firms, but with the strings attached on aligning their data protection policies and practices with EU’s model. And if anti-trust regulation on tech companies such as Facebook and Google is tightened by Europe, the scope and size for partnership with developing economies may also be affected.

Other relatively technologically-advanced countries aligned to either the US or China may fall in line with either side or attempt to exert some degree of autonomy. A fragmented and separated internet, confined along national or regional borders, can be avoided; if countries and multilateral institutions demonstrate will to develop actionable, pragmatic and compatible norms.

(Usama Nizamani is a consultant at Islamabad Policy Research Institute. Afeera Firdous is a Research Assistant at the Centre for International and Strategic Studies. The views are their own and do not represent their respective institutions’ positions)


Call us