Germany advocates regaining “digital sovereignty”

Published: 12 November 2020 Author: Stefan Talmon

In terms of information and communication technology (ICT), Germany, like most other States, is almost completely dependent on foreign providers. Most hardware and software critical to Germany’s digital infrastructure is developed and produced abroad. German corporate and government data are stored on cloud resources located abroad or owned and controlled by foreign corporations. The cloud platform industry is largely dominated by U.S. corporations such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud, or IBM Cloud, which are subject to U.S. law. For example, the 2018 U.S. CLOUD Act requires these companies “to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” This allows U.S. law enforcement authorities access to all the data stored on clouds operated by these companies.

Cloud solutions, however, are becoming increasingly important for networked factories, smart homes, driverless cars, or e-commerce platforms. For example, German car manufacturer Volkswagen is currently in the process of collating the data of all machines, plants, and systems from its 122 factories around the globe in an industry cloud on AWS. At the same time, Volkswagen, together with Microsoft, is building an automotive cloud, in which the data of all its vehicles will be stored and processed in the future. This has raised questions about industrial data security and personal data protection, but also about data access and ownership.

The dependence on foreign ICT and service providers gave rise to calls to regain German and European “digital sovereignty”. On 10 July 2019, Federal Minister for Economic Affairs and Energy Peter Altmaier said:

“Germany has a claim to digital sovereignty. That is why it is important to us that cloud solutions are not just created in the United States.”

At the same time, the Federal Minister of the Interior, Building and Community, Horst Seehofer, told daily Handelsblatt:

“We can only work with providers who adhere to our security standards and thus guarantee our digital sovereignty. […] Digital sovereignty will become increasingly important for Germany and Europe in the future.”

At the Digital Summit in Dortmund in October 2019, Federal Minister Altmaier introduced GAIA-X, a Franco-German government-backed European cloud and data infrastructure project that would lessen dependence on U.S. cloud providers. In preparation for the Summit, Federal Minister Altmaier said:

“Data are becoming the most important raw material of the future. The European economy urgently needs an infrastructure that ensures data sovereignty and broad availability of data whilst providing high security standards.”

This new European data infrastructure was to help countries regain their “digital sovereignty”.

German Chancellor Angela Merkel also weighed in on the topic, urging Europe to seize control of its data from U.S. companies. In the Chancellor’s opinion, Europe should reduce reliance on U.S.-based cloud services run by Amazon, Microsoft and Google. At an employers’ conference in Berlin on 13 November 2019, she stated:

“So many companies have just outsourced all their data to U.S. companies. I am not saying that is bad in and of itself – I just mean that the value-added products that come out of that, with the help of artificial intelligence, will create dependencies that I am not sure are a good thing.”

A fortnight later, she returned to the topic in her opening address to the 14th Internet Governance Forum in Berlin, saying:

“Of course, digital sovereignty is of great importance. However, it may be that across the globe today we mean different things, even when using the same term. In my understanding, digital sovereignty does not mean protectionism or governments prescribing what information may be disseminated – that is, censorship – but rather describes the ability, both as individual, as single person, and as society, to shape the digital transformation in a self-determined way.”

The concepts of “digital sovereignty”, “internet sovereignty” and “cyber sovereignty” are all of relatively recent origin and are sometimes used interchangeably. For example, the term “internet sovereignty” first appeared in a Chinese Government White Paper in June 2010. The term “digital sovereignty” was first used by the German Government in December 2013, when the Federal Minister of Transport and Digital Infrastructure called for Germans and Europeans to “regain their digital sovereignty”. Ten months later, Chancellor Merkel stated, “We have State sovereignty; and one would also like to have digital sovereignty in certain areas.”

Although the term “digital sovereignty” includes the word “sovereignty”, it is not a term of art in international law. In particular, it does not mean independence of any other State in digital matters in the sense of digital self-sufficiency or autarky. Sovereignty has been defined as supreme authority, which is independent of any other authority and, in particular, the authority of any other State. Sovereignty – so understood – is legal independence. There is no question of Germany being legally dependent on foreign private ICT providers or their State of incorporation. Legal questions of access to data, data security, and data protection are simply a consequence of the factual dependence on U.S. companies and their market dominance in the business of storing, processing and analysing data.

Digital sovereignty is about national ICT capabilities and competencies. Thus, in response to a parliamentary question, the Federal Government declared that it was setting up State infrastructures to guarantee Germany’s “digital sovereignty” in the following areas:

  • Establishment of a national research data infrastructure for data from science and research
  • Protection of IT and cyber security within the Federal Government and federal administration
  • Development of a federal cloud (since mid-2017, a federal cloud accessible through special secure networks has been available for use by the federal authorities)
  • Encryption of wired electronic communication, whereby all products are “Made in Germany”
  • Operation of a secure communication network for communication of the public administration

Digital sovereignty is not the same as cyber sovereignty. The latter refers to the extension of territorial sovereignty to cyberspace. It implies the exclusive right of the State to regulate and control the ICT infrastructure as well as data and information flows within its territory and between its territory and the rest of the world. The term “cyber sovereignty” thus has a legal underpinning in the concept of State sovereignty. It has been used to justify internet shutdowns, “Great Firewalls”, censorship, or the exclusion of ICT providers such as Chinese company Huawei from the building of the 5G network in certain countries.

The term “digital sovereignty” is used in political discourse – especially in the context of regaining digital sovereignty – as shorthand for the process of taking back control from U.S. tech giants like Amazon, Google and Microsoft. The idea is not new but, so far, German and European efforts to achieve digital sovereignty have amounted to little.

Category: Political independence

Print Friendly, PDF & Email


  • Stefan Talmon

    Stefan Talmon is Professor of Public Law, Public International Law and European Union Law, and Director at the Institute of Public International Law at the University of Bonn. He is also a Supernumerary Fellow of St. Anne’s College, Oxford, and practices as a Barrister from Twenty Essex, London. He is the editor of GPIL.

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *

I accept that my given data and my IP address is sent to a server in the USA only for the purpose of spam prevention through the Akismet program.More information on Akismet and GDPR.