[Event Report] The Debate on "Digital Sovereignty" in Europe and the Future of Platform Regulation Seminar: "Considering the Nature of 'Digital Sovereignty' via Contact Tracing Apps" (held on March 3, 2022)

2023.02.22

The "Platform and the '2040 Problem'" Project is positioned as one constituent of KGRI's "2040 Independence & Self-respect Project," and the public seminar "Considering the Nature of 'Digital Sovereignty' via Contact Tracing Apps," held on March 3, 2022, served as one link in the chain for this initiative.

The contact tracing app for COVID-19 (coronavirus disease) infections used in Japan (COVID-19 Contact-Confirming Application; COCOA) was developed using Google and Apple APIs (Application Programming Interfaces). Meanwhile, in France, the government rejected the use of mega-platform APIs, instead opting to develop its own contact tracing app. "Digital sovereignty," which is now strongly advocated in the EU member states, was one factor underlying France's choice of course.

But just what is "digital sovereignty"? To get a better hold on this new concept, we invited two of the researchers leading the debate in France, Pauline Türk and Audrey Bachert-Peretti, to report. KGRI Deputy Director Tatsuhiko Yamamoto laid out the issues involved, which led into a discussion involving Masahiro Sogabe, an expert on constitutional and data legislation in Japan and France. What follows is a roundup of this debate on the challenges around contact tracing apps, taking in the rationale for the emphasis on "digital sovereignty" in France and the EU, and the guarantees around privacy rights in Japan.


<Keynote Speeches>


Pauline Türk
Professor of Public Law, Université Côte d'Azur.
Author of a number of books and articles, especially "The permanent parliamentary commissions and renewal of the Parliament under Vth Republic" (Dalloz, 2005), which was awarded by the Senate as the best thesis in 2004, and "The Digital Sovereignty" (Mare & Martin, 2017). Her major areas of expertise include Constitutional Law, Parliamentary Law and Information Law.



Audrey Bachert-Peretti
Associate Professor, Université de Lorraine
With depth and comparative insight on the separation of powers between the Parliament and the Justice in France and the Common Law countries, her thesis was awarded as the best thesis 2020 by the Association France-Amériques. She also contributes to the evolution of protection of privacy in the French constitutional jurisprudence.


<Overview of Event Purpose>

Tatsuhiko Yamamoto
Professor, Keio University Law School/KGRI Deputy Director
Publications include "Considering Privacy Rights" (Shinzansha, 2017), "AI and the Constitution" (Nikkei Publishing, 2018), and "How to Engage with the Digital Realm: The Pursuit of Information Health" (co-author, Nikkei Premier Series, 2022). A leading figure on the constitutional right to privacy in Japan, he also contributes to legal policy and practice.


<Overall Discussion>

Commentator:
Masahiro Sogabe
Professor, Kyoto University Graduate School of Law
Author and editor of a number of books, including "The Right of Reply and Freedom of Expression" (Yuhikaku, 2013), "Information Law: an Introduction" (2nd Edition, Koubundou, 2019), and "Commentary for Personal Information Protection Law" (Keisoshobo, 2021). An expert on Japanese and French constitutional law and information law. A Chairperson of the Human Rights Committee of the Broadcasting Ethics and Program Improvement Organization (BPO) and a co-chairperson of the Social Media Association of Japan (SMAJ), he is a leading person both inside and outside of the academic community.


Coordinating Moderator:
Haluna Kawashima
KGRI Project Associate Professor, Main coordinator and a sub-leader of the KGRI Research Project Keio 2040
Her interests include public health law and human rights law. Her publications in English include, for example, "Legal and Philosophical reflection on traditional medicine and patient's right to personal liberty" (Journal international de bioéthique et d'éthique des sciences, 32(3), 2021).


HALUNA KAWASHIMA: KGRI previously invited Professor Pauline Türk to hold an in-class seminar for the Z Holdings endowed course on "The Platform Economy and Sustainable Society" in December 2021, as we turned our attention to the concept of "digital sovereignty" being advocated in France and the EU. We are now pleased to have Professor Türk and Associate Professor Bachert-Peretti joining us online to discuss the concept of digital sovereignty, with COVID-19 contact tracing apps orienting our discussions.

First, I invite KGRI Deputy Director Tatsuhiko Yamamoto to give an overview of the purpose of today's event, and report on the issues around contact tracing apps in the Japanese context.

Overview of Event Purpose: Tatsuhiko Yamamoto "Legal issues of the contact tracing app 'COCOA': The Perspective of Japanese Constitutional Law"


TATSUHIKO YAMAMOTO: To begin, I would like to offer an evaluation from the perspective of privacy rights of the smartphone contact tracing app COCOA (COVID-19 Contact-Confirming Application) developed by the Japanese Ministry of Health, Labour and Welfare.

The first point for evaluation is the emphasis on the self-determination of users, including the fact that the app stops short of collecting location information, and only encourages voluntary behavior modifications. While the usage purpose of the app is clearly determined and spelled out, from the perspective of privacy rights, the adoption of a tool of this nature was an important political decision in the fight to control infectious diseases and infections and necessitated legislation to be passed in the Diet.

To the extent that personal data will be handled, this will involve risks in the event of usages for purposes other than those specified or of data leaks. The government strongly endorsed use of the app; however, one would speculate that this should also have been an issue which was actively debated and given democratic legitimacy in the Diet.

In addition, the "COCOA" framework utilized Apple and Google's contact notification APIs, with the fact that the measures to combat infectious disease and infections were deployed in collaboration between the platforms and the national government. This compromises national sovereignty in so much as it represents containment by means of a buffering of the surveillance state apparatus. On the other hand, it also behooves us to scrutinize the violation of sovereignty represented by platforms being given priority over democratic decisions of parliament.

The question then arises as to what form the relationship between the state and platforms should take going forward. I personally believe that there should be a given level of cooperative governance facilitated by an appropriate degree of tension between the platforms and the state. I would speculate that we must rethink the positioning of the platformers, which are enormously influential on a global scale, and contrive a relationship which more closely resembles those found in international diplomacy over a relationship between the regulators and those subject to regulation in domestic legislation.

To date, the Constitution has framed other sovereign nations as equal partners in diplomacy. However, I believe that in the future it will be required to further mobilize democratic checks and balances by means of negotiating agreements, similar to treaties or concordat, which include the platforms.

Keynote Speech 1: Pauline Türk "Sanitary crisis management using digital tools in France and digital sovereignty: Government, Parliament, the Courts and the Platforms"


KAWASHIMA: Next, Professor Türk from the Faculty of Law at Université Côte d'Azur, who has authored publications on digital sovereignty and is a leader of discussions in this field in Europe, will give a talk on the development of contact tracing apps in France, and the theory of digital sovereignty behind this development.

TÜRK: Today I will report on how digital sovereignty is perceived in France and the European Union, taking public health policy during the COVID-19 pandemic as an example.

There has been lively discussion around the issue of digital sovereignty since France's decision to introduce the Health Data Hub, a platform for medical data, in 2019. So how should we implement effective public health policies while ensuring that individual liberties are maintained in the use of personal data? This, the "ultimate question," came to the forefront with the adoption of digital tools and issues around public health policy during the COVID-19 pandemic.

The Health Data Hub is a digital platform to collate, analyze, and store healthcare data from throughout France. It was developed on the premise that the collected data would be used for medical and research purposes. The French government signed a contract with Microsoft Corporation in the United States and had planned to operate the system using the Microsoft Azure cloud service. The issue which this brought into focus was that, even though the data itself would be stored on servers in the EU region, the management of the data of French citizens would be in the hands of an American corporation. The supreme administrative court, the Conseil d'État, while accepting that the management of this digital platform was in itself legal, and considering the urgency of the health crisis, would issue a ruling which decreed that the contract be shored up to enhance security. The concerns of the French judge regarding the risk of data leakage to the United States increased after the invalidation by the European Court of Justice of the "Privacy Shield" supposed to protect European citizens (CE, n° 440916, 16/06/2020 Health data hub; CJUE 16/07/2020 Maximillian Schrems, C-311-18; CE n° 444937, 03/10/2020).

In addition to this example, the COVID-19 pandemic also oriented lively debates on digital sovereignty with regards to the contact tracing app TousAntiCovid and the digital platforms used for reserving vaccination slots.
When Apple and Google proposed a turnkey solution to states, called "exposure notification", France refused it and chose a more "sovereign" technical solution, although potentially slower to implement. National public and private actors have been mobilized. Finally, the data are stored in France, and the protection mechanism applies, such as the control of the National commission for information technologies and liberties (CNIL), even if American operators are ultimately involved in some aspects of the application. This was about the contact tracing app.

Also, concerning the management of the appointment booking for the vaccination campaign, the same concern arose, with regard to the control of data provided by a European company (Doctolib), which relied on the technical solutions of the American giant Amazon (AWS/Amazon Web Services). It gave rise to additional legal actions to protect personal data and digital sovereignty (CE, n° 450163, 12/03/2021 Interhop).

These positions can be attributed to the national character of the French people, which places extreme importance on individual freedoms, as well as their consciousness of personal rights. Efforts were accordingly made to respect individual freedoms, even if this should result in compromises with regard to public health and economic efficiency. How then should individual freedoms be protected in digital domains? It would give me great pleasure to begin discussions taking in the Japanese case studies.

Keynote Speech 2: Audrey Bachert-Peretti "Sanitary crisis management using digital tools in France and digital sovereignty: Government, Parliament, the Courts and the Platforms"


KAWASHIMA: Next, Associate Professor Bachert-Peretti of the Faculty of Law at l'Université de Lorraine will deliver a report on how the issues of digital sovereignty and privacy have been handled in decisions of the Conseil Constitutionnel, which is responsible for constitutional reviews of statutory laws in France.
(The following is a summary of the content of the lecture)

AUDREY BACHERT-PERETTI: I would now like to raise the issue of appropriate protections for personal data in the network space under the French Constitution.

Since the year 2000, the Conseil Constitutionnel has instituted the "right to information privacy" by means of a number of rulings in the context of the ongoing digital transformation (DX) of society. Moreover, they have ruled that the protection of personal data is linked to the "right to respect of private life". This is not really how the Conseil Constitutionnel understands the right to privacy: the right to personal autonomy is protected through the notion of "personal liberty" and the "right to respect for privacy" is only related to the protection against the collection and divulgation of personal information, against home search and against the interception of private correspondence. The protection of personal data is linked to this right to respect for privacy, as a new component of it, as recognized by the French Constitution. However, a closer look at the rulings reveals that this protection is limited and cannot in its current form be deemed sufficient.

There are two main reasons for this. First, the Conseil Constitutionnel has a highly constrained definition of what constitutes a personal data breach. The Conseil Constitutionnel does not consider any form of collation of information as representing a breach of the rights and freedoms of citizens, nor recognize a case as constituting an infringement other than when the data can be linked back to individuals or specifically includes individual names. However, if we take into account the advances in contemporary data processing technology, any information has the potential to become personally identifiable data.

The second point is that the Conseil Constitutionnel holds that voluntary provision of personal information by users will preclude it from constituting a violation of their rights. Insofar as there is a power imbalance between those gathering data and the users, as remains the case with these huge platforms, there is surely a need to reconsider the efficacy of the consent provided regarding the provision of data. Furthermore, the imbalance also exists between the government which can and does collect data and citizens who can be forced to provide them.

The ongoing COVID-19 pandemic in particular has highlighted the limitations of the Conseil Constitutionnel's checks on digital tools. One of the reasons for this is that the government has taken the approach of "bypassing the Conseil Constitutionnel" by adopting the use of contact tracing apps by means of a decree rather than by putting it into law. As a result, the Conseil Constitutionnel has not had the opportunity to conduct a review owing to the nature of its authority to make judgements solely on the constitutional compliance of legislative/statutory provisions.

The Conseil Constitutionnel's stance on the protection of personal data is at odds with the independent agency in charge of protecting personal data in France, the CNIL (La Commission Nationale de l'Informatique et des Libertés) which strongly condemned the potential transfer of data from Health Data Hub to the United States by Microsoft Corporation. Despite the fact that the Conseil Constitutionnel is a key player in guaranteeing the right to data privacy, it can be assumed that it is not fit for purpose when it comes to its role in the protections of digital sovereignty.

Discussion: Issues in the realm of digital sovereignty and privacy protection


KAWASHIMA: I would now like to start our discussions. First, I would like to invite Professor Masahiro Sogabe of the Kyoto University Graduate School of Law, a leading specialist of Constitutional law and Information law as well as French law, to comment.

MASAHIRO SOGABE: I would like to make two major points: first, again, what is digital sovereignty? The idea of sovereignty originated in France, where the term was used as a concept to refer to independence from the Pope and the supremacy of the monarch within a country. It is a polysemous concept in that it is used in the form of "national sovereignty," "digital sovereignty," and so on.

Of these, the one raised in today's presentation is the independence of the state from platform companies. How to strike a balance between privacy and public health is a sovereign decision, an issue that should be decided democratically by each country. However, in the contact verification application API, that balance is determined by the platform, creating a problem in which the state cannot intervene. However, there are advantages to using the technology of these companies in terms of technology level and cost. So the question is how to reconcile the issue of digital sovereignty with the reality that platforms hold hegemony.

Apart from this, there is another way to view digital sovereignty as independence from other countries, not allowing other countries to intervene in the data of the people. On this basis, I felt it necessary to distinguish when expressing the phrase "not allowing other countries to intervene in the data of the people," whether it is a matter of sovereignty, in which the state does not allow other countries to intervene, or a matter of privacy, in which the privacy of individual citizens is being violated by other countries.

The second point is about privacy protection. In building an architecture for protection, it is necessary to discuss the perspectives of democracy and professional rationality, the legal formalism of whether it should be regulated by law, and the process of what actors should be involved and how they should be involved.

Regarding legal formalism, what criteria were applied to the fact that no statute was passed when the contact verification app was introduced in France, and it was developed later?

With regard to the process issues of the introduction of the app, what criteria were applied to the introduction of the app by the Parliament, the CNIL, the ANSSI (Agence nationale de la sécurité des systèmes d'information) from the security aspect, the CNUM (Conservatoire Numérique des Arts et Métiers), and many other actors were involved, but who decided on this arrangement? I would also like to ask if it is possible to streamline the involvement process by, for example, entrusting it to the CNIL.

TÜRK: I would like to comment on three points.

First, a few words on the democratic legitimacy of the apps. In France, the president and the government are responsible for making decisions and, in the normal course of matters, the French parliament will attempt to control the course of these decisions. On March 22, 2020, a law relating to the declaration of a health emergency was enacted by the French parliament and emergency provisions authorized. Then, after a consultative debate in parliament (May 27), it was decided, by means of a May 29 presidential decree, to introduce the use of an app ("TousAntiCovid"). However, despite a parliamentary debate on the issue, at no point was the decision made to formalize the adoption of the app into law. In other words, the endorsement of parliament legitimized the government's introduction of the app by means of a resolution amounting to little more than an expression of their opinions.

Second is a comment on the number of principals involved in the implementation process for the app. In addition to government services and agencies (ANSSI for instance), France has created several independent commissions or authorities to organize, regulate and encourage good practice (ARCOM, CNIL, ARCEP). They contribute to the protection of rights, and their legitimacy comes from their expertise and not from the election. But there is also criticism of both the number of these bodies and the decentralizing of authorities and duties which they represent. This is explained by the fact that the executive branch of the government, namely the President and the Council of Ministers, are so powerful that the French parliament is unable to compete with its authority, and independent administrative bodies are tasked with monitoring and controlling this executive branch. Among the actors of control and regulation, the parliament, although elected by the people, does not have the first role.

I also agree with your point that digital sovereignty and personal privacy are two separate issues. While today's discussions around contact tracing apps have focused on the protection of medical data, the concept of digital sovereignty is much broader and has several different aspects. It refers to the ability to self-determine in the digital space, to control one's destiny, individually and collectively, on digital networks.

The fact is protection of personal data, which does not appear, by the way, in the French constitution, is subject to in-depth protection ensured by both the constitutional judge and the European judge. But digital sovereignty is not a concept found in the French constitution or in European treaties. It's not a legal concept, it has no legal basis. That's why individual liberty, a concept emphasized throughout Europe and especially so in France, becomes the basis of cases against digital platforms. But digital sovereignty raises economic, political and strategic questions that go far beyond the sole issue of personal data.

BACHERT: Europe is now moving toward accountability of the "data handlers" for the protection of personal data. Meanwhile, the role of parliament in the adoption of the app was solely to endorse the government's decision to introduce its use, with oversight and control sourced to an external agent. In contrast to this, the CNIL is highly professional and meticulous in the analyses it undertakes with regard to the app technology. This points to the fact that, especially in the digital domain, issues must be scrutinized not just from legal perspectives, but also take into account institutional and technological facets.

KAWASHIMA: Professor Yamamoto, you might have a lot to say on the relationship between digital sovereignty and privacy?

YAMAMOTO: I would venture to say that this is related to the standards around privacy protection in each country. If a state finds itself in possession of an individual's data, the possibility of violations of privacy increases where the systems to protect that data are lacking. In other words, protecting digital sovereignty and the issue of privacy protection are not necessarily on an equal footing. On top of this, the high level of trust in the state which characterizes France has led to considerable overlaps between digital sovereignty and privacy protection. Meanwhile in Japan, I believe that it is imperative that we carefully assess the Committee on the Protection of Personal Information including scrutinizing its technical standards and credibility.

SOGABE: Even if the way to engage with the platform will vary depending on the circumstances of each country, I do not think it is very realistic for each country and the platform to negotiate on a one-to-one basis. There may be a way to discuss this in a multilateral framework, like the G7, for example.

TÜRK: Certainly, I agree that it is a good idea to discuss digital sovereignty in the form of multilateral negotiations. Even the organisation of the first world summits for the information society (SMSI) did not convince. However, the EU and U.S. are allies. And European countries are anyway obliged to rely on American technology and platform companies. We have many common goals and interests. Especially in a world where tensions have increased and democracy is under threat. This necessitates considerations from a variety of perspectives. But which countries should be brought around the table? From our point of view, should the United States discuss with the European Union? Or with the countries that make it up?

As I said before, digital sovereignty is a far broader issue than that of data protection, and will ultimately be viewed differently by country, as informed by factors such as their political history or culture. Brazil, Russia and China also have their own conception of what we call digital sovereignty!

Some people still see the state as a threat to their freedoms. For others, on the contrary, the State protects liberties, in the face of foreign powers and of economic powers. French citizens have confidence in the State, as an entity that provides protections for their freedoms and rights. This has its background in history. Political power was built in the face of religious power and fought to assert its exclusive authority. Then it became, after the French revolution, the guarantor of the sovereignty of the people and the protector of citizens' rights under the law. It explains the high sensitivity around the issue of another authority, such as the platformers, who are neither elected, nor responsible, nor inspired by the public interest, mediating in such matters.

YAMAMOTO: The relationship with platforms from overseas is an issue with which every country must deal. On top of this, I am concerned about the lack of transparency in negotiations between the platforms and the states, with Big Tech lobbying expenses reported to be at record levels. One suggestion would be to view these platforms as international entities invested with powers similar to those of nation states, and to increase their transparency by means of democratic controls. I felt that this could be one of the themes from the constitutional perspective.

BACHERT: We need to think more about the relationship between digital sovereignty and privacy. Another matter will be the question of how the role of expert organizations such as the CNIL should be positioned within this system. There will be an ongoing need to give this our attention.

KAWASHIMA: KGRI is hoping to continue its research on the issue of digital sovereignty. I would be delighted to have more chances to explore this in further depth with you. Thank you for your time today.

This symposium was held online with simultaneous interpretation on March 3, 2022.
※Affiliations and positions listed are those at the time of the event.