David Heinemeier Hansson

December 9, 2022

European Digital Sovereignty

All societies ought to strive for digital sovereignty. For the power and dignity of self-determination, according to the norms and laws of their culture. Independently of staying in the good grace of foreign powers. Without digital sovereignty, we cannot claim to be free in the 21st century.

I stake the claim that we in the Nordics, as well as we in the rest of Europe, are indeed not free under this definition of digital sovereignty. Neither in a broad human sense nor in a narrow commercial sense. We are hopelessly dependent on the good grace of foreign powers and corporations to operate the digital realm of our societies and our companies, and we've let our norms, laws, and ability to compete be overturned as a result.

This wasn't always the case. When I started working with the internet in the early 90s, it really did seem like we were going to have a worldwide web that was as diverse as it was distributed. Hell, when I was working in Denmark during the dot-com days, we even had our own search engine with Jubii.dk!

Back then, most companies even operated their own email infrastructure (even if it might have run Microsoft Exchange). And their websites were usually hosted on their own company servers too. At the dawn of the new millennium, the worldwide web was full of worldwide autonomy and independence.

But out of the rubble of the dot-com bust rose the centralization of all essential services. And from that, our present gilded age for digital monopolies. During that period, we slowly ceded our European digital sovereignty in return for American tech convenience and competence.

So what started out as a worldwide web of collaboration became a web of entanglement. We Europeans went from being part of producing the silk to ending up as prey in the net.

Or allow me another imperfect analogy: Europe became a digital colony. A region of 750 million people with few to no major, native tech services. Reduced to a vast pool of data, a captive collection of eyeballs, and potential in-app payment taxes for the great powers of the internet to contest.

This digital colony of Europe has been essential to building some of the most valuable, powerful, and entrenched conglomerates the world has ever seen. Trillion-dollar tech companies that today touch, if not control, all facets of modern life and commerce in our digital age.

What have we gotten in return? If I was glib, I'd say black mirrors and social media combs, but that's of course not the only truth. Software has been eating the world for forty years, I owe my entire career and fortune to its advancement, and we shouldn't give up on a game just because we haven't won the any real prizes for a long time.

But we should change our tactics, if we keep getting pummeled on home court. And that's exactly what's happening in Europe in its current sorry state as a digital colony.

What we're giving up by ceding all this control to American tech monopolies and conglomerates is not only a huge portion of our economy, which is getting funneled out of our region through double-dutch sandwiches, Irish one-percent deals, and subsidiaries in the Cayman Islands, but also our key parts of our humanity.

These transactions aren't just being settled in money but attention and data too. Extracted with the care of a Colorado shale driller. Leaving behind a wake of toxic public conversations, surveillance capitalism, and rapidly declining mental health amongst teenagers in particular.

It's a terrible deal on all possible parameters, and we've barely even begun to realize how badly we've been ripped off. So what's a concerned Nordic supposed to do? And a broader Europe after that?

Let me propose three radical ideas.

#1: Embrace Protectionism

Free trade is a fantasy. Some times it's a useful fantasy, but often it's also just a convenient cover for opening new markets in sectors where your region is strong, and closing them off where it is weak or needs nurture.

Nobody has shown this to better effect than the Chinese when it comes to digital services. China is the only great power with real independence in the digital realm, and they acquired that independence by shamelessly embracing tech protectionism.

Europeans might look at the outcome of that embrace with horror, and rightly so. China has used its digital sovereignty to institute an authoritarian surveillance and censorship state that no freedom-loving person could ever cheer for. But there's no denying its unique effectiveness in establishing an internal order built on Chinese norms and laws, however flawed to our eyes (and objective notions of freedom).

Europe should learn from this. Like we'd learn from any foreign power in a power struggle when trying to decide how to come out ahead in the next round.

The Americans also seem to have few qualms about this. There's an ongoing debate as to whether TikTok should be forced to sell its US operations to a US company or even banned in the country outright. The tariff regime that was introduced under Trump has largely continued under Biden as well. This is not a country that's shy about using its market power to open or close sectors as it sees fit.

And in so many other domains outside of tech, Europe isn't exactly a novice in protectionism either. The European Union revolves much of its activity around agricultural market protectionism. We seem keenly aware that ensuring European food production is strong enough to keep us self-sufficiently fed is a wise policy goal.

But when it comes to the digital domain, we often act as blue-eyed idealists about the myth of totally free markets. This is unwise.

It's also an illustration of willful ignorance. Just like our dangerous dependency on foreign energy. The fact that Europe allowed itself to face emergency energy rationing this winter is just the latest case in point.

That fact is this: Globalism is dead. If you didn't get the message from Wuhan, you hopefully got it from Moscow. Yes, accepting the end of paradigm is hard, but denying it will be harder still.

Europe needs to resettle its digital house on a foundation that won't crack the second trouble with China or Russia or even America emerges, as it inevitably will.

This might all sound like big geopolitical questions that small nations like Denmark, Sweden, Norway, and Finland are ill-positioned to engage with unilaterally. Let alone individual companies within these countries. And while that's true to some extent, we are also uniquely well-positioned to embrace protectionism on account of our small size, and agile political processes.

Take the case of Uber in Denmark. This is one of many examples where a large American tech-powered giant showed up to upend an industry, in this case taxis. The plan initially appeared to work, and Uber brought in gig-economy ethics to a labor market almost entirely unfamiliar with such a concept. This assault caused immense tension: What do we do now?

The answer: Protectionism! By using the Danish rules about seat sensors and taximeters, we were able to successfully eject Uber from the market. I'd argue we're much better off for it (although the brief scare surely did help motivate our native taxi industry to improve, so at least there's that!).

This was a good outcome anchored in a realist's understanding of markets and free trade. But we need to think much bigger if we want to make headway against the bigger, more menacing tech monopolies who are extracting data, attention, and wealth from our region.

Protectionism is the framework for our digital sovereignty. So where do we start?


#2: Outlaw the business model

The single most effective way we could use the principle of protectionism is by outlawing the business model of surveillance capitalism. Thus resetting the competitive landscape for everything from search engines to social networks, and thereby allowing native Nordic and European alternatives to be cultivated.

From Google to Facebook to Twitter, much of the American tech industry is built upon the violation of our European principles of privacy. Services that have achieved the holy grail of alchemy: Turning the worst, most divisive, most enraging content on the internet into gold. All by tracking every aspect of the eyeballs that view it, and selling that invasion of privacy to advertisers. It doesn't matter what kind of content sludge you serve, if you're able to monetize the eyeballs looking at it.

This business model is what makes these services so valuable, so viral, and so hard to unseat by European upstarts built on different ethics.

But allowing ads in Europe to be targeted on the basis of your personal data is a choice. And Europe could make a different one. We don't let alcohol and tobacco companies advertise in many venues and ways in much of Europe. There are rules around how you can advertise to kids. There are rules about what you're allowed to say in your advertisements almost everywhere. It's not like we have some ideological commitment to letting all advertisement in operate in all ways.

If we cut off the American tech companies from relying on a targeted-ads approach in Europe, we'd instantly level the playing field for European competitors, who'd find other ways to monetize their services. It's the kind of disruption that opens new possibilities for competition by unseating the advantage held by the incumbents.

Europe has already taken several swings at this privacy issue too. From the GDPR to the cookie disclosures to Max Schrems' legal victories in the European Court of Justice. These all revolve around the same European repulsion to having our private information used against us in the realm of commerce or in data dragnets, like those operates by American intelligence services.

The sad conclusion, though, is that despite all these movements, Europe still wavers on what it really wants. The cookie disclosure banners might have had good intention behind them, but they've ultimately been tuned out by consumers, and thus ended up ineffective at providing any real protection. Not the least because companies will find a million ways to extract some fig-leaf version of consent, if we let them.

The GDPR is perhaps the single piece of European legislation that has had some real effect. It's based on some solid European principles of privacy. It's codified a whole language that we can use to talk about processors, sub-processors, legitimate consent, and more. But enforcement is also almost entirely absent, in part because the whole regime is such a sprawling mess.

The same is true of the recently defeated Privacy Shield. Yes, great that the European Court of Justice has struck down this blatant subversion of our privacy ideals, but so far it's mostly just left a vacuum for companies unsure of what to do next. Are standard contractural clauses the answer? Or should we wait for Privacy Shield 2.0 with some platitudes from the Americans?

As long as Europe doesn't know what it wants, it obviously can't get it. So taking real, concrete, and big steps, like banning the business model of surveillance capitalism is were we must go, if we are going to make progress.

Otherwise it all just becomes kabuki theater that serves nobody but the lawyers and bureaucrats who pretend pushing out minor revisions to privacy policies or collecting enough meaningless checkboxes on their website actually matters. It doesn't.

Europe should put up or shut up about privacy.


#3: Become independent

But if we've relearned one thing over the past decade, it's that predicting grand political solutions can be a tricky business. Sometimes it seems like nothing is ever going to get done, and then suddenly it all happens at once. Europeans have slaughtered more holy cows on, say, energy policy this year than perhaps ever before. Who had the sentiment on nuclear power turning 180 degrees in the year 2022 on their bingo card? Not many.

So the best business can do is prepare for the general, tectonic trends, rather than try to time the earthquake itself. To me, it seems that the obvious consequence of globalism dying that we need to prepare for a far more independent Europe. A more self-sufficient one.

Let's not be like the companies deepening their ties in Russia after 2014. Or those continuing to invest in new production facilities in China after Covid.

It's basic risk management to anticipate that the world is heading towards a set of major regions drifting apart. So if you're still setting up your marketing infrastructure using Google Analytics, it's probably time to reconsider.

If you're excited about moving all your digital infrastructure onto clouds from Amazon, Google, or Microsoft, I think you should double check the long-term weather forecast. The further away you place your operations, be they in computing or manufacturing, the harder it's going to be to protect them when the long-haul lights of the world flickers.

Ultimately, the energy crisis from Russia's war on Ukraine, and the supply chain crisis from China's endless lockdowns over Covid, are wakeup calls for all other forms of commercial dependencies. If you think this is only about energy or only about physical supply chains, you're missing the bigger warning, and you'll be caught by surprise when the next quake hits.

The only way to get ready for the unexpected is to become self-sufficient. Europe as a region is more than large enough that it ought to not only pursue its own digital sovereignty, and big enough that it's embarrassing we haven't secured it yet.

The best time to plant a tree was 20 years ago. The second best time is today. Let's plant the political and commercial seeds we need to ensure Europe's digital destiny leads us to sovereignty now.

Originally delivered as a speech to the Nordic Perspectives and Fingerprints on the European Data Economy seminar in Copenhagen in November, 2022.

About David Heinemeier Hansson

Creator of Ruby on Rails, co-owner & CTO of 37signals (Basecamp & HEY), best-selling author (REWORK, It Doesn't Have to Be Crazy at Work, REMOTE), Le Mans class-winning racing driver, antitrust advocate, investor in Danish startups, frequent podcast guest, and family man.