Digital public infrastructure for sovereignty: What a “European” approach to DPI might look like

By Emrys Schoemaker - 19 September 2024
Digital public infrastructure for sovereignty: What a “European” approach to DPI might look like

Emrys Schoemaker argues that we must recognize that DPI is as much about governing for outcomes as it is about technology per se.

There is a striking addition to the newly announced line up of European Commissioners: the inclusion of ‘Tech Sovereignty’ in the newly appointed Henna Virkkunen’s list of responsibilities. Ms Virkkunen has much to build, given the European Commission's ongoing development of a European infrastructure for digital identification—but, given the recent Crowdstrike debacle, much to navigate, too. This critical appointment has the potential to ensure that digital infrastructure delivers public value for the people of Europe—and becomes an influential shaper of a global trend of developing digital infrastructure as a public good. 

The Crowdstrike disruption to Windows computers was one of the most significant computer outages ever. Explanations for the outage point to the complex role of European regulation and the vulnerability of core digital systems. The Crowdstrike disruption shut down travel, medical services, sales systems, and more. The simple explanation for the shutdown—a computer update that went wrong—has raised awareness of and concerns about the risks of single points of failure and reliance on privately owned technology. Such explanations have also strengthened calls for more resilient digital infrastructure that serves the public interest. 

More complex explanations of the shutdown’s root cause point toward governance and regulation. They have included blaming the European Commission (EC) for regulating to open access to the kernel of computer operating systems and defending that openness for limiting the outage to only those 1 percent of Windows computers subscribed to the Crowdstrike security service. As Cloudflare CEO Matthew Prince put it on X, “better security isn’t consolidated security. It isn’t your application provider picking who your security vendor must be. It’s open competition across many providers.”

Digital infrastructure for the public good

The technological approach to establishing greater digital resilience that serves public interest is digital public infrastructure (DPI). DPI reflects a shift in approaches to digital transformation from creating digital specific systems and services to building underlying infrastructure, much like roads, railways, and plumbing. Core to DPI is the idea of digital infrastructure that is both modular and interoperable, so that components can be switched out and data can flow seamlessly between systems. The focus to date has been largely on specific technologies: digital identity, data exchange, and payment systems. These can create real benefits. Organizations such as the United Nations Development Programme (UNDP) estimate that DPI could contribute to a 20 percent to 33 percent growth acceleration. As Eaves, Mazzucato, and Vasconcellos write in UCL’s IIPP note, one of the distinguishing features of DPI is its emphasis on ensuring that digital transformation makes the creation of public value as its primary goal. 

But those looking to pursue digital transformation that serves the public interest shouldn’t have to choose between approaches that emphasize either governance or technology. A governance-only approach has limitations. For example, Europe is widely regarded as having the most rights-protecting digital regulatory regime, one that through “the Brussels effect” has been adopted around the world. Yet big technology companies continue to provide services that disregard those regulations, and their business models remain untouched. Platforms like X are awash in content that has driven claims of regulatory infringement, while Telegram’s owner was arrested for failing to prevent illegal content and behavior. Though Europe might look to Brazil’s pushback against Twitter/X as a model, it’s clear that governance and regulation alone is no panacea.

Europe has been at the forefront of digital infrastructure that puts individuals first, particularly in the project to build a European platform for digital identity management. Unlike in the United States, where drivers licenses can be stored on Apple and Android phones, Europe’s vision is for European, publicly owned digital infrastructure. But a purely technology-led approach is not a solution—not least because, as technology theorist Melvin Kranzberg put it, “technology is neither good, nor bad, but never neutral.” Digital transformation—and DPI—does not inherently serve public interest. For example, when international support helped build Afghanistan’s identification systems in 2021, I wrote about how there was no mechanism in place to stop its use by the new Taliban regime to identify and pursue former regime members. 

Instead of an approach that is either exclusively technology or governance focused, the public interest can be better served by taking a holistic approach to building digital infrastructure that integrates technology, governance, and markets. Many believe the EU was right to regulate open access to the Windows kernel, but that regulation has failed to allow Windows to introduce its own security provision. Even more so, EC competition regulation is not fit for purpose when public interest technologies can enable secure infrastructure that serves both public and private market interests. A public stack could ensure the provision of digital components, including kernel security services, that could mitigate risk of another Crowdstrike-type failure. 

India has demonstrated that society-wide approaches to DPI can be implemented. The India Stack enables both public services and private sector innovation. Yet in many places DPI has been challenged for failing to be accompanied by complementary governance, regulatory, and legal frameworks. Lessons are being learned—the UNDP has developed governance frameworks for DPI (that I’ve led the development of). A number of countries have enthusiastically adopted these frameworks as part of developing a “whole of society” approach to DPI. 

A European approach to digital infrastructure

The EU is also demonstrating that a comprehensive governance and technology approach is possible. The development of the new identity regulation eIDAS 2.0 specifies open standards for a digital wallet that enables citizens to control their data. But digital identity is just one part of an ecosystemic approach to digital transformation. A truly European approach to DPI would be systemic, establishing a comprehensive European “stack” of core elements such as payments and data exchange in addition to identification. Such a stack would help maintain European sovereignty and enable the development of a rich, innovative, and rights-protecting digital market. The European Next Gen Internet initiative (full disclosure: I am a member of the “Public Commons” advisory group) is a great example of an effort to build the core elements, but future efforts should also emphasize state adoption and market creation. 

Europe’s approach to DPI could also have wider significance and serve as part of Europe’s foreign policy. A user-focused, rights-based, and decentralized approach to digital infrastructure would be distinctly European and reflect European values, contributing to the DPI marketplace, which is currently dominated by India, Brazil, and others. Actively promoting and sharing this vision for a digital future would complement existing efforts, such as the widespread adoption of GDPR, and ensure wider alignment of European values, standards, and systems. Instruments such as Europe’s international aid program and partnerships could be important instruments, along with dedicated efforts such as DG JUST’s “Data Protection Academy.” 

At the heart of this systemic approach should be efforts to make sure that digital infrastructure remains true to its purpose of serving the public good and creating public value, and that it is able to adapt to changing technological and market environments. This requires recognizing that DPI is as much about governing for outcomes as it is about technology per se. 

The Crowdstrike debacle should be a wake-up call, but the right lessons must be learned. Everyone needs digital infrastructure that serves the public interest—but it requires a holistic approach that integrates governance, technology, and markets to ensure the building of digital infrastructure that serves the common good. The upcoming event at the European Parliament on “Toward European Digital Independence” will help chart paths forward. Europe’s new Commision should seize this important opportunity to develop the kind of digital infrastructure that serves European citizens and is a public good for all, even those outside Europe.

 

 

Emrys Schoemaker, academic and consultant focussed on digital ID, risks and rights.

Photo by cottonbro studio

Disqus comments