Part I - State-centric Formations of Digital Sovereignty

2 Digital Sovereignty in China, Russia, and India From NWICO to SCO and BRICS

Johannes Thumfart

2.1 Introduction

This chapter investigates the sociotechnical imaginaries of digital sovereignty within the BRICS grouping and the Shanghai Cooperation Organization (SCO) with a focus on China, Russia, and India. Sociotechnical imaginaries include a complex network of regulatory, technological, cultural, and societal factors that characterize national approaches to technology (Jasanoff, 2015, p. 4). In addition to the analysis of national approaches, in this chapter, the concept of sociotechnical imaginaries is used to assess approaches characteristic to international organizations.

There is an essential difference between the BRICS and the SCO, the latter originally including Russia, China, and every Central Asian country except Turkmenistan (and today also Belarus, India, Pakistan, and Iran). Broadly speaking, the SCO is focused on regional security and development, whereas the BRICS is focused on global economy and trade. However, in terms of chronology, the SCO preceded the BRICS. When the dialogue between the BRIC countries began in 2006, the SCO had already existed for five years. And since India joined the SCO in 2017, the majority of the original BRICS countries and the most powerful of them are also members of the SCO.

With regard to digital sovereignty within the BRICS countries (Belli, 2021b), the SCO can be considered a forerunner. For instance, the SCO was one of the first international organizations to formulate a comprehensive agreement on information security – Declaration of the Heads of the SCO Member States on International Information Security (SCO, 2006). And in 2011 as in 2015, the SCO member states promoted the International Code of Conduct for Information Security at the UN General Assembly, which emphasized the “respect for the sovereignty, territorial integrity and political independence of all states, (…) the diversity of history, culture and social systems of all countries” (McKune, 2011). From a critical perspective, the SCO has been characterized as “perhaps one of the most successful examples of multilateral embrace of digital authoritarian norms and practices” (McKune & Ahmed, 2018, p. 3841). In order to conduct an informed debate regarding digital sovereignty within the BRICS, it is therefore highly relevant to analyze the position of the SCO and its leading nations: China, Russia and India.

This chapter demonstrates how the sociotechnical imaginaries of digital sovereignty in China, Russia, and India are related to the much earlier conception of “cultural sovereignty,” which was developed at the New World Information and Communication Order (NWICO) debates at UNESCO in the 1970s and 1980s. This conception, in turn, influenced particularly the Chinese discourse of “information sovereignty” in the late 1990s, from where the idea spread to the SCO and to Russia and India.

Starting from this genealogy, this contribution makes the case that, intertwined with economic and geopolitical factors, the sociotechnical imaginaries of digital sovereignty in China, Russia, India, and within the SCO and later the BRICS are centered around the idea that it is necessary to protect national cultural identities against the “free flow of information” enabled by digital networks, which has both domestic and international aspects dimensions. This, of course, has problematic aspects. Although the tendencies of monopolization of global communication and the concomitant uniformization of global culture regularly draw criticism, these imaginaries of digital sovereignty often serve as a means to justify practices of censorship and, in particular, obstacles to transborder information access, which violate Article 19 of the Universal Declaration of Human Rights (UDHR) that includes the right to “receive and impart information and ideas through any media and regardless of frontiers” (Universal Declaration of Human Rights, Article 19).

Section 2.2 includes a brief definition of digital sovereignty. The subsequent sections follow a chronological order. Section 2.3 proceeds with an analysis of the paradigm of the free flow of information and the postcolonial NWICO debates at UNESCO (the late 1970s to the early 1980s). In Section 2.4, I will lay out how these debates influenced the Chinese imaginary of digital sovereignty in the late 1990s and how China promoted its ideas, for example, within the World Summit on the Information Society (WSIS) from 2002 to 2005. In Section 2.5, I will focus on the SCO itself, which appears to have served as one transmission belt to export the Chinese imaginary of digital sovereignty to other countries, most notably Russia. In Section 2.6, I will lay out how cultural issues matter to Russia’s “sovereignization” of the internet from 2011 on and how the country’s specific sociotechnical imaginary of the “sovereign internet” was constructed. In Section 2.7, I will show how the SCO-member India (since 2017) developed a semi-authoritarian imaginary of digital sovereignty closely related to cultural issues, most notably regarding the Hindu nationalist government’s internet shutdowns. In the final part, I will discuss these findings in relation to BRICS.

2.2 Definition of Digital Sovereignty: A Not-So-New Alignment

Concepts related to digital sovereignty are part of a whole group of comparable, yet not identical concepts: technological sovereignty, information sovereignty, cyber sovereignty, internet sovereignty, data sovereignty, souveraineté numérique, soberania digital, digitale Souveränität, 网络主权 (“network sovereignty”), 信息主权 (“information sovereignty”) and Суверенный интернет (“sovereign internet”) (Thumfart, 2022).

While these terms can, by no means, all simply be equated, they all can be used, often by national governments, to signify the idea of national control over digital phenomena. In almost every case, this includes the concept to “align” (Mueller, 2017) cyberspace with territorial borders, which has also been described as the “territorialization” (Lambach, 2020) or “sovereignization” (Shcherbovich, 2021) of cyberspace.

In the contemporary debate, digital sovereignty has become a buzzword. What distinguishes digital sovereignty in comparison to, for example, data sovereignty, information sovereignty, or cybersecurity, is its vast scope. Information ethicist Floridi (2020) defines the term as including control over data, software, standards, processes and protocols, hardware, services, and infrastructure. Corresponding to this wide scope, the agenda of digital sovereignty includes policies such as data localization, internet censorship, the nationalization of digital infrastructure, and the construction of cyber capacities. While Floridi and many others (including Jiang and Belli in this volume) make the case that digital sovereignty can also be attributed to individuals, companies, and supranational entities, I am focusing here on digital sovereignty understood as an attribute of nation-states.

From the perspective of the Global North’s developed countries, the shift from the unregulated internet to digital sovereignty with increased state regulation of the digital has been primarily owed to the catalytic events of the 2013 Snowden revelations, the Facebook–Cambridge Analytica scandal during the US presidential election and Brexit in 2016, and the disinformation crisis during the Covid-pandemic in 2020 and 2021 (Thumfart, 2022).

However, as I have argued elsewhere, discourses related to digital sovereignty have a far older history outside of the West. Western conversion to this norm is a comparably recent phenomenon that rather universalizes digital sovereignty than constituting a new invention (Thumfart, 2022). In this sense, the discourse around digital sovereignty is exemplary for the dawn of a truly multipolar world, in which the developed countries of the Global North are no longer exclusively setting the agenda (Thumfart, 2024b). This contribution reconstructs the pre-history of the current debate about digital sovereignty from a decidedly non-Western perspective.

2.3 The Free Flow of Information and NWICO (From 1944 on)

The central idea opposing digital sovereignty is the paradigm of the free flow of information as institutionalized in the UNESCO constitution (UNESCO Constitution 1945, Article 1.2). This paradigm is particularly interesting within a BRICS context, because it is closely connected to the debate about access to colonial and postcolonial media markets. The origin of the free flow of information paradigm predates digital technologies. Around the end of WWII, US officials criticized European powers’ grip on the informational infrastructure and markets in their colonies and demanded equal access (Schiller, 1975).

For example, in 1944, the chairman of the US Federal Communications Commission criticized that “Great Britain owns the major portion of the cables of the world” and condemned this “control of communication facilities by one country with preferential services and rates to its own nationals” (Schiller, 1975, p. 77).

In 1946, the US Assistant Secretary of State outlined the government’s position, which was, at that time, not directed against dictatorships, but rather against European geopolitical competitors.

The State Department (…) plans to do everything within its power along political or diplomatic lines to help break down the artificial barriers to the expansion of private American news agencies, magazines, motion pictures, and other media of communication throughout the world (…). Freedom of the press – and freedom of exchange of information generally – is an integral part of our foreign policy.

The US ambition was ultimately successful. The European powers were weakened by WWII and willing to cooperate due to their fear of the Soviet Union (Schiller, 1975). The US’s position regarding information freedom influenced UNESCO’s position on this matter, which included the free flow of information in its charter (Schiller, 1975, p. 79). As mentioned in the introduction, this is also backed by Article 19 of the UDHR, which includes the right to access information across borders through any media.

However, with decolonization movements from the 1970s to the 1980s, leading governments of the Non-Aligned Movement, India, Cuba, and Tunisia, supported by the Soviet Union and China, began to criticize the unidirectionality of the global information flow from the developed countries of the Global North to the rest of the world (Bhuiyan, 2014, p. 4). During the debates on the NWICO at UNESCO, these countries demanded restrictions to the free flow of information based on “cultural sovereignty,” which is, in many ways, the origin of today’s debate on digital sovereignty (Carlsson, 2003).

This agenda had clearly an economic aspect, as it was part of the wider concept of the New International Economic Order (NIEO). However, the main argument in the NWICO’s conclusive report is that information cannot be a commodity as any other since it is the very foundation of society and, thus, inherently political: “Information is a service that must exist before commodities in general can be produced and exchanged. These considerations ought to act as a corrective to the transformation of information into a simple commodity” (MacBride & Commissioners, 1980, p. 153).

Further, the report argues that the diversity of cultures is threatened by global “assimilation” to a dominant global culture (MacBride & Commissioners, 1980, p. 31). The report sketches “cultural sovereignty” as a means to prevent such a decline of cultural diversity. However, the text also stresses that cultural sovereignty cannot be understood in a too simplistic, essentialist manner (MacBride & Commissioners, 1980, p. 161) and that it could be abused to justify the violation of human rights (MacBride & Commissioners, 1980, p. 189), for instance, regarding the freedom of expression and minority rights.

It is noteworthy that the NWICO debates included all of the original BRICS countries. However, the debates ended in the early 1980s due to, among other reasons, the fact that these proposals undermined the communication hegemony of both the United States and Great Britain who withdrew from UNESCO in 1984 and 1985 respectively.

Instead, the doctrine of the free flow of information prevailed. During the late 1980s, it became increasingly political. This was owed to the fall of the Soviet Bloc in 1989, during which the free distribution of information by dissidents played a crucial role. The experience of the end of the Cold War led the US to believe that the free flow of information was desirable because it inherently promoted democratization (McCarthy, 2015, p. 84). A particularly clear expression of this idea is an essay by Bill Clinton’s foreign policy advisor Joseph Nye and US navy admiral William A. Owens from 1996, titled “America’s Information Edge” published in Foreign Affairs. It reads:

The beauty of information as a power resource is that, while it can enhance the effectiveness of raw military power, it ineluctably democratizes societies. The communist and authoritarian regimes that hoped to maintain their centralized authority while still reaping the economic and military benefits of information technologies discovered they had signed a Faustian bargain

(Nye & Owens, 1996, p. 35).

The idea that the free flow of information inevitably democratizes societies corresponds to the “Internet dictator’s dilemma” (Boas, 2000), which conceives of digital technologies as forcing authoritarian States into accepting freedom of expression and democratic participation. During Hillary Clinton’s tenure as the US Secretary of State, this idea was reframed as the “Internet Freedom” agenda (Clinton, 2010a).

Although there were occasionally debates in the developed countries of the Global North regarding the harmful side of the free flow of information (e.g., on drug trade and child pornography), the issue of whether the free flow of information threatens national cultures and how this could be a political problem has rarely been addressed in the Global North. Different from a time when the Global North’s hegemony was practically unchallenged, today’s discursive landscape in the Global North includes extensive discussions of the problematic impact of disinformation on deliberative processes in liberal democracies, particularly disinformation that originates from hostile geopolitical rivals (Thumfart, 2022).

2.4 The Origins of Digital Sovereignty in China (1996–2015)

Inspired by the NWICO debates, the Chinese sociotechnical imaginary of digital sovereignty that focuses on national control over digital technologies first appeared during the 1990s (Cong & Thumfart, 2022). It is determined by five factors of cultural and political nature.

First, this development is owed to the fact that with the fall of the Soviet Union, China began to emerge as the US’s main geostrategic and economic rival, a role that it even played in its domestic political imaginary before it was perceived as such in the West. In this context, the Chinese government was and is focused on defending itself against the possibility of regime change from abroad through the means of digital communication.

Second, this geostrategic rivalry is connected to a cultural and historical issue. Since China conceives of itself as a post- and anti-colonial power, it is, in principle, vigilant regarding any developments coming from the US as the global hegemon. This anti-colonialist national imaginary was particularly influential during the 1990s, which saw the return of Hong Kong (in 1997) and Macao (in 1999) and a popularization of anti-colonialism in computer games and movies (Sly, 1997).

Third, the non-liberal and socialist country knows no strict separation between the private and public sectors. Instead, it seems rather natural to put digital technologies under state control. This is informed by Marxist political economy, which prescribes an active role of the state in promoting and controlling new technologies.

Fourth, China’s understanding of its sovereignty over digital communication is informed by Confucianism, which became very important with the rehabilitation of traditional Chinese culture under Deng Xiaoping (Jiang, 2010). In order to assess the impact of Confucianism, it is crucial to stress that China, although being officially atheist, cannot be considered a secular society according to European standards because secularization was a result of specific confessional conflicts in sixteenth- and seventeenth-century Europe. And, accordingly, Confucianism is neither a religion nor a secular philosophy in the Western sense. Rather than recognizing the independence of the religious or cultural sphere, Beijing understands religious and cultural traditions as means to achieve the wider aim of a Confucian “harmonious society.” This is exemplified by Beijing’s authority over the recognition of reincarnated Buddhist lamas (Szonyi, 2009). Accordingly, while imported from the modern Western legal tradition, the Chinese understanding of sovereignty is informed by a Confucian and imperial tradition that is characterized by a universal understanding of sovereignty according to a system 天下 (Tianxia, lit. “under heaven”) (Coleman & Maogoto, 2013; Zhao, 2019). This holistic, all-encompassing understanding of the state is a crucial element of Chinese political ideology and leads to the idea that cultural issues are inherently political.

Last but not least, China’s vigilant stance against US digital hegemony also stems from the fact that the domain name system, a core architecture of the internet based on the Roman alphabet, manifests Western cultural hegemony. It took until 2009 that the Internet Corporation for Assigned Names and Numbers (ICANN) globally approved the creation of internationalized country code top-level domains. In line with worldwide concerns regarding this issue (Baasanjav, 2014), Chinese scholars in the 1990s and early 2000s saw the predominance of the English language on the internet as a threat to their cultural identity (Gong, 1998; Han, 2000). The Chinese government was so concerned with this problem that it introduced domain names in Chinese characters independent from ICANN as early as 2000 (Baasanjav, 2014, p. 996).

The Chinese position on issues related to digital sovereignty was formulated by Chinese scholars from 1996 on (Cong & Thumfart, 2022). It was expressed in the most poignant way in an essay from 1998 written by Gong Wenxiang of the School of International Relations at Peking University on “information sovereignty” (信息主权) (Gong, 1998). First, the essay explicitly refers to the NWICO debates. Following the arguments employed there, it criticizes US cultural domination and argues for “the establishment of equal, just and mutually beneficial communication.” Constructing a fundamental conflict between the notion of “information sovereignty” and the “globalization of communication and information,” the essay states:

The so-called ‘Coca-Cola culture’, symbolized by rock music, MTV etc., has long been popular all over the world, and several major news agencies, such as AP, Reuters, BBC and CNN, have dominated international news dissemination. In the last instance, cultural communication and journalism are all about values that affect and influence the lifestyles and ideologies of their audiences. National information sovereignty (信息主权) should include the right to develop and consolidate national ethos and national culture through national and international dissemination of information

(Gong, 1998, 42f.).

Employing a more aggressive tone, the essay underlines the strategic origins of the internet itself in the US ARPANET. In this context, the essay highlights the tactical significance of IT infrastructure and refers to the US’s use of EMP-warheads during the first gulf war in 1991. It concludes:

From CNN’s exclusive field reports to the use of advanced automated weapons, the United States presented the world with a new type of warfare, which foreign scholars called ‘information media warfare.’ According to experts, the important aspect of warfare in the next century will be information warfare: digital information weapons such as computer viruses, logic bombs, and long-distance telephone network jamming devices are the nuclear weapons of the 21st century

(Gong, 1998, p. 44).

Drawing from the Confucian philosopher Mencius, reflecting on the Opium War and the Boxer Rebellion, the essay explicitly discredits the notion of the free flow of information as an ideology that serves the interests of Western “information superpowers”: “Whilst the information superpowers sing the hymns of ‘international freedom of communication’ and ‘information without borders,’ many developing countries feel that their rights are being taken away and even their national security is being threatened” (Gong, 1998, p. 45).

Gong Wenxiang’s (1998) essay and similar ones on 网络主权 (“network sovereignty”) and 网络殖民主义 (“network colonialism”) illustrate the intellectual historical background that predestinated China for being the first country to explicitly develop concepts related to digital sovereignty (Cong & Thumfart, 2022; Guan, 1997; Tang, 1998). On several occasions, the NWICO debates are explicitly cited as a blueprint for the Chinese approach of digital sovereignty (Cong & Thumfart, 2022).

The following practical and intellectual development of these ideas in China has three aspects: First, a cultural aspect; second, a security aspect; and third, an agenda related to global internet governance. The SCO, which will be discussed in Section 2.5, is part of all three aspects.

Cultural issues played a role both externally and internally. State control over internet content through censorship intensified in China in 1999 with the persecution of Falun Gong, which was considered a sect with political ambitions by the Chinese government. The group had been very active online, communicating through its international network, foreign servers and foreign websites to circumvent censorship by the Chinese government. In June 1999, the infamous 610 Office was established to crack down on this group through means including blocking access to the group’s sites outside China, undertaking cyberattacks against the group’s websites in the US, Canada, and Australia and requiring the registration of all encryption technology used by private entities and individuals (Chung, 2002, p. 96). This conflict acted as a crucial catalyst in the successive development of the “Great Firewall” that started to block content beyond Falun Gong, for example, the cause of Tibetans or Uyghurs or the events of June 1989 (Creemers, 2020, p. 13). It is obvious that the question of minorities within China is not only a political issue but also a cultural issue, particularly important from the perspective of the Chinese holistic and not necessarily secular (in the European sense) understanding of the state. These cultural aspects are not merely restrictive and top-down but have a productive and bottom-up element. They are reinforced by a form of “digital nationalism” in Chinese civil society (Schneider, 2018).

Beyond these cultural issues, security concerns played a role in the development of Chinese concepts related to digital sovereignty. One of the better-known outcomes of this discourse is an essay by the influential flight engineer Ji Zhaojun published in 2000. This essay “Network Security, Sovereignty, and Innovation” compared digital sovereignty to sovereignty over airspace and maritime space and promoted the idea that open digital networks further US dominance (McKune & Ahmed, 2018, p. 3838). In 2004, Chen Xueshi of the National University of Defense Technology affiliated to the People’s Liberation Army defined national “information borders,” which has since then been a characteristic feature of the Chinese discourse (McKune & Ahmed, 2018, p. 3838).

Third, China promoted concepts related to digital sovereignty in international fora of global internet governance, making it a prime norm entrepreneur in these contexts (McKune & Ahmed, 2018). Take as an example China’s engagement in the World Summit on the Information Society (WSIS), ICANN and the International Telecommunication Union (ITU), the SCO, and the World Internet Conference (Negro, 2020).

China has had a presence at ICANN since 1999 and it demanded a reform of the ICANN multistakeholder system in favor of an UN-like, state-centric mode of control as early as 2002 (Arséne, 2015, p. 29). The country found its allies on internet governance in the first phase of WSIS that year (Negro, 2020, p. 8), when three countries of the Global South – Brazil, Cuba, and Iran – proposed to create an intergovernmental framework to replace the existing ICANN-led internet governance model (Bhuiyan, 2014, p. 51). In essence, these countries demanded “their sovereign right to make international public policy for the internet” (Mueller, 2020, p. 3).

In the second preparatory committee of the WSIS in Geneva in 2003, the head of the Chinese delegation criticized the status of internet governance as “monopolized by one state and one corporation that neither facilitate further growth of the internet, nor fully embody the principle of equity and full representation” (Negro, 2020, p. 10). During the WSIS, China’s spokesperson tried to raise understanding for its restrictive approach to freedom of speech, calling the international community to “fully respect the differences in social systems and cultural diversity” (China, 2003). A key cultural issue discussed in WSIS was the question of domain names in non-Roman alphabets (Associated Press, 2005; Baasanjav, 2014).

Finally, the WSIS debates produced three opposing parties: Brazil, China, Russia, India, Pakistan, Iran, and Cuba, which advocated for governmental control of the internet within the UN; the US, which wanted to keep the status quo; and the EU, which initially supported the demand for governmental control over the internet, but then switched sides.

In the end, the resulting Tunis Agenda of 2005 recognized the call for digital sovereignty: “Policy authority for Internet-related public policy issues is the sovereign right of states” (WSIS, 2005). However, this declaration was not followed by real changes since the US put high diplomatic pressure on the EU to withdraw its support for the proposal to replace ICANN with a system of intergovernmental control over the global internet (“Letter by Gutierrez and Rice,” 2005). An observer summarizes: “The irony is even though Europe has been critical of ICANN, they have given their blessing to it” (Associated Press, 2005). With the European retreat, the countries favoring governmental control of the internet were relatively isolated. In the developed countries of the Global North (with the notable exception of France), the issue did not appear in the debate any more during these years (Benhamou & Sorbier, 2006; Thumfart, 2022).

Conversely, China and Russia furthered the agenda between each other and several former central Asian Soviet Union states within the SCO. Hereby, China is clearly the most important actor. In 2008, China surpassed the US in the number of internet users and has since been the leading country in terms of internet users (Robson, 2017). Accordingly, Beijing intensified its ambitions to strengthen national sovereignty over digital technology and promote this approach through international organizations such as the SCO and the BRICS.

In addition to the SCO, which will be dealt with in detail in Section 2.5, the ITU is an important forum, of which the secretary-general was Chinese from 2015 to 2022. Another important forum is the Beijing-initiated and -controlled World Internet Conference (WIC), which started in 2014 and included representatives of SCO member states, observers, and the private sector, for instance, companies and organizations such as Baidu, Alibaba, Tencent, Apple, Amazon, Microsoft, Samsung, LinkedIn, and ICANN. Since 2014, China has been promoting a declaration regarding digital sovereignty that was officially presented to the participants of this conference in 2015 (Zeng, 2015).

2.5 Digital Sovereignty in the SCO since 2005

The SCO was founded in 2001 based on a treaty regarding central Asian border conflicts in 1996 that gave birth to the “Shanghai Five.” Its original members were China, Russia, Kyrgyzstan, Kazakhstan, Tajikistan, and Uzbekistan. At first, Russia was its driving force with the two-fold strategic objective to prevent Western interventions following the wars in former Yugoslavia (1991–2001) and the “color revolutions” (2000–2005) as well as to combat Islamist extremism in the region that became a security threat with the conflicts in Chechnya and Dagestan and numerous terrorist attacks in the region (Souleimanov & Horák, 2006). The SCO’s strategic goal against Western intervention and Islamic extremism connects cultural issues with security ones.

With a rising profile, China increasingly held more sway in the SCO. On issues concerning Xinjiang province, China shared the objective to combat Islamic separatists. The formation of the Regional Anti-Terrorist Structure (RATS) in 2004 is the central pillar of the SCO and will be discussed later. In the context of its other objective, which is to strengthen state sovereignty against perceived Western interventions on issues such as human rights or popular consent, the SCO also served as a transmission belt for the Chinese imaginary of digital sovereignty to be exported to other member states. This applies foremost to Russia, which was concerned with Western interference but pursued a largely liberal approach to internet regulation until the Duma election protests of 2011 (see Section 2.6).

In 2005, the year of the Tunis Agenda of the WSIS, the SCO started to advance its strategic goals in digital sovereignty that bear resemblance to the NWICO or WSIS debates. The Astana Declaration of that year reads: “The world’s diversity of cultures and civilizations is a universal human value. In an era of rapid development of information technologies and communications (…), the right of every nation to its own way of development should be fully guaranteed” (SCO, 2005).

The SCO’s explicit demands for digital sovereignty fit well into this framework. These demands started with the Declaration of the Heads of the SCO Member States on International Information Security in 2006 that emphasized the willingness of the participants to collaborate. Although this declaration was explicitly following a recommendation included in the Resolution 60/45 passed at the 60th UN General Assembly on strengthening multilateral cooperation in matters of information security, it stands in evident contrast to the UN doctrine: The SCO member states emphasized a territorial understanding of sovereignty directly opposed to the global free flow of information. The signing member states stressed the need for international collaboration due to “the cross-border nature of ICT” but characterized ICTs as possibly contradicting the principles of “non-interference in the internal affairs of sovereign states” and “non-use of force” (SCO, 2006). Furthermore, the cultural aspect was explicitly stated in the SCO’s 2006 declaration, particularly the “respect for religious feelings and traditions of nations, inter alia, within the Shanghai Cooperation Organization region.”

Despite this rhetorical focus on territorial sovereignty, the SCO includes a significant degree of transnational cooperation in the service of preserving regime stability. In this sense, the SCO has been accurately labeled as “transnational authoritarianism” and criticized for being “a vehicle for human rights violations” (Tsourapas, 2020, p. 20). The SCO is built on the principle of mutual recognition within the Regional Anti-Terrorist Structure (RATS), which, for example, allows for the seamless extradition of individuals suspected of terrorism and the exchange of relevant information (International Federation for Human Rights, 2012, p. 5). In the language of the SCO, this is part of fighting the “three evils” of terrorism, separatism, and extremism. However, from a Western perspective, this constitutes transnational repression against individuals who can be regarded as dissidents, such as several Uyghur activists (International Federation for Human Rights, 2012, p. 16).

The SCO’s Agreement on Cooperation in Ensuring International Information Security of 2009 was likewise a reaction to a UN resolution on multilateral cooperation in the field of information security. Outspoken about its fears of regime change orchestrated by the West, the agreement names what it considered “major threats in the field of international information security” including not only “information warfare,” “information terrorism,” cybercrime, but also the “use of a dominant position in the information space to the detriment of the interests and security of other states” and “dissemination of information prejudicial to the socio-political and socio-economic systems, spiritual, moral and cultural environment of other states” (SCO, 2009).

The Tashkent Declaration of 2010 clearly formulated the SCO project to create a normative order of cyberspace based on territorial sovereignty:

Information security is closely linked to state sovereignty, national security, socio-economic stability and the interests of citizens. All countries are entitled to exercise control over the Internet in accordance with their domestic situation and laws, while expanding cooperation in a spirit of equality and mutual respect.

(SCO, 2010)

In 2011, the SCO member states submitted a Draft International Code of Conduct for Information Security to the UN General Assembly very much in line with China’s position at the WSIS. The draft reaffirms that “policy authority for Internet-related public issues is the sovereign right of states” (McKune, 2011). The text also includes a condemnation of cyberwar. The drafters pledge “not to use information and communication technologies, including networks, to carry out hostile activities or acts of aggression.” Furthermore, it includes a passage that, once more, directly links cultural issues to security issues, in which the drafters agree to combat the “use of information and communications technologies (…) that incites terrorism, secessionism or extremism or that undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment.” Little was changed in a new draft submitted to the UN General Assembly in 2015.

It is difficult to assess the impact of the SCO’s rhetorical positions on existing policies. None of the regimes involved is particularly transparent, especially when it comes to security issues. In terms of the digital implications of the SCO, it is certain that the Regional Anti-Terrorist Structure (RATS) exists and that the SCO includes a regime of transborder exchange of e-evidence. But it is also likely that this organization is, in many aspects, a paper tiger. However, at the international level in particular where norms tend to be contested and permanently evolving, rhetoric can be extremely influential in the construction of sociotechnical imaginaries. In this sense, the declarations analyzed in this section demonstrate that the SCO served as a transmission belt for a sociotechnical imaginary of digital sovereignty that connects cultural issues with security issues in the digital realm.

2.6 Digital Sovereignty in Russia since 2011

Although the Soviet Union played a leading role in the NWICO debates and even criticized the NWICO for not being focused enough on sovereignty, the post-Soviet discourse on domestic sovereignty and digital technologies is not as elaborate as the Chinese discourse on this matter (MacBride & Commissioners, 1980, p. 280). An indicator for this is that Cyrillic domain names did not get introduced before 2010 (Radio Liberty Staff, 2010), while Chinese domain names were introduced independently from ICANN as early as 2000 (Arséne, 2015, p. 30; Baasanjav, 2014, p. 966). For a long time, Moscow even promoted a moderate form of freedom of speech on the internet since it regarded the digital public sphere as a “social decompression chamber” that would keep people out of real politics (Nocetti, 2017). Rather than censoring, the Russian government initially supported the development of a regime-friendly digital sphere including bloggers, influencers and institutions that would later become notorious as Russia’s “troll factories” (Morozov, 2011, p. 126).

For this reason, China seems to have played the leading role in the propagation of more restrictive digital policies in the context of the SCO’s early declarations. Around the year 2016 when the Chinese promotion of this matter within the ITU, SCO, and WIC reached a peak, Russia reportedly received surveillance and censorship technology from China (Soldatov & Borogan, 2016). Some suggested already earlier that Russia has been demoted from the leading force of the SCO to China’s “junior partner” (Aris, 2008, p. 14).

However, the Chinese and Russian positions regarding digital sovereignty are complementary within the SCO and the BRICS contexts. While the Chinese discourse was from the start more focused on defensive sovereignty, the Russian one was more focused on aggressive digital sovereignty (Soldatov & Borogan, 2018). The first Russian (then still Soviet) cyberattack on the US happened as early as 1986 (Stoll, 1989). In 2007, the Kremlin’s youth organization Nashi’s attack on Estonia marked the beginning of the contemporary cyberwar discourse in the West by triggering the instalment of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn.

Then again, both China and Russia are subject to similar external drivers since they are geopolitically opposed to the cyber-hegemon USA and its actions, which became globally notorious with the Snowden revelations of 2013. The notion of “Суверенный интернет” (“Sovereign Internet”) finds its origin in a column published some weeks after the Snowden revelations of 2013 by Sergei Zheleznyak, a leading politician for implementing Putin’s authoritarian turn (Elder, 2013). Under the umbrella of digital sovereignty, Zheleznyak condemned the US, demanding a “national server network” and Russia’s “own information products.” Subsequently, in 2013, the Internet Research Agency was founded, which later influenced the US’s 2016 election in an “attempt to duplicate what the Kremlin considered the West’s unwarranted incursions into Russia’s own political life” (Krastev & Holmes, 2019, p. 118). Furthermore, in 2016, the Yarovaya Laws on data localization have been passed, which require personal data from individuals located in Russia to be stored within Russian territory (Savelyev, 2016). Russia also pursued an infrastructural sovereignization of RuNet (Sivetc, 2021).

These measures of sovereignization are also the product of an earlier turning point than the Snowden revelations in 2013. In 2011, following the Arab Spring, Russia experienced the greatest wave of protests of its post-Soviet history, many organized through the internet (Asmolov, 2020, p. 243). Moscow believed these protests to have been orchestrated by the US (Snyder, 2018b), even though the main reasons for these protests were, in fact, domestic (Robertson, 2013). As a reaction, Moscow started to tighten political control of the internet (Harper, 2017), passing a “whole avalanche of new repressive laws” (Weiss, 2016, p. 289). In 2012, the state introduced Federal Law 139 FZ, which, at first, banned sites containing child pornography, information regarding suicide, and selling drugs, which would two years later, with the Law 398 FZ, also extend to political content (see Chapter 8). This form of internet censorship is, at least, rhetorically, closely related to cultural issues. The repressive laws crucial to internet censorship, all adopted around the year 2012, target blasphemy, obscene language and “propaganda of non-traditional sexual relations.”

It is noteworthy that the cultural/religious turn marked by these laws was well understood in Russia, particularly the anti-blasphemy laws that triggered protest by the traditionally secular communists (Weiss, 2016, p. 290). In turn, the laws against obscene language produced less resistance and were accepted as a continuation of a Soviet tradition. However, here too a shift was visible. While the prohibition of obscenities in Soviet times was connected to insults and offenses, the new laws “are exclusively aimed at establishing and promoting language norms” (Kovalev, 2016, p. 339). The case of the so-called antigay laws is even more complex since they are based on irrational ideas. At least rhetorically, Moscow regards communication regarding homosexuality as part of Western information warfare with the objective to reduce low Russian birth rates even further (Mortensen, 2016, pp. 353–357). Overall, these concepts and laws are vague and it is exactly their vagueness and irrational nature that allows for the most repressive interpretations (Weiss, 2016, p. 289).

Some of the most notorious examples of these laws include investigations against a blogger who posed as a priest on Instagram and the forced psychiatric admission of a user of VKontakte who denied the existence of God (Weiss, 2016, p. 290). Another prominent example is the manager of a feminist website who was trialed for pornography and gay propaganda and put under house arrest (Amnesty International, 2019). Russia’s internet laws have a strong chilling effect on civil society beyond these individual cases.

While it is relatively easy to connect the Chinese discourse on digital sovereignty to cultural and political specifics such as Confucianism and Marxism, this is much harder in the Russian case. As mentioned before, the incompatibility of the Cyrillic and the Roman alphabet plays a role in the Russian pursuit of digital sovereignty, and so does Moscow’s involvement in conflicts with Islamist extremism in Chechnya and Dagestan.

However, the cultural conflict with Islamist extremism unfolds very differently in Russia since Moscow and the Orthodox church are sympathetic to the illiberal cultural claims of Islamism. For example, in contrast to Western European countries, the Russian government has banned Charlie Hebdo’s satirical depictions of Mohammed for “inciting religious hatred” and the Orthodox church supported this step (Rainsford, 2015). On a number of occasions, Putin read from Quran, Bible, and Talmud at the same event, which expresses a close linkage between politics and religion (Black, 2021, p. 377).

These are examples of the inclusive, yet illiberal, imaginary of Русский мир (russkii mir) that undergirds Russian politics on many levels. The term “russkii mir” can be understood as “Russian World,” which includes the canonic territory of the Orthodox Patriarchate, that is, Ukraine, Belarus, Moldova, Kazakhstan, and many other Slavic countries. The term can be also understood as “Russian Peace” in a sense of Pax Russica that constructs the notion of Russia’s hegemony (Laruelle, 2015, p. 15) over a multicultural Eurasian space corresponding to the idea of Russia as a “Third Rome” (Poe, 2001). In addition to these rather conservative and expansive connotations, the idea of the “Russian World” includes the territory of the former Soviet Union.

Despite its baroque multiplicity of historical fields of resonance, this idea of the “Russian World” is extremely relevant politically. On March 18, 2014, Putin used it as a justification for Russia’s annexation of Crimea (Laruelle, 2015, p. 15). Typical of imperial imaginaries, the lack of geographical precision makes the concept of the “Russian World” useful for the justification of any kind of territorial expansion.

The ultranationalist Russian think tank Izborsk Club close to Putin formulated a Russian messianic mission for Eurasia on these grounds, which includes combatting the cultural effects of informational globalization. Its manifesto from 2012 reads:

The lethal ideological and informational “machine” that destroyed all the bases and values of the (…) Romanov empire and then destroyed all the foundations of the (…) Soviet empire is everywhere at work. The fall of these empires transformed the great Eurasian space into a chaos of warring peoples, faiths and cultures on fields of blood. (…) The Russian messianic consciousness, grounded (…) in the Orthodox dream of divine justice (…) summons the negation of Russia at the level of worldview, the attacks on her faith, culture, and historical codes

(Snyder, 2018a, pp. 93–96).

From the point of view of the intellectual history of sovereignty, an interesting feature is Russian leadership’s reference to German authoritarian legal theorist Carl Schmitt’s realist conception of international relations, which is widely shared among Eurasia ideologues (Snyder, 2018a, pp. 80–90). Schmitt’s arguments against the illegality of wars of aggression partially explain Moscow’s “hybrid warfare” of kinetic and cyber means (Renz & Smith, 2016; Snyder, 2018a, pp. 193–194). Of course, Moscow’s stance is characterized by double standards. While promoting noninterference in the digital sector on a normative level, for example, within the SCO and the BRICS, it engages in using kinetic and cyber means for projecting power.

Schmitt’s idea of sovereignty, namely its foundation in the state’s monopoly of force and control and its emphasis on territoriality, is also a crucial feature of the Russian discourse on digital sovereignty. The “sovereign internet” (Суверенный интернет) grants the government far-reaching control, including deep-packet inspection of transnational data traffic. In 2019, Russia reportedly disconnected its internet from the global one, without ordinary citizens noticing it (Wakefield, 2019). Leonid Savin, a Eurasia political activist of the Izborsk Club, points out that sovereignty in the territorial Schmittian sense requires a realignment of cyberspace with territory, which must ultimately include the possibility to disconnect at will from global communication (Savin, 2019a, 2019b).

However, it should be noted that the Russian government’s decidedly illiberal approach to digital sovereignty has its technological limits. For instance, Moscow’s unsuccessful attempt to ban Telegram has shown that there is a merely rhetorical element to its claims of digital sovereignty (see Chapter 8). As of mid 2024, the jury is still out as to how the Russian army may perform on the kinetic battlefield and the cyber domain. So far, Moscow has not yet attempted the actual “disconnect” of RuNet from the global internet. However, it must be stressed that rhetoric matters when it comes to international norms and the construction of sociotechnical imaginaries.

2.7 Digital Sovereignty in India since 2017

India is the most complex of these three nations in terms of digital sovereignty formations. While India was a driving force behind the BRICS from the start with the creation of the BRIC in 2006, it is connected to the SCO in a loose way since it joined the SCO only in 2017. India was invited by Russia to join the SCO to counter China’s invitation of India’s archrival Pakistan. It is unclear to which extent previous declarations of the SCO will concern India as the country is a “digital decider” between liberal and non-liberal modes of digital governance (Basu, 2019). For instance, India joined the majority of the SCO and BRICS member states in backing the adoption of the UN resolution on Countering the Use of Information and Communication Technologies for Criminal Purposes (Sherman & Morgus, 2018).

India has a strong bipartisan anti-colonial tradition, which includes a general willingness to defend local cultures and economy against global hegemonic structures. Actors closer to the politically left promote a form of economic nationalism called swadeshi (“swa” = “self” and “desh” = “country”), while actors on the politically right promote hindutva (“Hindu-ness”) (Prabhu, 2012). India has also been one of the leading forces of the Non-Aligned Movement, which was crucial to the NWICO debate in the 1970s and 1980s. During WSIS, too, India has been on the side of those nations who demanded more political oversight over internet governance (Vipin, 2011).

Comparable to China, the resistance against US-led digital colonialism is important to India, where a commentator labeled Google’s crushing of the country’s local search engines as “digital battle of Plassey” (Arya, 2020). Accordingly, India has implemented a relatively strict regime of data localization that is primarily focused on the idea that the data of Indian citizens (the second largest internet user base in the world) constitutes an economic resource that should belong exclusively to Indians. This perspective focused on the national economy is particularly convincing since the country maintains the world’s largest digital biometrical ID program Aadhaar, which has been installed as early as 2009. This technological-demographical baseline situation also brought about a focus on privacy and national security (Kovacs & Ranganathan, 2019, p. 17).

However, the country’s position is characterized by a double frontline. In addition to a guarded stance against Western digital hegemony, India seems to also fear the influence of China, with whom it forged an alliance through the BRIC grouping since 2006 and through the SCO since 2017. India and China also had a number of territorial disputes beyond the digital realm, for instance, the 2020–2021 border skirmishes. The ban of dozens of Chinese apps in June 2020 that resulted from these border conflicts also made clear that India’s digital sovereignty can be in direct opposition to China from time to time (Al Jazeera, 2021). Due to diverging and converging interests on different issues and at different times, the SCO and the BRICS grouping can experience instability given their multipolarity.

Culturally, the notion of hindutva embodies a nationalist aspect that became increasingly important to Modi’s Hindu nationalist government (Mohammed-Arif et al., 2020). However, today, the focus of this ideology lies not so much in its stance toward the West, with whom the Modi government maintains tight relations, but toward Pakistan and the approximately 200 million Indian Muslims (Tellis, 2018). Furthermore, in contrast to Russia and China and although Modi’s government promotes the replacement of English by Hindi on all levels of Indian society, global Anglo-Saxon culture may not be regarded as an existential threat from an Indian point of view as a significant part of its population speaks English as a second language. Neither does India have only one non-Roman alphabet, which would produce a clear dichotomy. Since 2011, ICANN has allowed for domain names in several regional languages: Hindi, Gujarati, Urdu, Punjabi, Bengali, and Telegu (Sengupta, 2011). Compared to China, the liberal Western idea of internet freedom poses no fundamental ideological problems to India since the country is constitutionally a democracy.

However, comparable to the domestic implications of the Russian and Chinese imaginaries of digital sovereignty, internet use in India can also be heavily restricted. This is largely owed to domestic security challenges related to religious issues. Already in the 2000s, the Indian government has shown a keen interest in cybersecurity due to Islamist terrorism (Kovacs, 2021, p. 134). Modi’s Hindu nationalist government, in turn, stoked interreligious conflicts (Mohammed-Arif et al., 2020). In India’s complex society full of inner tensions and anachronisms, such conflicts and conflicts of nonreligious nature can lead to violent online mobs, often fueled by disinformation. In August and September 2013, social media played a decisive role in stoking clashes between Muslims and Hindus in the state of Uttar Pradesh, which left 62 dead, 93 injured, and 50,000 displaced (Biju, 2019, p. 10). Also, following the anti-Muslim laws issued by the Hindu Nationalist government, the Delhi riots of 2020 killed 53. The riots were clearly of interreligious nature, stoked by hate spread through social media (Mehta, 2020). In another example from 2018, two young men were accused of being child kidnappers and were beaten to death on the grounds of a social media video (Deutsche Welle, 2018). Such lethal attacks on the basis of social media rumors occurred more frequently in India (Krishnan, 2018). In the first half of 2018 alone, more than two dozen people died related to rumors spread via WhatsApp (Samuels, 2020). In many cases, the perpetrators were “rightwing Hindu cow vigilantes” (Shah, 2021, p. 1932). However, in one of the latest such incidents – the 2020 Palghar mob lynching – two men were killed on the grounds of WhatsApp rumors, and both the perpetrators and the victims were Hindu.

Such incidents, which the Hindu nationalist government partly stoked, serve as the justification for the government’s more expansive control over web content. For instance, the Indian government has requested Twitter (now X), Google, and YouTube to remove posts considered blasphemous or inciting communal violence (Segal, 2017). In 2019, Netflix agreed to delete all content that disrespects the country’s flag, hurts religious sentiments, or promotes terrorism (Dixit, 2019). After the Indian government waged a “war with Twitter” (Biswas, 2021), Twitter too agreed to delete 90–95% of accounts requested for removal by the Indian government (Business Insider India, 2021). However, since the removal requests concerned mostly the accounts of anti-government protesters, it is obvious that the Indian state’s actions do not exclusively serve security purposes, but also the government’s own interest.

Since the Temporary Suspension of Telecom Services Rules came into force in 2017, the Indian government also frequently uses these rules to enact local “internet shutdowns.” Although this practice also exists in Western democracies (De Gregorio & Stremlau, 2020), India is, by far, the number one country in enacting such shutdowns. Of the 155 internet shutdowns imposed globally in 2020, a staggering 109 occurred in India, which means that the country is even more authoritarian on this issue than other SCO member states (Chakravarti, 2021).

India has also enacted one of the world’s longest and most far-reaching internet shutdown so far, lasting from August 4th, 2019 to March 4th, 2020 affecting the former Muslim-majority state of Jammu and Kashmir with 12.5 million inhabitants (Internet shutdowns in India, n.d.). The toll on the local economy and on civil society, particularly the work of journalists, is high (Sarkar et al., 2020). An analysis from 2019 has shown that shutdown orders mostly do not require suspension of internet services in their entirety, but rather a direct blocking of specific mass messaging platforms such as Facebook, Twitter, and WhatsApp (Internet Freedom Foundation, 2019). Furthermore, internet shutdowns became so common in India that they are not always seen as political or security issues. In widely criticized displays of local authoritarianism, local governments regularly suspend internet connectivity to ensure that no cheating takes place during civil service exams (Sanzgiri, 2023). This is to be understood not only as a display of authoritarianism but also as an expression of the “heavy emphasis on education in the country, where for many, proper schooling could be the key out of poverty” (Yeung et al., 2021).

Also beyond the measures mentioned earlier, the current Hindu nationalist government promoted digital authoritarianism (Sherman, 2019). It has extended the use of artificial intelligence-enabled facial recognition in urban centers and successively transformed the country’s digital biometrical ID program Aadhaar from a voluntary to a de facto compulsory ID since it is needed for a great number of governmental services. This, too, has been raising fears of governmental surveillance (Khera, 2019). This top-down authoritarian turn is worsened by increasing digital vigilantism in the Indian civil society of the so-called “cyber Hindus” (Biju, 2019, p. 10).

In summary, the Indian concept of digital sovereignty includes highly authoritarian aspects, most notably censorship and internet shutdowns, which are partly connected to complex authoritarian strategies of the Hindu nationalist government but the concept has also to be understood within India’s complex cultural contexts. While the Russian notion of a disconnectable “sovereign” internet explicitly refers to Schmitt’s understanding of sovereignty against foreign powers, the Indian concept of digital sovereignty realizes the Schmittian principle on the domestic level as Schmitt defined sovereignty as the power to declare the state of exception, and internet shutdowns are an expression of such a “liminal” understanding of sovereignty in the digital realm (Thumfart, 2024a).

It is important to note here that such dramatic authoritarian approaches include a great degree of make-belief. It is more than questionable whether internet shutdowns actually achieve their security goals since they have been found to be combined with governmental inaction in critical situations of civil unrest (Ruijgrok, 2021, p. 32). Furthermore, it is not possible to shut down the internet in a country completely (Shah, 2021, p. 2696). However, there is no doubt that internet shutdowns represent an impressive staging of the nation-state as “taking back control” over digital networks. And such staging of governmental power matters, particularly regarding sociotechnical imaginaries.

2.8 Conclusion: Digital Sovereignty for Global Cultural Diversity?

Digital communication has become a decisive factor in the economy and politics of all countries. A critical understanding of the global digital infrastructure and economy as enabling “digital colonialism” is not entirely unjustified even for authoritarian countries (Avila Pinto, 2018; Hicks, 2019). Neither are fears that democratization campaigns based on social media might lead to regime change – regardless of whether this regime change might be desirable from a human rights perspective or not. Developing nations with non-liberal traits, as in the cases of China, Russia, and India, have constructed imaginaries of digital sovereignty that can be evoked to implement economic protectionism and political censorship. Such obstacles to the domestic and transnational free flow of information often include violations of article 19 of the UDHR.

Beyond political and economic aspects that influence the imaginaries of digital sovereignty promoted within the SCO and the BRICS by China, Russia, and India, it is crucial to consider cultural factors. Although threats to national cultural identities are often exaggerated and politically exploited, governments and civil societies of all three nations do have reason to believe that their traditional culture can be threatened by the free flow of information enabled by global digital hegemons. As a matter of simple fact, ICANN for a long time allowed only top-level domains in the Roman alphabet. Additionally, all of these immensely diverse countries hardly fit the idea of consolidated nation-states following the European pattern of development for they are often confronted with significant internal cultural conflicts. Whether perceived or real, internal cultural challenges and external cultural threats have informed these countries’ non-liberal or authoritarian positions on domestic digital sovereignty in the form of censorship and on external digital sovereignty in the form of protectionist policies, and in the case of Russia, also aggressive cyber operations.

This chapter highlights the relationship between digital sovereignty and cultural identity. It does so by tracing the historical narrative that informed the development of the notion of “cultural sovereignty” during the NWICO debates in the 1970s and 1980s, the digital sovereignty discourse that emerged in China in the 1990s, and the subsequent spread of an extreme form of state-centric digital sovereignty to Russia since 2011 and the embrace of it by a nationalist Indian government from 2017 on. In these processes, the multilateral forums of the SCO, and to a lesser extent the BRICS, served as a transmission belt in proliferating state-centric imaginaries of digital sovereignty. It is a central finding that in all three of the examined countries, imaginaries of digital sovereignty are related to a non-secular understanding of the state that merges politics and religion (Russia and India) and traditions that are neither secular nor religious (Chinese Confucianism). And since 2006, SCO statements routinely connected religious issues, information technologies, and security concerns. In this sense, the global emergence of digital sovereignty can be compared to the evolution of state sovereignty from the confessional wars and the connected development of the printing press in sixteenth- and seventeenth-century Europe. On a methodological level, this chapter demonstrates that, similar to this more or less well-fitting historical comparison, the construction of state-centric digital sovereignty can only be understood considering a complex entanglement of domestic social, economic, political, and cultural dispositions, power dynamics in international relations, and the development of concrete technological capacities (see also: Thumfart 2024b).

As of 2024, it is difficult to speak in positive terms of a common future of the BRICS or SCO that includes a militaristic Russia, as doing so may normalize Russia’s aggressive authoritarianism that is not shared by China or India. However, a more hopeful long-term outlook for the BRICS beyond Russia’s war of aggression in Ukraine and Putin’s misrule could emphasize cooperation between BRICS nations to realize the objectives set by NWICO and WSIS by making the digital world less one-dimensional or monopolistic (see Chapter 1). One does not need to be a right-wing nationalist to regard global cultural assimilation as a problem. If one takes the impact of digital communication on the development of human civilizations seriously, then US-led standardization and destruction of cultural diversity by Googleization, Facebookization, Twitterization, and Uberization could constitute a threat to human civilizations severe enough to warrant a serious response. Due to prejudices incurred by biased algorithms and faulty AI, cultural diversity is more than a nice-to-have luxury, but of vital importance to adequately represent the full scope and complexity of human social and intellectual capacities. Digital sovereignty grounded in legitimate reasons and proportionate actions can be a crucial means to protect cultural diversity across the globe and harvest its potential.

If one assumes that regulation of digital content and services to preserve cultural diversity around the globe is legitimate, where does the legitimate interest in preserving one’s own culture end and where does the persecution of religious and other minorities begin, as this is the case of Muslims, dissidents and members of the LGBTQ+-community in China, Russia, and India? What about respecting citizens’ privacy and right to communicate freely across borders and conduct business online when doing so contradicts the interest of the state? These are difficult questions. Decolonization and authoritarianism converged historically in their shared resistance against Western norms, which are frequently thought of as including human rights such as the freedom of speech and the right to privacy (Watson, 2021). An informed debate on digital sovereignty has to consider both: the dangers of digital authoritarianism and the productive potential of digital decolonization.

Funding acknowledgement: During this research, Johannes Thumfart received funding from Gerda Henkel Stiftung’s special programme Security, Society, and the State (2020–2022) and the European Union Horizon 2020 research programme under MSCA COFUND grant agreement 101034352 with co-funding from the VUB-Industrial Research Fund (2022–2024).

3 The Spatial Expansion of China’s Digital Sovereignty Extraterritoriality and Geopolitics

Wanshu Cong

3.1 Introduction

For various historical and political reasons, the idea of digital sovereignty, and the concept of sovereignty more broadly, is largely a state-centric one in China, revolving around the discourse, policies, and practices of the Chinese government. Within the history of the internet, China has a relatively long tradition of proclaiming cyber sovereignty and establishing state control over the cyberspace and digital infrastructures. Various practices of China bordering or “re-territorializing” the cyberspace (Kettemann, 2020) demonstrate this sovereigntist approach of governing the internet, such as the Great Firewall that censors the transmission of information to China, and the rule of data localization prescribed by Article 37 of China’s Cyber Security Law (CSL). Deep political and ideological reasons make it unlikely for China to depart from its adherence to the sovereigntist approach for governing the internet. However, the application of strict territoriality principle to the governance of the internet has indeed been challenged by its high economic costs and lack of efficacy to protect the expanding market and interest of Chinese tech and digital companies overseas. These challenges called for new ways of understanding the scope and substance of state digital sovereignty and of exercising its sovereign power over the internet and data. The Chinese regulatory evolution appears to be a gradual spatial expansion of its regulatory power beyond the physical borders, reflecting an emerging tendency from territoriality to extraterritoriality in the conception and practice of China’s digital sovereignty. This tendency is what this chapter inquires.

Of course, one may ask whether there is really a shift from territoriality to extraterritoriality in the cyber context.¹ In addition, despite its attempts of grafting borders onto the internet, China is no less reluctant to undertake extraterritorial measures against dissidents, and, therefore, its seemingly territorial approach does not reflect the complexity of actual practices. The chapter does not present this tendency as a sudden new phenomenon. What is interesting, however, is that the mismatch between China’s official stance and actual practice may become less stark due to the emerging change of regulatory philosophy: the regulatory tendency toward extraterritoriality can be identified explicitly in recent initiatives as well as scholarly discussions. They differ from previous practices of which extraterritoriality is rather implicit and barely gets clear legal justifications.

This chapter, adopting a state-centric perspective of digital sovereignty (see Chapter 1), draws attention to China’s three recent regulatory instruments, which most remarkably demonstrate the direction toward the spatial expansion of China’s digital sovereignty: China’s Personal Information Protection Law (“the PIPL”),² Data Security Law (“the DSL”),³ and the order by the Ministry of Commerce on blocking unjustified extraterritorial application of foreign legislation and measures (“the Blocking Rules”). In Section 3.2, I discuss two approaches of broadening the spatial dimension of China’s state digital sovereignty, which can be identified in these three instruments. The first one is to include extraterritorial rules in data governance legislation, making such legislation applicable beyond China’s territory or produce extraterritorial impacts. The other approach is to resort to blocking or countering measures against certain foreign measures related to data that China deem illegitimate. While their practical effects need more time to manifest, they demonstrate a clear intention of the Chinese government to regulate extraterritorially data, data activities (such as data collection, processing, and transfer) and data-related activities (such as trade and investment in relation to data), and hence to expand the spatial scope of China’s digital sovereignty. International environment is indispensable to understanding this regulatory and conceptual evolution. Accordingly, given the current, increasingly confrontational international context, I argue in Section 3.3 that this regulatory evolution represents a greater incorporation of geostrategic interests in China’s conception and practice of digital sovereignty, as a response to the geopolitical challenges that China is facing.

While the term “digital sovereignty” may be intuitively related to having and exercising control over data and digital infrastructures (Floridi, 2020), it remains highly controversial and has varied meanings for different societies (see Chapter 1).⁴ For this chapter, as it analyzes and interprets recent legislative and policy initiatives, it pays less attention to theorizing what “digital sovereignty” means. Instead, I use “digital sovereignty” as a composite term to refer to state authority over digital technologies and their social, political, and economic impacts. To justify this broad use of the term within the state-centric perspective, it suffices to say that in the Chinese context, as data is deemed as “fundamental strategic resources” since the thirteenth five-year plan (NPC & Central Committee of the CPC, 2016) and an important factor of production (Huang et al., 2020; Shi, 2018), digital sovereignty is as much about infrastructural and technological sovereignty as about economic sovereignty and hence is inherently multidimensional. As will be seen, this imbrication of the digital with the material is reflected by the way how the notion of digital sovereignty incorporates both geostrategic interests of the state and private economic interests. Given changes in these two interests in the current international environment, the spatial expansion of China’s digital sovereignty should not be surprising.

3.2 Two Approaches Toward Extraterritoriality

Two approaches toward the spatial expansion of China’s digital sovereignty can be identified in the three instruments. The first and the most straightforward approach is to explicitly adopt extraterritorial rules in the PIPL and the DSL. The second approach, present in all three instruments, is to block or counter certain foreign measures deemed discriminatory or restrictive against China.

3.2.1 Extraterritoriality in Data Governance Legislation

The attempts of re-territorializing the cyberspace and data flows by the CSL, reflecting a more exclusive and territorialized conception of cyber sovereignty and greater securitization of the internet, have been criticized widely both inside and outside of China. In terms of the territorial scope of application, the CSL applies only to the construction, operation, maintenance and use of network, and cybersecurity supervision and management within the territory of the People’s Republic of China.⁵ Regarding cross-border data transfer, the default rule in the CSL is for critical information infrastructure operators to store personal information and important data that they collect within China.⁶ The PIPL and DSL differ considerably from the CSL in both aspects. With respect to extraterritorial application, the PIPL applies to the following situations where activities of handling personal information of natural persons in China take place outside of China:

1. 1. When the purpose of such activity is to provide products or services to natural persons within China,

2. 2. When analyzing or assessing activities of natural persons within China, and

3. 3. Other circumstances provided by laws or administrative regulations.

To give teeth to the extraterritorial scope of this law, Article 42 of the PIPL addresses enforcement issues. It authorizes the Chinese cybersecurity and informatization department to impose administrative sanctions on foreign organizations or individuals whose personal information handling activities create harms on the rights and interests of Chinese citizens or on China’s national security or public interest.⁷

As for the DSL, apart from data activities carried out within China, Article 2(2) sets out that “data processing activities outside China which harm China’s national security, public interest or lawful rights and interests of citizens and organizations, are to be pursued for legal responsibility in accordance with the law.” These provisions of extraterritorial application in these two instruments illustrate an exercise of legislative jurisdiction that combines the principle of territoriality and the effects doctrine, making the location of the effect of data activities a crucial factor for re-territorializing the cyberspace.

With respect to cross-border data flows, Article 38 of the PIPL sets out four options for transferring personal information abroad, easing the data localization rule in CSL:⁸

1. 1. passing a security assessment organized by the State cybersecurity and informatization department,

2. 2. obtaining personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department,

3. 3. concluding an agreement with a foreign receiving party according to the standard contract formulated by the State cybersecurity and informatization departments, which sets out the rights and obligations of the parties,

4. 4. other conditions provided by the State cybersecurity and informatization department in laws or administrative regulations.

In addition to these options, personal information handlers are required to ensure that the treatment of personal information transferred abroad is up to the standard of this law.⁹ Furthermore, these options are followed by the obligations of individual notification, obtaining individual consent,¹⁰ and conducting risk assessments by those who seek to export personal information.¹¹ A default data localization requirement still exists in the PIPL and applies to critical information infrastructure operators and those entities who process personal information up to certain quantities determined by the State cybersecurity and informatization department. For these two categories of data collecting/processing entities, only the first option in Article 38 is available.¹²

The DSL introduces a single article addressing the export of data upon requests by foreign governmental authorities.¹³ According to this provision, such requests shall be dealt with in accordance with relevant laws and international agreements and conventions to which China is a party, or according to the principle of equality and reciprocity; without the approval of relevant competent departments of China, no data stored within China shall be transferred abroad upon such requests. Organizations or individuals within China that violate this provision will face administrative sanctions.¹⁴ A similar provision also exists in the PIPL.¹⁵ Beyond this particular scenario, the DSL does not say much about cross-border data transfers. Article 31 specifies that the CSL shall be applied to important data collected and produced by operators of critical information infrastructure within China, and that for important data collected and produced by other data processors within China, special rules shall be made by the State cybersecurity and informatization department with relevant departments in the State Council. Therefore, data localization remains the default rule for the former category of data. For the latter category, the possibility of cross-border transfer needs to be decided and formulated in future rule-making processes. Despite the lack of more concrete mechanisms for data cross-border transfer, the DSL pledges the Chinese government to “ensure the lawful, orderly and free flow of data”¹⁶ and to “promote the safe and free flow of data across borders” by actively participating in international exchanges and cooperation for the making of international rules and standards on data security.¹⁷ Such undertakings, although largely political rather than legal, suggest a cautiously positive attitude of China toward cross-border data transfers and a more proactive approach to their regulation. Accordingly, China’s stance on data localization seems to be more restrained.

These two legislative moves – i.e., the extraterritorial application of laws and the rules for cross-border data transfers – are indicative of the spatial expansion of China’s digital sovereignty, and reflect a nascent, post-CSL regulatory tendency as a result of multiple internal and external factors. To begin with, the data localization rule of the CSL has encountered various criticisms inside and outside of China. Some Chinese scholars comment that the Article 37 of CSL lacks distinction between different data subjects (Cao, 2018, pp. 99–100), fails to meet the requirement of proportionality (Hong, 2017, pp. 59–60), and is unable to balance the two equally important objectives – security and development (X. Zhu & Dai, 2020, p. 87). In the business sector, foreign companies have considered the CSL as a step toward greater trade protectionism and warned the Chinese government that the CSL could further isolate China from the global digital trade (Donnan & Mitchell, 2016). Chinese companies were much less outspoken about their concerns, but it has been pointed out that such strict data localization requirement may trigger protective measures by other countries, impeding the “going-out” of Chinese companies (Liu & Cui, 2020, p. 103). Facing these criticisms, even the Chinese government seemed less ascertain about data localization. Right before the CSL entered into force on June 1, 2017, the Cyberspace Administration of China (CAC) told journalists in a press conference that the objective of the CSL was neither to restrict foreign companies from entering the Chinese market nor to restrict lawful, orderly, and free flows of data. The CAC acknowledged that cross-border data flows had become a precondition for economic globalization and for China’s Belt and Road Initiative (Cyberspace Administration of China, 2017). Nevertheless, the blackletter law of the CSL has retained its broad and sweeping phrasing, which continues to be a source of concern for Chinese and foreign companies. The problem of the CSL is partly because the CSL only provides the general structure of cybersecurity, leaving many specific requirements to be fleshed out by complementary laws and regulations in its implementation. However, subsequent implementation and specification of the CSL rules were largely unsuccessful in resolving those concerns and criticisms.¹⁸

Despite the CSL’s formulation, parallel and subsequent regulatory initiatives already pointed toward the direction of extraterritoriality. For example, the Chinese government released several draft guidelines and regulations related to the export of data since the CSL’s adoption.¹⁹ In particular, the 2017 draft Guidelines for Data Cross-Border Transfer Security Assessment clearly incorporates extraterritorial application, making, inter alia, “accessibility” of data rather than its physical location the trigger for its application.²⁰ Considering these pre-existing attempts, the PIPL and DSL exemplify the most recent legislative moves toward extraterritoriality.

Externally, the impact of the US’s and EU’s regulatory power is undeniable, and superficially, the PIPL and the DSL can be seen as China’s emulation of their regulatory models. The US is well known for its extraterritorial laws and the long-arm jurisdiction of its courts (e.g., Putnam, 2016). Its 2018 Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is an exemplar of the global reach of its sovereign power over data.²¹ As for the EU, the General Data Protection Regulation (“GDPR”) has become a global model for regulating personal data. China’s two legislative moves, particularly with the PIPL, which resembles the GDPR in many respects, may be considered a manifestation of the so-called “Brussels effect” (Bradford, 2020). Indeed, many Chinese scholars recommended to follow the footstep of the GDPR (Shi, 2018; K. Xu, 2019) and legislators admitted that they closely studied foreign and international experiences on data protection when drafting the PIP bill (N. Zhu, 2020). However, China’s shift toward gradual extraterritoriality is not a unidirectional imitation of foreign regulatory models; as will be discussed later, this shift will produce geostrategic implications on the emulated regulatory models as well. It suffices to mention here that the emulation of the GDPR by the PIPL is accompanied with caution, especially with respect to the negative effects of extraterritoriality (e.g., the potential trade barriers that other states may put in place in response) and the practical difficulties of enforcement (Liu & Cui, 2020, p. 107). In turn, the PIPL seems to be slightly more restrained than the GDPR regarding extraterritoriality. As we can see, the text of the PIPL makes the intention (i.e., “purpose”) of offering products or services to persons in China an explicit criterion for triggering the law’s extraterritorial application, whereas the requirement of intention is only mentioned in the GDPR’s Recital 23.

In addition to the modeling influence of US’s and EU’s extraterritorial legislation, it is impossible to overlook the impact of recent mega trade and investment agreements that China has joined. The most notable one is the Regional Comprehensive and Economic Partnership (“RCEP”), which was signed in November 2020 and has accounted for over a third of China’s foreign trade in its first year since entry into force (China SCIO, 2023). The RCEP provides a templet of international data governance that contains rules to promote data flows among its members. For example, Article 12.15 of the E-commerce Chapter obliges states not to prevent cross-border transfers of information by electronic means (Regional Comprehensive Economic Partnership Agreement, 2020). It is true that this rule is followed by a significant list of exceptions, and that compared to the US-led model of digital trade (such as the Trans-Pacific Partnership), the RCEP looks rather unambitious. However, the RCEP remains to be the first significant international agreement that commits China to enhance data mobility across borders. While China’s commitment has been interpreted as more symbolic than substantive (Cory, 2021, p. 26), it can still create considerable motivation to speed up domestic legislative process addressing transborder data flows (Li, 2016, p. 781; Gao, 2022). Moreover, China applied to join the Compressive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) in September 2021 (Xinhua News Agency, 2021) and has started adopting CPTPP rules in pilot free trade zones and ports in 2023 (K. Wang, 2023). As the CPTPP has far more stringent rules ensuring cross-border data transfers than those in the RCEP,²² Xi’s gesture may indicate China’s moving toward a greater degree of data liberalization, although such liberalization only concerns data related to trade (Gao, 2022). This prospect of greater and freer data flows, however, should not be deemed as a waning of the state’s regulatory sovereignty. The deepening of trade liberalization effectively depends on the state’s capacity of creating and enforcing legal infrastructures to support and guarantee the operation of the market (Slobodian, 2020; Tzouvala, 2020). Therefore, what may appear to be a retreat of the state’s sovereign power is in fact its transformation. When it comes to China, the political will to enhance data mobility goes together with the increased flexibility of the ambit of China’s regulatory power over data.

In brief, the recent legislative development in China suggests a revision of the CSL’s stricter territoriality. Partially, such a revision is compelled by the economic impracticality of the CSL’s sweeping data localization and its enforcement difficulties. It is also caused by a convergence of internal and external incentives pushing for greater data mobility. This revision, however, should not be understood as the weakening of China’s digital sovereignty, but rather its adaptation to emerging challenges. The CSL and China’s National Security Law remain the basic reference point of recent regulatory instruments, suggesting that the notion of sovereignty is not stepping back but is reinforced through its spatial expansion. As discussed in Section 3.1, such metamorphosis of digital sovereignty is also driven by geostrategic considerations and accordingly will likely have important implications globally.

3.2.2 Blocking and Countering Measures and Their Extraterritorial Effects

The second approach, that is, to block or even counter certain foreign measures deemed discriminatory or restrictive against China, can also be found in the PIPL and the DSL. Article 43 of the PIPL provides: “Where any country or region adopts discriminatory prohibitions, limitations or other similar measures against the People’s Republic of China in the area of personal information protection, the People’s Republic of China may adopt retaliatory measures against said country or region on the basis of actual circumstances.” Similarly, the DSL proclaims that when any nation or region employs “discriminatory, restrictive, or other similar measures” against China “in areas of investment or trade in data and technology for the exploitation and development of data,” China may employ “reciprocal measures” against that nation or region based on the actual circumstances.²³ Such provisions certainly make the two instruments an outlier case in current major data regulatory regimes globally. Again, like many Chinese laws, the phrasing remains highly abstract and broad, and relevant guidelines for implementation would be needed to specify key issues, such as how to decide whether a particular measure adopted by another country is discriminatory against China, what “retaliatory” or “reciprocal” measures would be envisaged, or how to determine the target, scope, or severity of such measures.

Irrespective of these details, the two provisions send a clear political signal about China’s reaction to the global reach of regulatory powers such as the US and the EU. For instance, with respect to personal data, as the EU has not granted China an adequacy decision, it is fair to ask whether this could be deemed by China as “discriminatory” against China and trigger “retaliatory measures” (Cerulus, 2019). The possibility of retaliation, such as more restrictive market access and data export, could reduce the PIPL’s limited liberating effects of cross-border data transfer. While these potentially restricting consequences may lead to data localization or China’s self-isolation, such revert is not incompatible with the idea of China’s spatial expansion of digital sovereignty, but only one dimension of China’s evolving digital sovereignty. In the case of the EU’s non-adequacy decision, the potential “retaliatory measures” adopted by China, such as prohibiting data transfers to the EU, would effectively regulate EU-based companies who operate business in China or with Chinese companies, thereby stretching China’s sovereign power to what is under the EU’s territorial jurisdiction. Hence, the undermining of cross-border data transfers, a form of negative externality, can also be a net result of China’s extraterritorial regulatory power.

Compared with the PIPL, the provision in the DSL covers a broader range of measures by foreign countries or regions that could face China’s countermeasures, that is, foreign measures regarding investment or trade in data and technology for the exploitation and development of data. This recalls the blacklisting of Chinese tech and telecom companies (e.g., Huawei, ZET, and China Telecom) and sanctions imposed by the US government since the US–China trade war. Elsewhere, India banned Chinese apps including the TikTok for national security reasons. The EU has also begun imposing greater screening requirements on investments by the Chinese tech companies in the EU market on security ground. In short, all these measures based on national security could possibly be judged by China as discriminatory or restrictive and be responded by “reciprocal measures.” An example would be blacklisting certain American or Indian companies to the Unreliable Entity List, which imposes a series of restrictive measures.²⁴

Another possible reciprocal measure is provided by Article 25 of the DSL, which says that the state shall implement export controls on data of controlled items for the purpose of protecting national security and interests and fulfilling international obligations. This provision brings to mind the Catalogue of Technologies Prohibited or Restricted from Export, published jointly by the Ministry of Commerce and the Ministry of Science and Technology in August 2020 (PRC Ministry of Commerce & PRC Ministry of Science and Technology, 2020). The Catalogue that includes technologies related to artificial intelligence and data analytics has been widely regarded as a countermeasure to the Trump Administration’s TikTok ban by effectively prohibiting TikTok from selling itself to a US company. Again, the negative consequences of such reciprocal measures, such as potential disruptions of global trade and investment that the blacklisting and export control can create, do not necessarily suggest a return to bordered sovereignty based on physical territoriality. Instead, the “other-oriented” character of such tit-for-tat restrictions, based on the self-judgment of whether China is the victim of someone else’s wrongdoings, produces extraterritorial consequences affecting foreign actors, effectively subjecting them to China’s regulatory power.

In addition to the two laws, the Blocking Rules published by the Chinese Ministry of Commerce on January 9, 2021 is of particular interest. The Blocking Rules applies to

situations where the extra-territorial application of foreign legislation and other measures, in violation of international law and the basic principles of international relations, unjustifiably prohibits or restricts the citizens, legal persons or other organizations of China from engaging in normal economic, trade and related activities with a third State (or region) or its citizens, legal persons or other organizations

(Article 2).

“Blocking” in this document refers to both judicial and political measures, that is, nonrecognition, nonexecution, and noncompliance of foreign legislation or measures identified by the blocking decision made by the Ministry of Commerce.

According to the mainstream interpretation in China, Article 2 means that the Blocking Rules essentially responses to the so-called secondary sanctions of the US (Miao, 2021; Shang, 2021; W. Xu, 2021). In contrast to primary sanctions that prohibit US companies or citizens from doing business with those being sanctioned,²⁵ secondary sanctions have a much broader scope, covering non-US subjects as well, deterring them from having economic engagements with the sanctioned entities or individuals and therefore are highly controversial (Lowe, 1997; Meagher, 2020, pp. 1005–1006; Meyer, 2008, pp. 926–930). It has been responded to by various third countries adopting blocking statutes to counteract the effects of secondary sanctions. Among them, the EU’s Regulation 2018/1100, which was passed after the resumption of the US sanctions against Iran in 2018, has been closely studied in China. Although China’s Blocking Rules does not explicitly mention the US, its political gesture is, conceivably, to question the legitimacy of unilateral and extraterritorial economic sanctions imposed by the latter, while providing legal tools for Chinese companies that might be affected by those sanctions.

By opposing the US secondary sanctions, the Blocking Rules also produces extraterritorial effects. Article 2 quoted earlier covers the following two scenarios. First, when China (or specific Chinese companies or individuals) is the target of US economic sanctions (as with the recent Hong Kong Autonomy Act), companies of a third country may decide to cut economic relations with certain Chinese companies in or outside China. Second, when a country other than China (e.g., Iran) is targeted by the US sanctions that apply to non-US companies, Chinese companies may decide to close their business in Iran or terminate contracts with certain Iranian entities in China. In both scenarios, transnational business activities are disrupted by secondary sanctions, and if the Chinese government deems the sanctions as violating international law and basic principles of international relations, the blocking measures could be activated to preserve or restore those business activities between Chinese and foreign companies within or outside the Chinese market.

According to the current texts of the Blocking Rules, we can roughly envisage its operationalization in the following way. For example, the US government decides to impose sanctions on Huawei, prohibiting both US companies (e.g., Qualcomm) and non-US companies (e.g., TSMC, which is Taiwanese) from selling semiconductor chips to Huawei. Facing such sanctions, Huawei reports them to a special working body setup by the Chinese government that would assess the relevant sanctions and decide whether to issue a prohibition order of nonrecognition, nonexecution, and noncompliance. Once the prohibition order is issued, TSMC would be prohibited from complying with the US sanctions and hence should continue selling semiconductor chips to Huawei (while Qualcomm would not be impacted by the prohibition order). If TSMC, caught between the US sanctions and the Chinese prohibition order, decides to comply with the former, Huawei can bring a civil lawsuit before a Chinese court against TSMC for compensation, and the Chinese Ministry of Commerce may also issue TSMC a warning or a fine.

In addition to the extraterritorial effects created by “blocking” the extraterritorial reach of foreign legislation or measures, the Blocking Rules has left room for more direct, extraterritorial exercise of the state’s sovereign power. According to Article 12, “necessary countermeasures” could be also taken to respond to “unjustified” extraterritorial application of foreign legislation or measures. This reads similar to provisions in the PIPL and the DSL mentioned earlier. The examples of blacklisting “unreliable entities” and adding technologies to the export control catalog are equally relevant here.

It remains to be seen whether “necessary countermeasures” under the Blocking Rules may also take the form of unilateral sanctions by China against a foreign companies or political regime and whether those sanctions may concern companies or individuals of third countries.²⁶ Similarly, the adoption of the blocking measures provided in the Blocking Rules needs to be specified in practice. Furthermore, given the limited practical effect of the EU’s blocking statutes, one may also wonder if the Chinese Blocking Rules would have real consequences on transnational economic activities and on countries imposing unilateral sanctions. Nevertheless, it suffices to say that at this stage, the Chinese government has demonstrated a clear objective of counterbalancing the extraterritorial reach of foreign regulatory powers through the extension of its own. This objective of counterbalancing, also taking into account the provisions in the PIPL and the DSL discussed earlier, is intrinsically tied to the spatial expansion of China’s cyber sovereignty.

3.3 Analysis: The Integration of Geostrategic Interests into Chinese Cyber Sovereignty

3.3.1 An Increasing Integration between Digital Sovereignty and China’s Geostrategic Interests

The metamorphosis of China’s digital sovereignty can be regarded as both conditioned by and contributing to the so-called “cyber-geopolitics” (An, 2020; Gómez, 2014), by which geopolitical games take a specifically technological turn and data become the main strategic focus. The geopolitical stakes of having extraterritorial power over data and data-related activities and entities become increasingly clear. The examples of countermeasures such as blacklisting foreign companies or imposing export bans discussed earlier demonstrate how the extraterritorial exercise of state power is closely tied to the state’s geostrategic interests in an increasingly hostile international environment. In addition, the conclusion of the RCEP has been widely interpreted through the geopolitical lens as bringing China enormous geopolitical advantages vis-à-vis the US (Carrai, 2021; Gao & Shaffer, 2021). As these (and future) mega trade and investment agreements create pressure for China to develop regulatory frameworks to enhance the global digital economy, they are also geostrategic drivers shaping the evolution of China’s digital sovereignty.

The current cyber-geopolitics that largely started by the trade war with the US has turned into a competition for technological supremacy, as the Huawei sanctions show. The competition for technological supremacy is as much about China’s national pride as about the global market share of Chinese tech companies, for dominating the global market help to guarantee a leading role in technological standard-setting that would in turn reinforce the dominance of Chinese companies and technologies in foreign markets. Insofar as the two approaches toward extraterritoriality discussed earlier can be regarded as tools to facilitate the “going-out” of Chinese companies, we can identify a symbiotic relationship emerging between China’s digital sovereignty and economic interests of Chinese tech companies: the spatial scope of the former is stretched along with where the latter lies.

This connection between the enlargement of private companies’ market share and profits and the extraterritorial spillover of state sovereignty has been examined closely by the scholarship of Marxist and Third World approaches to international law (Anghie, 2007; Chimni, 2017; Parfitt, 2019). From a Marxist perspective, in particular, capital exports are accompanied by capitalist countries’ projection of political and military powers overseas; economic competitions between capitalist countries can therefore lead to political competitions, clashes of spheres of interests, and eventually interimperial rivalries (Knox, 2016, pp. 312–315; Miéville, 2006, pp. 227–230). In this sense, the spatial expansion of China’s digital sovereignty and regulatory power, as both compelled by and supportive of the market growth of Chinese companies abroad (see Chapter 7), can be seen as demonstrating a rising interimperial rivalry of our time.²⁷

Meanwhile, the connection between private economic interests and state sovereignty is particularly pertinent to the Chinese context due to the character of state capitalism that deliberately blurs the line between the public and the private interests. This more explicit merge between the public and the private also makes the notion of “digital sovereignty” intrinsically elastic. This elasticity is further reinforced by President Xi’s holistic approach to national security, pronounced since 2014 (Xi, 2014). According to this holistic notion, national security integrates multiple elements including “political, homeland, military, economic, cultural, social, science and technology, information, ecological, resource and nuclear security,” and has internal and external dimensions. Internally, national security refers to the promotion of development, reform, stability, and safety in China; externally, it refers to the pursuit of peace, cooperation, and mutual benefits with others to build a harmonious world. This all-encompassing notion of national security absorbs China’s geopolitical and geo-economic interests, which are by no means purely external – they are intimately tied to domestic factors and produce enormous impact on the domestic economy and politics (Shang, 2021, p. 76). Under this holistic framework of national security, extraterritoriality has been mobilized to stabilize domestic situations (Y. Wang, 2016, pp. 57–58), to empower Chinese tech companies doing business abroad, and to gain China an upper hand in current geopolitical struggles (He, 2019, p. 95; Shang, 2021, p. 76). Either from a Marxist theoretical perspective of interimperial rivalry or focusing on Chinese characteristics of state capitalism and national security, it is not surprising that the notion of digital sovereignty can evolve in a way that blurs the distinction between not only the public and the private but also the domestic and external, projecting China’s regulatory power outwardly.

3.3.2 Competition and Confrontation through Regulatory Emulation

This spatial expansion of China’s digital sovereignty is obviously conditioned by the international environment that China is subject to. In this respect, it is remarkable that the ongoing “cyber-geopolitics” that China is involved in is partly unfolding through regulatory emulation: as discussed previously, both approaches toward extraterritoriality are considerably influenced by the EU’s and US’s extraterritorial regulations. The connection between geopolitical competition and regulatory emulation is however neither straightforward nor necessary. Putting aside the geopolitical dimension, a more common view in regulation literature is that regulatory emulation can remove regulatory conflicts and contribute to the harmonization of laws (Enriques & Gatti, 2006, p. 961; Lazer, 2006, pp. 460–462; Szyszczak, 2006). For example, the US and the EU, being hegemonic regulatory powers, have created modeling effects that led to a significant degree of global regulatory convergence in many fields, for example, intellectual property, financial regulation, labor, and environment (Braithwaite & Drahos, 2000). Conversely, when sovereigns have “competing regulatory philosophies” (Koh, 2008, p. 16), it has been argued that they can bring about clashes between sovereigns that call for judicial and political solutions. In other words, tensions between regulatory sovereigns are more often associated with regulatory divergence, and emulation is often seen as one way to resolve regulatory conflicts.

However, the above observation gets much more complicated when (geo)political factors come into play. What China’s move toward extraterritoriality by learning from the EU and the US demonstrates is how, in the current geopolitical circumstances, regulatory emulation regarding extraterritoriality can potentially become a tactic by which one polity empowers itself through imitating others to challenge its rivals. This form of regulatory emulation does not solve but rather is likely to perpetuate competitions and even conflicts.

More precisely, the first approach of China’s spatial expansion of digital sovereignty may appear as following and contributing to a nascent trend of global convergence for data regulation – convergence in the sense that more and more states (e.g., Brazil, Australia, Canada) start to legislate extraterritorially and design rules for data transfers while strengthening data protection. However, this ostensible trend of regulatory convergence is not just a positive result of “trading up” by competing regulatory sovereigns (Bradford, 2020, pp. 5–6; Vogel, 1995). Rather, such convergence can also be a form of contestation. Take the example of the GDPR, which is often depicted as bringing the “first mover advantage” to the EU in the global regulatory race on the protection of personal data (Smuha, 2021, p. 74), the dynamics of its Brussels effect is not a unidirectional reception of the GDPR’s model elsewhere that leads to global regulatory harmonization. The fact that other countries are inspired by and draw upon the GDPR at different degrees can be regarded as precisely the way to mitigate the unilateral global reach of the GDPR. Similarly, the PIPL (together with preceding regulatory instruments on personal data protection) can be considered counterbalancing the EU’s role as a global regulatory hegemon.²⁸

As for the second approach, contestations caused by regulatory emulation can be much more serious. China’s emulation, using mainly the EU’s blocking statutes as a model, addresses a particularly confrontational situation, such as secondary sanctions by the US, by reacting with an equally confrontational stance of blocking or retaliation (Huang, Yuan & Hu, 2020). Compared to the contestation in the first approach that still takes place in the broader trend of regulatory convergence, the second approach is explicitly adversarial and may lead to conflict escalation. Given the current international context, the difference between contestations in the first approach and confrontations in the second may likely be more a matter of degree than kind. The slippage between the two situations is reflected by the fact that the PIPL and the DSL contain both approaches. For instance, the respective extraterritorial scopes of the PIPL and the GDPR can create jurisdictional overlaps, which lead to a regulatory contest; this contest may then be turned into a confrontation where both China and the EU pass normative judgments on each other, leading to the adoption of “retaliatory measures” by China.

In brief, regulatory tensions driven by economic interests (or other normative principles) can slip into geopolitical confrontations, and the likelihood of this slippage is significantly amplified by the emerging cyber-geopolitics, especially since the US–China trade war and the COVID-19 outbreak. In turn, the unfolding of geopolitics can involve the instrumentalization of regulations and regulatory emulations by sovereigns. A common call in China for an extraterritorial regulatory regime for data is precisely based on an acknowledgement that such a regime is necessary to support China in the current geopolitical game where cyber/data security and transnational data mobility are two important levers (e.g., Huang, Yuan, & Hu, 2020).

That regulatory emulation may lead to geopolitical competition is discussed in the general context of tensions China has with the West. Outside this particular rubric of “interimperialst rivalry,” what the spatial expansion of China’s digital sovereignty can lead to and how “elastic” the spatial scope of China’s digital sovereignty can be remain open questions. From a normative perspective that values peaceful coexistence of sovereigns, the openness of these questions leaves room for states’ self-restraint and mutual respect and helps to avoid a vortex of tit for tat between rivals. From China’s own perspective, the openness of these questions about sovereignty is related to the difficulties peculiar to China that perceives itself as anti-imperial. More specifically, the spatial expansion of China’s digital sovereignty, accompanied by the development of extraterritorial legal frameworks, stands in ostensible contrast to China’s traditional adherence to the principle of noninterference. The extraterritorial application of Chinese laws necessarily overlaps with and even suspends the jurisdiction of the territorial state. However, given the history of extraterritoriality in China, China has been particularly careful with the wording, avoiding any mention to “治外法权” (the Chinese term for the extraterritorial system created by colonial powers in China since the First Opium War) and sticking to “域外适用” (extraterritorial application, which may sound more technical). This terminological distinction is important for China to not present its expanding regulatory power as imperialist. In addition to the historical factor, there are more practical problems with noninterference. China’s extraterritorial jurisdiction over data or data-related entities abroad may trigger objections based on the principle of noninterference by the territorial state. Conversely, if China conceives of certain exogenous economic interests as part of its sovereignty, as the holistic understanding of national security seems to entail, China will logically have no objection for other states to do the same. This means that in cases such as the US applying the effect doctrine to enforce its antitrust law against Chinese companies, China’s noninterference claims may be undermined by its own exercise of extraterritorial jurisdiction. Essentially, there will be a growing tension between the principle of noninterference and China’s move toward extraterritoriality to regulate data and data-related entities and activities, both deriving from and justified by the idea of state sovereignty. How to make the two mutually compatible is one of the crucial tasks of defining China’s digital sovereignty in an anti-imperialist way. This tension is already displayed in the PIPL and the DSL: while introducing the idea of countering or blocking measures, the two also commit China to international cooperation on data regulation while providing.²⁹

3.4 Conclusions

Focusing on three recent regulatory instruments, this chapter identifies an emerging shift toward increasing extraterritoriality in China’s approach to governing the cyberspace, data, and data-related activities. This shift is more specifically manifested in two ways: first, introducing extraterritorial rules in data-related legislation and second, authorizing counter or blocking measures against extraterritorial legislation or measures of others. This regulatory tendency indicates a more spatially expansive notion of China’s digital sovereignty that evolves in tandem with the growth of profits and global market share of Chinese companies. This more spatially expansive notion also shows the integration of China’s geostrategic interests into the notion of digital sovereignty in current international contexts. Furthermore, this tendency is to a certain degree a result of regulatory emulation with the purpose to counterbalance the unilateral global reach of the EU’s and the US’s regulatory powers.

This tendency toward extraterritoriality is by no means specific to the issue of data governance, since digital sovereignty is closely related to other dimensions of state sovereignty in the Chinese context (keeping in mind also Xi’s holistic notion of national security). Therefore, it is not surprising that a more general move toward extraterritorial governing is being conceived of by the Chinese government. Since 2019, the Chinese government started pushing for the establishment of extraterritorial legal frameworks to expand Chinese law’s applicability through both extraterritorial legislative and enforcement jurisdictions (Xinhua News Agency, 2019, 2020). The intention, therefore, seems to be not only to facilitate the export of Chinese economy but to export Chinese law more specifically. As a Chinese scholar commented, “the export of Chinese capital will lead the export of Chinese law as a soft power” (Shang, 2021, p. 77). This process of projecting a kind of “Beijing Effect” (Erie & Streinz, 2022) is considered mutually supportive with China’s other strategies, such as the Belt and Road Initiative (Shang, 2021, p. 77; K. Xu, 2019, p. 59; Ye, 2020, p. 62).

Despite the increasing motivation and push for extraterritoriality, the expansive notion of digital sovereignty has its own contradictions. As discussed, although China’s shift toward spatial expansion is partly conditioned by current geopolitical relations with its competitors, it remains that this shift is at odds with China’s traditional anti-imperial and anti-hegemonic posture and its emphasis on sovereign equality. This oddity is also seen in the “Chinese approach” to global internet governance. Termed as “building a community with a shared future in cyberspace” (Xi, 2019), the Chinese approach seems to have a universal pitch, but it reaffirms the principle of respecting sovereignty in cyberspace and condemns “cyber hegemony” (Chinese Academy of Social Science et al., 2020, p. 12). How to have a community that is decentered and pluralist is an age-old question, and in the context of this book, this question also involves how to approach diverse, nonstate-centric understandings of digital sovereignty and plural actors claiming digital sovereignty. Yet, a more immediate and practical difficulty for China would be from its own commitment to respecting the sovereignty of other states. As China has traditionally been against the long-arm jurisdiction and unilateralism, how to adapt digital sovereignty to contemporary needs while maintaining internal normative coherence would be a key question.

4 South African Digital Sovereignty at the Crossroad of Securitization and Development

Enrico Calandro

4.1 Introduction

Like many other African countries, South African authorities are designing strategies, policies, and rules and assigning responsibilities to the existing and new agencies to govern emerging digital technologies. Nevertheless, national policy and regulatory directions for the governance of the digital economy and society, on the one hand, are struggling to cope with increasing responsibilities of state actors to protect citizens’ rights to data protection and safety and security online. On the other hand, data protection and cybersecurity measures do not always protect citizens’ rights to privacy, confidentiality, and freedom of expression. Instead, the increasing body of norms, rules, and regulation on the digital space might increase state control over private communications and online censorship. State and nonstate actors are also conscious of the manipulative power of digital communications and have used various digital platforms to launch sophisticated disinformation and misinformation campaigns to manipulate public opinion (Pretorius, 2021). It exposes the many conflicts that arise when different forms of digital sovereignty analyzed in this book – especially state-led, corporate, postcolonial, and individual digital sovereignty – enter in contact.

To anchor the concept of digital sovereignty in South Africa, the study seeks to answer to the following questions: what are South Africa’s national priorities regarding the governance of the digital space? What digital (and offline) processes are impacted? Moreover, to what extent are citizens’ rights to privacy and freedom of expression at risk?

To explore the emerging policy position on digital sovereignty in South Africa within the global geopolitical theater on the governance of cyberspace, the chapter first reviews international processes relevant to understanding digital sovereignty positions of South Africa. It reviews the participation of the country in multilateral organizations, including the UN Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) on ICT state security; Third Committee Resolution on Countering the Use of Information and Communications Technologies for Criminal Purposes; the United Nations Office for Disarmament Affairs (UNODA); Intergovernmental Group of Experts (IGE) on Cybercrime; the World Trade Organization (WTO) processes on e-commerce; and the Moratorium on Customs Duties on Electronic Transmissions. By looking at international multilateral processes, South African stance on digital sovereignty and its quest to construct a state-led form of digital sovereignty are explored as a reaction to power dynamics in the international system of the governance of the internet. Nevertheless, the study looks inward to reflect on the national posture of digital sovereignty by highlighting national positions in international fora dealing with digital policies.¹ More specifically, at a national level, the policy and regulatory response to the platformization of the digital economy (Poell et al., 2019), techno-authoritarianism, and the increase of digital regulation of cyberspace is explored through a critical review of digital policy and regulatory processes related to online content regulation, regulation of bulk surveillance, data policy, and cybercrime. In Section 4.9, the emerging stance of South Africa on digital sovereignty is discussed through the lens of securitization and development.

4.2 South Africa’s Role as a “Digital Swing State” in Global Geopolitical Landscape

Generally speaking, a state-centric approach to digital sovereignty focuses on states’ capacity to exert control on digital infrastructures in their territories and datasets relating to their citizens (Couture & Toupin, 2019). Although it is a broad concept, digital sovereignty can be defined as “the right of a state to govern its network to serve its national interests, the most important of which are security, privacy and commerce” (Lewis, 2020). This definition may not seem too problematic when applied to mature economies and democratic countries capable of boosting their economies through competition policy and economic regulation while upholding human rights online. However, serving national interests and governing national networks might have different connotations in small and emerging economies for many reasons. Although developing countries share similar security, privacy, and economic growth objectives, state organizations in emerging economies are poorly resourced to put in place the necessary policy and regulatory mechanisms to effectively counterbalance anticompetitive behavior in digital markets, predatory data extraction practices, and various cyber risks and cyber threats. Besides, democratic assumptions of freedom of expression² are often perceived as a threat of established political orders. Lastly, digitalization may result in state control over digital lives and citizens’ political positions through misinformation (Pretorius, 2021) and mass surveillance.

In his 1996 Declaration of the Independence of Cyberspace, John Perry Barlow, a proponent of a laissez-faire approach to the internet’s governance, asserted that cyberspace was a new territory that governments should not regulate. Since then, many things have changed. The number of policies and regulatory and legislative initiatives on the governance of the internet has increased dramatically. Different countries and regions have adopted diverging approaches to digital space governance. States have gained greater control of how the internet is used within their borders as a result of growing risks to security and privacy, combined with the erosion of national sovereignty from global connectivity (Lewis, 2020).

Interventions to spur digital competitiveness go beyond regulatory interventions, which can also take the form of new technological standards for digital infrastructure. A growing number of countries discuss plans to recreate national boundaries in cyberspace (Shcherbovich, 2021) through national Domain Name Systems or data localization laws (Lambach, 2019) or by exerting control over their citizens through technology (Shahbaz, 2018). For instance, contrary to the libertarian point of view of Barlow and the multi-stakeholder approach to internet policymaking, there is the recent Chinese proposal to redesign the TCP/IP protocol stack to allow for centralized government control over authentication and internet communication (Gross & Murgia, 2020). Another form of state control over the internet within national borders is shutting down the internet during political elections,³ a practice implemented by authoritarian or even democratic countries.

Politically driven by digital sovereignty and strategic autonomy (Timmers 2020), Europe has found its digital “third way” (Siebert, 2021) by placing itself as a regulatory superpower by setting rules underpinned by civil rights and self-determination, in opposition to the Chinese techno-authoritarianism (Polyakova & Meserole, 2019; Wang, 2021) and the US surveillance capitalism (Zuboff, 2019b). At the end of 2020, the EU launched a significant regulatory initiative (i.e., the Digital Services Act package) and in November 2022, the Digital Services Act and the Digital Markets Act were adopted by the Council of the European Union, intending to increase innovation, growth, and competitiveness in digital markets (European Commission, 2021). As part of its digital strategy, EU is investing in the “development of digital standards and promot[ing] them internationally” (Aggad, 2021). The new Africa–Europe digital economy partnership of the EU–AU digital economy task force, now advocates for the development of “policies and regulation in areas such as telecom[munications], data economy, data protection and privacy, start-up laws, e-commerce and e-government” (Aggad, 2021). Therefore, regulatory convergence on data use is already quietly happening under the umbrella of “technical assistance,” which might have important repercussions on African citizens’ privacy (Aggad, 2021). On the other hand, the US has gained an undisputed leadership over operating systems, social media, and cloud computing platforms, posing regulatory challenges to ownership and control of data and related commercial value (Roberts, 2020). Furthermore, as part of a broader US stated effort to address concerns about cybersecurity and data privacy, particularly regarding China’s role in the global technology and telecommunications industry, the 2017–2021 US Secretary of State Mike Pompeo’s “Clean Network”⁴ program aimed to create a more secure and trusted environment for US technology and data with a particular emphasis on countering perceived threats from the Chinese Communist Party.

In response to the Trump administration’s position against Chinese tech firms defined as national security threats, in September 2020, China announced its most ambitious contribution to international lawmaking on data governance with the Global Initiative on Data Security (WSJ, 2020). This was done on the one hand to attempt to shift control of the data security narrative away from the US, which, according to China’s Foreign Minister Wang Yi, made “groundless accusations” against Chinese tech firms as national security threats and “used security as a pretext to prey on enterprises of other countries who have a competitive edge” (Wang Yi, 2020); and on the other, to set global standards on data security at a multilateral level (Tiezzi, 2020). The Global Initiative on Data Security invites countries to handle data security in a “comprehensive, objective, and evidence-based manner” while emphasizing the importance of a stable supply chain for information, technology, and services. This initiative is also an invitation to all countries to consider other countries’ approaches in managing their data and internet sovereignty (WSJ, 2020). Considering that affordable devices and networking infrastructures with increased accessibility for the majority of Africans are largely sourced from China (Cascais, 2019; Wilson, 2019), it is expected that national technological standards will be anchored in these suppliers that are supporting the closure of the usage gap. These standards will certainly shape African countries industrial policy and, as a result, its capacity of self-determination on digital sovereignty.

In this virtual space of competing positions on regulatory, technological, and industrial standards, many African governments’ plans on digital transformation or on the ambitious Fourth Industrial Revolution (4IR) might increase the reliance of Africa on the US platforms, on regulations modeled after EU, and Chinese networking technologies. African countries are not self-sufficient in terms of technological innovation and development and, like many countries, import a considerable (if not all) portion of these technologies. This high dependence on technological innovation and digital transformation on global powers presents diplomatic challenges (Ndzendze, 2021) for digital sovereignty and self-determination in cyberspace.

Nevertheless, South Africa, as one of the pivotal middle powers in the Global South – together with Brazil, India, Indonesia, Saudi Arabia, and Turkey – stands out as a “swing state” within the BRICS alliance (Kupchan, 2023). This designation positions South Africa in a unique position where it maintains a degree of autonomy and the flexibility to craft its digital policies and navigate complex geopolitical landscapes independently. Unlike nations fully aligned with superpowers, as a “swing state,” South Africa straddles the middle ground, allowing it to influence and even reshape emerging power dynamics (Fontaine & Kliman, 2013). As a middle power, South Africa has seized this opportunity to assert its influence in international relations (Kupchan, 2023). One defining feature of the group of “swing states” is the absence of strong ideological affiliations, setting them apart from previous groupings in the Global South, such as the BRICS. This lack of ideological bonds allows these states to adopt a pragmatic, transactional approach to foreign policy, amplifying their collective impact on the global stage. The intensifying rivalry between the United States and China offers a “swing state” like South Africa opportunities to leverage its positions, as both superpowers seek their alignment. This strategic positioning grants South Africa bargaining power with both the US and China vying for their support. However, digitalization might be an exception, particularly when it comes to foundational technologies such as semiconductors, artificial intelligence, quantum technology, 5G telecommunications, and cloud computing. South Africa is primarily a user of such technologies and therefore may need to make strategic choices between trading with the United States or China, as these domains are subject to rigid competition (Kupchan, 2023).

The following sections explore the South African approach to digital sovereignty and its evolving digital policy posture. I consider its positions in international processes related to cybersecurity and national development with regard to digital policymaking.

4.3 ICT for Development Narrative in National Digital Connectivity Policy

A state-centric approach to digital sovereignty focuses primarily on government strategies and actions to govern digital infrastructures and datasets in their territories. Like many other countries, South African authorities are designing strategies, policies, and rules and assigning responsibilities to the existing and new agencies to govern emerging digital technologies nationally. Differently from mature economies, the international stance of South Africa in the governance of cyberspace does not seem concerned about how to wield cyber power against its rivals (Dunn Cavelty & Egloff, 2019). On the contrary, the country’s political priorities and policy objectives related to the governance of digital infrastructures, at least on official papers, emphasize leveraging digitalization to overcome some of the pressing national challenges such as poverty, unemployment, and inequality. Considering that the narrative on ICT development is predominant across all South Africa’s main digital policy documents, the emerging model of digital sovereignty needs to be understood within the context of the ICT for development narrative.

There is almost undisputed and general understanding that improving connectivity will facilitate growth and development (UNDP 2015; World Bank 2016; WSIS 2018 in Roberts, 2021). The sustainable development goals (SDGs) include a focused approach for increasing use (target 17.8) and access to ICT; provide affordable and universal access to internet in least developed countries (SDG 9c); enhance regional and international cooperation and access to technology and innovation (SDG 17.6); and promote women’s use of ICT for empowerment (target 5b). At an international level and a technical cooperation level, improving internet access and use in Africa⁵ has been one of the main priorities of various UN agencies, whose objectives and goals have been translated in digital policy documents at regional and national levels (Calandro, 2015).

Nationally, the 2013 national broadband policy South Africa Connect (SA Connect) was designed to integrate supply- and demand-side approaches to foster a “dynamic and connected information society and a vibrant knowledge economy that is more inclusive and prosperous.” South Africa Connect gives expression to South Africa’s vision in the National Development Plan (NDP) of eliminating income poverty, decreasing inequality, and enhancing employment opportunities. In the problem statement presented in the broadband policy, reference was made regarding proven relationships between investment in the digital infrastructure and improvements in the overall economy. Furthermore, the document describes how making broadband available at competitive rates fosters an increase in broadband penetration, subsequently linked with job creation and overall economic growth.

Comparable goals are outlined in the National Integrated ICT Policy White Paper, which highlights how ICTs play a fundamental role in enabling the National Development Plan to achieve its goal of constructing a more inclusive society that reduces poverty and inequality. In this regard, ICTs play a transformative role, which is acknowledged in the Vision and Principles Chapter of the ICT White Paper. It emphasizes that “the main purpose of this White Paper is to unlock the potential of ICTs to eliminate poverty and reduce inequality in the country by 2030” (DTPS, 2016, p. 10).

More recently, also the 4IR plan expressed similar ambitions to those expressed in SA Connect and in the ICT White Paper. In the Summary Report & Recommendations presented by the Presidential Commission (January 2020), the South African “triple scourge,” that is, unemployment, poverty, and inequality, are the unequal outcomes of a history of exploitation and exclusion and are recognized as the “Grand Challenges” that the 4IR Commission, the State, and all institutional actors and citizens, in their capacity, have to overcome (Presidential Commission on the Fourth Industrial Revolution, 2020, p. 11). The 4IR and the related institutional arrangements, therefore, are about “contemplating solutions to South Africa’s development challenges” (Presidential Commission on the Fourth Industrial Revolution, 2020, p. 14).

Despite good intentions, policy and regulatory outcomes have been suboptimal. The national telecommunications market remains structured around integrated network and service operators, with two incumbents MTN and Vodacom dominating the mobile telecommunications market with a combined market share of 78% (Research ICT Africa, 2020). Many rural areas are still served by one or both incumbent operators where populations remain unable to benefit from the lower prices of smaller operators. Besides, the fiber-optic market has significantly penetrated only urban areas and the main transmission routes, leaving other areas poorly covered. Therefore, while the top-end market is well served, people with low incomes are paying a premium for low-value products. In addition, the proposed strategy of SA Connect to leverage private and public investments to provide connectivity to public buildings in under-serviced areas failed (Research ICT Africa, 2020). Lastly, the inability to release high-demand spectrum, compounded with the separation of the Ministry of Communications into two in 2014, severely undermined digital policy action and operationalization (Research ICT Africa, 2020).

All in all, while developmental aspirations underpin these national policy documents, they run short in terms of implementation. From a digital sovereignty perspective, there is little recognition of high dependency on digital supply chain and technological standards. Moreover, risks to human security might jeopardize developmental aspirations. The misuse of digital technology as a weapon, compounded with the risk of escalation of developing cyber offensive capabilities in the absence of shared regulation of how states should behave in cyberspace, could have unintended consequences for human security in South Africa (Allen, 2019).

4.4 A Securitization Agenda in Reaction to Cyber Threats

It is well known that in the past few years, and specifically after Snowden’s revelations, digital security has received prominence in political security agendas worldwide (Dunn Cavelty & Egloff, 2021), including Africa. In these agendas, online risks become a security issue not always because threats are objectively measurable as such, but because actors define them as threats in political processes (Buzan et al. 1998, Dunn Cavelty & Egloff, 2021) by using the language as a performative act. The narrative of existential risks, sometimes put forward to justify increasing policy and regulatory measures on cybercrime, is often linked to high political stakes and it is a powerful mobilizer to legitimize extraordinary responses and undemocratic procedures (Dunn Cavelty & Egloff, 2021).

In this sense, cybersecurity measures have increased parallel to growing threats and risks emerging from access and use of digital technologies (Dunn Cavelty & Egloff, 2021). Different actors have used different representations of danger to create or change political, private, social, and commercial understandings of security in selected public spheres (Dunn Cavelty & Egloff, 2021). Within this political arena of problems, risks, and threats, cybersecurity policy is shaped at the intersection of “hypersecuritization,” “everyday security practices,” and “technification” (Dunn Cavelty & Egloff, 2021; Hansen & Nissenbaum, 2009). They do not exclude each other, but they are all present at different times in the cyber-insecurity discourse.

While hypersecuritization refers to the invoking of an imminent status of destruction and existential threats often without linkages to the historical incidents of similar scope, everyday security practices refer to the practice of creating a feeling of insecurity by connecting the hypersecuritization scenarios to the life and experiences of individuals, primarily to ensure compliance and partnership (Dunn Cavelty & Egloff, 2021; Hansen & Nissenbaum 2009). In the technification logic, the technical construction of the cybersecurity discourse is molded by technical knowledge and expert positions that are used to serve a political and normatively neutral agenda (Dunn Cavelty & Egloff, 2021).

In its submission on the Cybercrime and Cybersecurity Bill, Research ICT Africa⁶ (2015) observed that draconian restrictions and regulations on the internet might be the result also of lack of empirical measurements and assessments of cyber threats and cybercrime. Research ICT Africa (2015) noted that to ensure the penalties are aligned with the crime, it is imperative that cyber-threat representations are fully documented as a means of preventing any (over)reactions that are linked with excessive implementation costs and lack of clarity in terms of the benefits (Research ICT Africa, 2015).

Within the South African context, the country adopted a human-centered approach to national security in its 1996 Constitution, distinguishing it from the conventional state-centered approach. As Duncan (2018) observed, in light of South Africa’s history of apartheid, a more refined definition that treats state protection as a higher priority over citizens could lead to a situation in which the government can abuse its power and shield itself from any criticism while simultaneously failing in its objective to address the underlying issues that put society at risk. A human security approach, on the other hand, deals with seven fundamental security threat domains⁷: food security, economic security, health security, personal security, environmental security, political security, and community security (UNDP, 1994). This human-centered approach to national security is perceived to be more democratic than a state-focused approach. However, Duncan highlights the need to put checks and balances in place to prevent excessive levels of scrutiny in aspects of public and private lives (Duncan, 2021). If national security achieves a “freedom from fear and want” (UNDP, 1994), such a broad framework might entail a strategic and operational expansion of intelligence (and, thereby, surveillance) to increasing “insecurities” and risks. As observed in South Africa, discourses related to securitization can serve to legitimize surveillance in ways not unlike the apartheid police state that preceded it (Kuehn, 2018).

4.5 South African Positions on ICT State Security in UN Processes

South Africa has been involved with the UN GGE on advancing responsible state behavior in cyberspace in the context of international security since the beginning in 2004 and 2005, although that process failed to produce a consensus report. Subsequently, it served as the only African representative in the second GGE in 2009 and 2010, and the result of which was a consensus report A/65/201 (2010). It did not take part in the third, fourth, and fifth GGE, but it had a seat in the recently concluded sixth GGE together with Kenya, Mauritius, and Morocco from Africa, and with all BRICS countries, which were all represented in the recent GGE. South Africa has been not only an active member of the GGE but also one of the most active African countries during the substantive meetings of the OEWG, sponsored by the Russian Federation and established with resolution A/RES/73/27 in December 2018.

During these meetings, South Africa suggested several inputs including the consideration of gender disparities in ICT access and use and the recommendation of conceptual and practical clarification on the notion of a “human-centric approach.” It also suggested that exchanges within the Southern African Development Community (SADC) and the AU could effectively function as Confidence Building Measures⁸. In its comments to the predraft of the UN OEWG report, South Africa has expressed concerns about stockpiling of ICT-related vulnerabilities by state actors⁹ and has also called for a “long-term view” that includes binding instruments of international law “to hold Member states accountable and assist in the arbitration of grievances.” In May 2020, at the United Nations Security Council (UNSC) held in an Arria-formula meeting¹⁰ to discuss “cyber stability, conflict prevention, and capacity building,” South Africa expressed concerns about malicious cyber acts aiming at damage or impairing health infrastructure or responses to the COVID-19 crisis (Pytlak, 2020b). Lastly, South Africa abstained on the UN L.8/Rev.1 (UNGA, 2020) on the extension of the mandate of the OEWG for another five years, tabled by Russia at the end of October 2020. During the meeting, South Africa stressed that although it supports the idea of extending the OEWG in general by two years, it would like to focus on the implementation of existing norms instead of developing new ones (Pytlak, 2020a).

From its statements, it is clear South African positions on international law are leaning toward the support for the creation of a new instrument in international law in the form of legally and politically binding norms under the aegis of the UN.¹¹ This is also quite clear in the BRICS context, considering that since the eThekwini Declaration (2013) on Partnership for Development, Integration and Industrialisation, the discussions and initiatives on cyber-BRICS have intensified. BRICS countries have shared common interests and enhanced cooperation in the area of science, technology, and innovation, with the aim of designing a legal framework within which the various areas of this cooperation and partnership can grow and develop (Belli, 2021b). More recently, in September 2021, cybersecurity was a priority at the 13th BRICS summit, when BRICS leaders reiterated their willingness of “advancing practical intra-BRICS cooperation in this domain, including through the implementation of the BRICS Roadmap of Practical Cooperation on ensuring Security in the Use of ICTs and the activities of the BRICS Working Group on Security in the use of ICTs” (BRICS India, 2021, p. 7).

At the same time, during the third substantial meeting of the UN OEWG, South Africa stressed the importance of reaffirming that a universal cybersecurity framework can only be grounded in the existing international law, including the Charter of the United Nations in its entirety, and respect for human rights and fundamental freedoms (DigWatch, 2019). Therefore, it seems that South Africa is cognizant that despite the intention to work (also with BRICS) toward a UN cybersecurity framework, the country is already a signatory of a binding instrument of international law on cybercrime: The Convention on Cybercrime of the Council of Europe (better known as the Budapest Convention). While the two international efforts are not mutually exclusive, the envisaged UN Treaty on cybercrime probably will not create a different framework than the one already established under the Budapest Convention (for South Africa and for any other Budapest Convention’s signatory).

The importance of addressing developmental issues has emerged when South Africa voiced the concern of developing states related to the increasing sophistication of malicious ICTs and the need to bridge the digital and gender divides. South Africa has stated the need to implement existing norms and their role in identifying capacity building and warned of strain on resources (DigWatch, 2021).

The commitment of South Africa in international cybersecurity is evident not only at the UN First level but also at the UNODC level, in particular with the open-ended intergovernmental expert group (IEG) to conduct a comprehensive study on cybercrime.¹² The IEG is a process particularly relevant for South Africa, considering that it has played a diplomatic role as Chair of the Bureau of the IEG. The country has occupied this role since 2011, making its most significant diplomatic stance in 2017 when it facilitated the adoption of a multi-year plan for delegations to interrogate the findings of the draft report on cybercrime matters affecting UNODC Member States.

In 2020, South Africa chaired the sixth session of the IEG on Cybercrime that deliberated on two important issues namely: (1) international cooperation and (2) prevention (UNODC, 2020). This was the last substantive meeting of the IEG, followed by a stocktaking exercise in April 2021 aimed at putting together a list of recommendations for submission to the CCPCJ. This session was also a platform for delegations from the United States (Nemroff, 2018) and its allies to contest Russia-led third committee resolution.¹³ The contestation was to preempt the call of the IEG¹⁴ on active participation of all Member States in the work of the ad hoc committee¹⁵ to develop a new cybercrime convention (UNODC, 2021).

4.6 Promoting Inclusive Development in WTO Processes on Electronic Transmission

Another perspective worth to explore to understand South Africa’s approach to digital sovereignty is the country’s position on electronic international trade. At that level, South Africa and India have argued in favor of suspension of the WTO Moratorium on Electronic Transmission.¹⁶ Both countries have suggested a multilateral dialogue to promote an inclusive development-oriented approach to e-commerce. Such a dialogue, they argue, should include the examination of the challenges experienced by developing countries and least developed countries (LDCs) in relation to e-commerce and explore ways of enhancing the participation of such countries in digital transmissions. They have argued that the Moratorium has several implications for developing countries, including tariff revenue losses, and it has impacts on industrialization, the use of digital technologies such as 3D printing in manufacturing, and the losses of other duties and charges (IISD, 2020).

Since 1998, this Moratorium has been renewed biannually (except for 2003–2005 when the members failed to reach consensus in Cancun). The debate however on whether this Moratorium on custom duties on electronic transmissions should be done away with or made permanent has not been decided upon yet even after 20 years of discussions in the WTO (Roberts, 2020). Tariff revenue losses for South Africa are estimated at USD 37 million using bounded or most favored nation (MFN) duties and USD 25 million when using effectively applied duties (UNCTAD, 2019 in Roberts, 2020). This is due to the fact that South Africa and other developing countries and emerging economies (with the exception of China) are highly dependent on foreign digital networks and services such as telecommunications networks, cloud computing, social networks, and data centers. The bounded duties equal Rand 542 million or 1% of South Africa’s tax revenue in 2017 (Roberts, 2020). Although these might not seem big amounts, the proportion of electronic transmissions in trade is expected to increase with the growth of the digital economy. Therefore, according to Roberts (2020), a permanent moratorium on customs duties essentially means an increasing loss of customs revenue for developing countries because of their position as large and growing net importers of electronic transmissions in trade. Further, the moratorium makes it virtually impossible to rebalance the current dependency on foreign services. Lastly, the Moratorium may impede countries from adopting rules for the access to data and appropriate incentives for transnational investments in local capabilities.

4.7 Emerging National Regulation on Digital Sovereignty

Before delving into some of the policy and regulatory measures adopted to secure network infrastructures and citizens’ data, it is important to contextualize these measures in the worrisome reality of increasing national vulnerability in cyberspace.

4.7.1 Cyber Vulnerabilities

Recent cyber incidents make it clear that South Africa is facing an undoubtedly real wave of unrelenting cyberattacks and incidents, which is affecting many economic sectors. Kaspersky (2023a) has reported that ransomware attacks in South Africa increased by 10% in the second quarter of 2023 in comparison to the first quarter of the same year, as well as phishing attacks, which grew by 7% between 2022 and 2023 (Kaspersky, 2023b). Not only do individuals and consumers fall victims of cybercrimes, but also public and private organizations alike. In the past few years, South Africa experienced a sharp increase in cyberattacks on all fronts that hit banks, internet service providers (ISPs),¹⁷ utilities, and e-commerce platforms (Accenture, 2020), with smaller and less resourced actors being the most vulnerable (Calandro & Berglund, 2021). According to SEACOM (2023), a private operator of Africa’s first broadband submarine cable system along the continent’s Eastern and Southern coasts, South Africa has the highest number of ransomware and email attacks in Africa, with over 220 million email threats detected in 2021, costing the country billions in losses. In 2022, there was a surge in ransomware attacks, including a particularly damaging form of malware called “Agenda,” which targeted healthcare and educational institutions, while the average ransom payout for South African institutions is estimated to be around R3.2 million. Regarding attacks to critical infrastructures, in May 2023, the Development Bank of Southern Africa (DBSA) experienced a ransomware attack by a threat actor believed to be the Russian group Akira (DBSA, 2023). While the extent of the breach is still under investigation, DBSA reported that servers, logfiles, and documents were encrypted and suspects that various categories of stakeholders’ personal information may have been unlawfully accessed or acquired (DBSA, 2023). In 2021, two incidents were particularly concerning. First, in September 2021, the Department of Justice and Constitutional Development’s IT system was interrupted due to a security breach through a ransomware. While all information systems were encrypted and unavailable to the Department’s employees and member of the public, the Office indicated that data was not compromised (Ngqakamba, 2021). Second, Transnet SOC Ltd., South Africa’s port and rail company was attacked with a ransomware that encrypted terabyte of personal data, company files, financial reports, and other documents, forcing the operation to switch to manual processing of cargo (Gallagher & Burkhardt, 2021).

There are many interconnected factors that make South Africa an attractive target by cyber-threat actors. First, many South African internet users are novices and therefore inexperienced and less digitally literate than users in other more developed nations. A significant portion of the South African population is not always able to recognize different kinds of cyberattacks and may unintentionally fall victim of cybercrime. Second, lack of investment in cybersecurity inhibits South Africa’s ability to put in place measures to prevent and mitigate advanced threats. Third, the development, implementation, and adoption processes of policies and mechanisms that combat cybercrimes are lengthy. Fourth, the South African Police Service (SAPS), which is now legally mandated to act against such crimes, lacks cybercrime training and is not knowledgeable in handling cybercrime-related cases (Dlamini & Mbambo, 2019) in addition to not having adequate resources to investigate, detect, and combat cybercrime. Finally, cybersecurity awareness is a challenge as well, increasing the risk of negligent use of ICT among citizens, consumers, public officials, and small and medium enterprises (Dlamini & Mbambo, 2019). These factors do not affect only South Africa, but are common to most countries and are particularly evident in most developing countries.

4.7.2 Data and Cloud Policy

To respond to increasing threats and risks to data security, one of the most significant policy developments indicating a possible emerging approach of South Africa on digital sovereignty is the Draft National Policy on Data and Cloud, published on April 1, 2021 by the Minister of Communications and Digital Technologies. The Draft Policy covers a number of areas such as access to data and cloud services, data protection, localization and cross-border data transfers, and cybersecurity measures. The Draft policy seeks to promote “data sovereignty”¹⁸ and recognizes data as a “tradable commodity” (DCDT, 2021, p. 29) and a critical element for the digital economy, although it does not clearly define what these terms mean. Additionally, while the developmental spirit of the data and cloud policy is clear from its key objectives,¹⁹ the document seems more concerned with how to address the lack of data ownership and control. According to the Draft Policy, most of the data centers and cloud computing infrastructure hosting data generated in South Africa are under foreign ownership.

The developmental spirit of the Draft policy is evident in the inception as it aims at enabling South Africans “to realise the socio-economic value of data” (Department of Communications and Digital Technologies, 2021, p. 13) and to ensure socioeconomic development for inclusiveness. The policy aspires to foster a digital economy that is data driven and data intensive. Explicitly, the Draft Policy places attention on leveraging the socioeconomic value of data through relevant policies and law that support access, reuse, and publication of data while also ensuring adequate privacy, protection, security, and confidentiality in line with the South African Constitution.

From the perspective of securitization, one of the biggest issues associated with this policy concerns the nationalistic elements and government’s heavy control over data. Specifically, the Draft policy attempts to position the government at the center of data ownership,²⁰ control, and distribution in South Africa (Cohen, 2021). It states that “data generated in South Africa shall be the property of South Africa, regardless of where the technology company is domiciled. Government shall act as a trustee for all government data generated within the borders of South Africa.” The plan contains clear characteristics of a state-led approach that will ultimately serve to establish a High-Performance Computing and Data Processing Centre, which will act as a repository for “[all] data generated from South African natural resources [which] shall be co-owned by government and the private sector participant/s whose private funds were used to generate such.”

In its written submission in the response to the draft policy, Research ICT Africa (2021) warned on the positions on sovereignty and localization of the Draft policy, stating that this does not support data flows required to increase trade under the African Continental Free Trade Agreement (AfCFTA),²¹ arguing that in its current form the Draft policy prevents cross-border data flows. The document adopts a Russian approach to data storage in that it describes that a copy has to be maintained within South African borders in addition to storing copies for law enforcement purposes. Nevertheless, it states that citizen data²² may be kept outside South Africa and cross-border transfer can be executed in line with the Protection of Personal Information (POPI) Act. This is markedly distinct from the European Union’s General Data Protection Regulation, which emphasizes the need to maintain data security regardless of where it is stored (Cohen, 2021).

As such, to some extent, the Draft National Policy on Data and Cloud appears to adopt an approach that is relatively different to South Africa’s POPI Act 4 of 2013, which is based on the EU’s personal data protection model, specifically Directive 95/46/EC of the European Parliament and the Council of October 24, 1995. For example, cross-border transfers are not forbidden in South Africa unless they are not aligned with certain requirements, emphasizing the need for adequate legal protection, consent, performance of a contract, or the data subject’s interests or benefit.²³ In this sense, adequacy mechanisms can be seen as a form of data sovereignty that does not preclude cross-border data flow. A data sovereignty’s approach that recognizes adequacy mechanisms does not evoke necessarily data localization, but rather the possibility to transfer personal data freely as long as equivalent jurisdictional guarantees are applied.

4.7.3 Online Content Classification and Emergency Regulation against Disinformation

In the review of the policy posture of South Africa with regard to digital sovereignty, online content regulation provides an example on how state-centric and securitization trends are emerging in the governance of the digital space nationally. The Films and Publications Amendment Act 11 of 2019 (FPAA)²⁴ was highly criticized by human rights observers and termed as the “Internet Censorship Bill” (Mungadze, 2019) as it is overhauled for infringing on freedom of speech. While the objective of the law is to regulate the development, ownership, creation, and distribution of films, publications, and games with the underlying objective of protecting young people from any harmful material, the underlying definition of what is harmful and disturbing is somewhat vague. Its broad lexicon may engender a situation in which constitutional rights to privacy and freedom of expression are infringed (Mungadze, 2019).

In summary, while the Act appears to protect people against revenge porn or fake news and enables them to consult the Film and Publication Board (FPB) for remedy (ITweb, 2017), the Act requires ISPs²⁵ to block access to any sites that host repudiated classification content. After it has been enacted, the FPAA will give the FPB the power to demand that any content that is deemed to be prohibited is taken down. However, the Association of ISP (ISPA) has criticized the amendment on the basis that it goes beyond the FPB’s mandate and creates an environment in which the FPB can censor content as a quasi-governmental department. This would be contrary to the existing arrangements, which give the courts the power to adjudicate defensible limitations to the freedom of expression (Freedom House, 2020).

A further regulation that could impede the rights of freedom of expression is intermediary liability. ISP’s liability was limited by the Electronic Communications Act 2002, which required them to cooperate with takedown notices. However, the existing provisions fail to provide immunity to all forms of communications providers. The takedown process does not provide the individual who uploaded the material the right to argue against any claims. Nor does it allow people to seek recourse for false claims (Comninos, 2012, in Razzano et al., 2020). As such, in practice, the takedown process may represent an indefensible infringement of people’s rights to freedom of expression. One proposed modification, which was designed to address the current lack of appeal process, did not improve the situation; it gave the complainant the right to decide on the validity of the response to the complaint. According to Rens (in Razzano et al., 2020), a notice process may address many issues that arise on notice and takedown. This process would give the intermediary the obligation to share the notice that was received with the subscriber to attempt to strike a balance between the competing interests (Razzano et al., 2020).

In more recent times, false information about COVID-19 spread throughout South Africa via the internet. This false information has impeded the nation’s COVID-19 response (Kazeem, 2020) and provoked the government to put in place emergency regulations in an attempt to fight the “infodemic” (WHO, 2021). Essentially, spreading any false information²⁶ related to COVID-19 became a criminal offense.²⁷ Although the enactment of the regulation resulted in multiple arrests in the early stages of the pandemic, there was no evidence of government abuse of this power (Wild, 2020). Rather, the state collaborated with technology companies and fact-checkers to diminish any proliferation of false information (South African Government, n.d.). The strong response may have helped reduce the spread of hoaxes and rumors concerning COVID-19.

4.7.4 Downsized Mass Surveillance

To supplement the evolving national approach to the regulation of online content, the national regulation of surveillance provides a further case of securitization in the governance of the digital sphere. Surveillance is perceived to be illegitimate or unconstitutional if it fails to sufficiently delineate the process by which an individual is informed that their information has been intercepted or fails to make it clear what processes need to be followed by officials who examine, replicate, share, or sort any data that they access as a result of intercepting communications. In South Africa, the Regulation of Interception of Communications and Provision of Communication Related Information Act (RICA) outlines the legal requirements associated with the interception of communications. Regulation of Interception of Communications and Provision of Communication Related Information Act mandates that communication companies provide interception-capable networks. It also demands that intelligence agencies seek an interception direction (or warrant) from a certified judge prior to performing any type of communication surveillance. However, the Act was endorsed in a rushed response to the global panic observed in the aftermath of the September 11, 2001, terrorist attacks (Duncan, 2021). It has not undergone any modification since that period and has fallen behind any international developments on democratic oversight. The South African Constitutional Court questioned the constitutionality of the RICA in 2019 when it issued a judgment that temporarily halted the country’s foreign signals intelligence (SIGINT) capabilities (Duncan, 2021). In the case of AmaBhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others [2019], the Court, after being informed of mass surveillance by state security entities, ordered: “It is declared that the bulk surveillance activities and foreign signals interception undertaken by the National Communications Centre are unlawful and invalid.” This emerged in the absence of any express empowering legislation to do so. Legislation for mass surveillance needs to take into consideration necessity and proportionality of such a law. However, in light of the nature of proportionality requirements within international law, it is challenging to delineate what is a justifiable and lawful permission for this type of activity (Razzano et al., 2020).

4.7.5 Cybercrime Legislation

From a cybercrime perspective, as observed earlier, it is undisputed that cyberattacks have costed South Africa billions of Rands and that they have posed real risks to the well-functioning of governments, critical infrastructures, and affected confidentiality, integrity, and availability of individuals’ data. That might be the reason why Hlase (2018) observed that due to the need of putting in place appropriate measures to protect information systems and critical infrastructures otherwise vulnerable to infiltration and sabotage, “securitization may be unavoidable” in South Africa (2018, p. 62).

The protracted process associated with establishing jurisdictional clarity on cybercrime concluded in June 2021 when it was passed as law. The President proclaimed that certain sections of the law to commence on December 1, 2021 (Sheik, 2021). As a result of the Cybercrimes Act 19 of 2020, the relationship between law enforcement bodies and electronic communications service providers (ECSPs) has been revamped, leading to the introduction of several new mechanisms for the SAPS to access and to maintain the preservation of any evidence held by ECSPs.

Particularly, Section 54 outlines several reporting obligations and the maintenance of evidence to be imposed on ECSPs and financial institutions, which may help SAPS during the process of any investigations of an offense. However, the Act also specifies that these measures must not be misused to enforce obligations on electronic service providers or financial institutions to monitor any data that the ECSP or financial institution stores or transmits; or proactively seek circumstances or facts that are indicative of unlawful activity.

Despite these positive developments, a challenge associated with the Cybercrime Act concerns the operationalization of the law because resource limitations and competing policy priorities have culminated in a serious lack of personnel who have the skills required to establish defense against cybercrimes (Allen, 2019).

4.8 Discussion

Based on the earlier discussions, it is possible to argue that national policy and regulatory directions for exerting sovereignty in the digital domain in South Africa are informed by developmental aspiration linking digital transformation to socioeconomic development. However, institutional failures due to the delayed implementation of digital policies extensively undermined policy and regulation actions on improving digital connectivity. Besides, existing and newly established state entities are struggling to cope with increasing responsibilities to protect citizens’ rights to privacy, safety, and security online.²⁸ On the other hand, the country is facing an unprecedented wave of cyberattacks and incidents resulting from competing policy priorities and inadequate investment in cybersecurity and, more recently, from criminals capitalizing on COVID-19, which is affecting many economic sectors. From a geopolitical point of view, the high dependence on digital services from the US, technological equipment from China, and regulatory standards from the EU (McKenzie Baker, 2022) place the country also in a position of diplomatic pressure from diverging global powers and different approaches in the governance of the digital realm, undermining self-determination on digital sovereignty.

As a result, securitization trends are permeating an increasing number of areas of digital governance. It can be understood almost as a protectionist reaction to the fear of losing control over national digital assets and the benefits of digitalization. At the same time, however, the increasing use of surveillance and the use of social media for disinformation and misinformation campaigns are expression of the need of exerting control through manipulation of information.

Internationally, at the UN First Committee level, developmental ambitions are expressed in several inputs at the OEWG, those for instance related to the consideration of the digital divide and gender disparities in ICT access and use amid a securitization agenda spurred by increasing threats of cybercrime. The position of vulnerability in cyberspace of South Africa emerged from its concerns on stockpiling of ICT-related vulnerabilities by capable state actors and not by the country’s concerns with growing cyber offensive and defensive capabilities of adversary states.

At the level of international digital trade, South Africa has advocated for an inclusive and development-oriented approach to transnational e-commerce in the WTO process related to the moratorium on electronic transmission. While the ban from imposing customs duties on electronic transmission is perceived as a loss of tariff revenue and duties, in an international digital trade system, developing countries might become rent seekers considering that most of e-commerce would be incoming. Therefore, in addition to advocating for the removal of the ban on tariffs, a bigger effort should be placed on creating favorable conditions for outgoing e-commerce to grow.

Nationally, with the recent Draft National Policy on Data and Cloud, the country took a predominantly state-centric position on data sovereignty, stating that data generated in South Africa shall be the property of South Africa, with the government acting as a trustee for all government data generated within the borders of South Africa. While the ambition of the policy document is to realize the socioeconomic value of data and to ensure socioeconomic development for inclusiveness, the outcome may restrict data flows necessary to increase trade under the AfCFTA. Similarly, the approach to online content regulation is shaped by securitization forces through a state-centric vetting approach for the classification of digitally distributed content. On the other hand, the takedown procedure that gives expression to limited liability for ISPs (Parliament of the Republic of South Africa, 2022) has an impact on the rights of freedom of expression, because it does not provide a right to respond to claims made by a complainant, nor imposes adequate penalties for false claims. More recently, as a result of the infodemic related to disinformation on COVID-19, alongside emerging regulation to fight against the pandemic, disinformation on COVID-19 became a criminal offence. Lastly, practices of mass surveillance by state security agencies have been fought in court, which acknowledged them as unlawful and invalid.

4.9 Concluding Policy Observations

The South African state stance to digital sovereignty is at the intersection of a digital transformation for development and securitization agenda. Nevertheless, in a national context of cyber vulnerability, institutional failure to effectively implement inclusive digital connectivity and transformation policies and lack of personnel, skills, and capacity to deal with increasing cyber threats and cyber risks, balancing the need to securitize elements of the critical infrastructures and to protect data while respecting fundamental rights of privacy and freedom of expression is a major challenge for South African policy makers.

In South Africa, cyber threats and vulnerabilities are growing in parallel with responsibilities of state actors to protect citizens’ rights to privacy, safety, and security online. The public sector response is putting human and constitutional rights under pressure with increasing government control over various elements of the digital infrastructure. To improve developmental outcomes of digitalization while protecting privacy, safety and security online of South Africa citizens, policy options for digital sovereignty should consider elements of proportionality as the most important requirement that must be satisfied in the limitation of human rights. The four major elements of this principle are legitimacy, adequacy, necessity, and proportionality stricto sensu (Anđelković, 2017). At the same time, emerging digital policy regimes on data, cybersecurity, and online content governance should be human-centric to deal with the underlying factors that make society vulnerable, instead of abusing national security narratives to protect state actors from criticism. In this way, self-determination in cyberspace would respect human rights and would promote the human security approach to national security as enshrined in the 1996 Constitution. Lastly, in order to implement a positive digital sovereignty agenda for South Africa, existing digital policy regimes and legislation on data protection and cybercrime should be effectively implemented. This can be done only if the necessary skills and capacity in public sector institutions are in place, so that public authorities can tackle emerging threats and risks, leverage digital transformation for socioeconomic development, while protecting citizens’ rights to privacy and freedom of expression.