Digital Sovereignty

In practice, digital sovereignty comes into play in the relation between universities and private companies that deliver services. One of the persistent fears among universities is that they will be locked into certain solutions (vendor lock-in). This could be due to the technical standards used by one provider, which are not open and cannot be transferred to a new provider. Changing services could become unpractical, especially if universities use an ecosystem of services from one company that is not compatible with services provided by another. Generally, these solutions based on big technology companies offer limited interoperability. These services fit well together as a working ecosystem, and they guarantee a high level of maintenance and security, but if a university chooses to exchange one of these programmes, there is a risk that it will not work as smoothly with the rest, at best making work complicated. Working with one ecosystem of a large technology company also can restrict the clients that students and staff can use: using Microsoft exchange emails, for example, works best in the Outlook apps for desktop and mobile. Using services from Google (for example, Google Drive, Google Docs and calendar) works best when the user has an account for all Google services. For these and other reasons, universities often have the experience that while big technology companies offer the benefits of efficiency and security, this comes at the cost of digital sovereignty.

Control of data is another important issue in the discussion. The European regulation on privacy, as set out in the GDPR, should prevent companies from storing data for purposes that users have not given specific consent to. However, there is not always a relation of trust between European universities and large technology companies. With the possibilities of tracking and monitoring users of, for example, online videoconference software or generative artificial intelligence like ChatGPT, universities must be sure that they can guarantee the privacy of students and staff and compliance with regulation. There is also a fear that higher education gets entangled in the wider data economy, where data about the behaviour of learners is quickly commodified, which some fear could lead to commercialisation of higher education.

The concept of digital sovereignty has also been used in the context of research data and open science. There are concerns about the commodification of  research articles, where publishers take ownership of research results and sell them back to universities. Here, the concerns are not only regarding the research data but also data that reveals authorship, publishing patterns, cooperations and the like. This metadata is valuable for university strategies, for example to see where and with whom researchers publish globally. Much of this information is in private hands and must be bought from entities such as big publishers. At the same time, universities are increasingly recognising the need to reclaim and keep control of the data generated by their educational and research activities in their relations with commercial providers and scholarly publishers. In this context, initiatives such as Plan S Rights Retention Strategy support universities and their researchers in retaining their intellectual property rights, enabling authors to retain sufficient intellectual ownership rights of their work and the data generated by their research.

The practical steps and pathway towards realising digital sovereignty can take different shapes. In the Netherlands, where the concept of digital sovereignty and push to achieve this is, perhaps, strongest, the solution has very much been about dialogue with private providers as well as clear regulation and procurement. The logic is that the market might have other values than those of the public sector, but the public sector can regulate the market to protect its values. SURF, the organisation that manages procurement for universities in the Netherlands, developed the Values Compass in part so that it could be used as a tool in procurement processes and set clear standards for private providers. The Netherlands has also put great effort into making big technology companies comply with GDPR.

A more radical solution to digital sovereignty would be that universities develop their own solutions based on a common developer community and open-source software. This strategy is difficult within one institution, but there are successful examples of universities joining forces at the system level to create their own solutions. In Germany, for example, this is done by creating an open-source ecosystem in Lower Saxony (Hochschule.digital Niedersachsen) or through developing specific solutions through a non-profit organisation run by universities (HIS-eG). This direction of thought also puts great weight on self-hosting or using public cloud infrastructure rather than depending on private cloud providers.

The ambitions to be a digitally sovereign university comes with trade-offs in practice. Often, large technology companies provide solutions that are immediately workable on the scale needed by universities. One of the experiences from the Covid pandemic was that private companies such as Zoom were able to grow quickly enough to manage the emergency. Also, the lack of full interoperability in the products of big software companies makes it difficult to change to products with open standards. Importantly, many universities feel that they cannot responsibly rely completely on self-hosting in terms of guaranteeing security. Nevertheless, universities can aim at preserving digital sovereignty by defining the areas where it does not make compromises on solutions, or by being very precise in the requirements in the procurement process with large providers.