With more than 15 years of experience as a lawyer, her role as co-founder of a data protection advisory board and her active participation in proceedings before the European Court of Justice - together with Max Schrems and Thomas Lohninger - Katharina Raabe-Stuppnig is one of the most influential voices in European data protection law. At her law firm on Wickenburggasse in Vienna, she talks about her career path, the challenges of the GDPR and the growing complexity of new EU digital laws.
Portrait

Katharina Raabe-Stuppnig, attorney at law
From media law to data protection: expert in Austria
Katharina Raabe-Stuppnig began her career in media law. She advised publishing houses and telecommunications companies on issues of competition law, advertising and media responsibility. The bridge to data protection came about almost automatically: "Many clients approached me and said: You know our processes and our balancing of interests - can you also support us with data protection?"
When the GDPR came into force, data protection moved more into the center of corporate reality. Fines in the millions increased the pressure. Companies needed clear concepts - and relied on existing partnerships. As a result, data protection law evolved from a peripheral issue to the central focus of their activities.
"My wish would be to strengthen the European economy - through European alternatives. The digital strategy and the Data Act are heading in the right direction. The only question is: will it come in time?"
Mag. Katharina Raabe-Stuppnig
Data protection as an enabler
Since the introduction of the GDPR in 2018, the need for legal support has increased enormously - and remains high. This is not least due to the fact that the regulation makes no distinction between large corporations and small companies. Everyone must meet the same standards.
"A functioning data protection management system is a real enabler today," explains Raabe-Stuppnig. "It provides companies with an overview of systems, processes and risks - and forms the basis for optimization and increased efficiency."
At the same time, the environment is becoming increasingly complex: new legislation such as NIS-2, the Cyber Resilience Act, the AI Act and the Data Act are placing additional demands on companies - across all industries. Those who have already created a stable data protection foundation now have a clear advantage.
Strategies for the digital transformation
The questions that companies turn to the law firm with today are manifold:
How does NIS-2 affect me if I am a supplier of critical infrastructure?
What policies do I need for the AI Act?
How do I deal with new data access rights under the Data Act - without jeopardizing the level of data protection I have built up so far?
In addition to legal assessments, strategic questions are playing an increasingly important role: Where should responsibilities be assigned within the company? How can compliance, cyber security and the ability to innovate be reconciled? Raabe-Stuppnig and her team support companies not only with implementation, but also with positioning themselves within the new legal framework.
EU vs. USA: Different basic attitudes
The use of software from third countries - for example by US hyperscalers - is a particularly sensitive issue. Although there are also data protection laws in the US, Raabe-Stuppnig explains, the protection primarily applies to US citizens. These regulations are significantly weaker for EU citizens.
"The problem lies in the weighting: the security interests of the NSA often take precedence over the data protection of non-Americans. The ECJ has already found this disproportionality twice - and thus overturned central principles such as Safe Harbor and Privacy Shield."
Change in awareness in Europe since 2018
Awareness in Europe has changed noticeably since the GDPR came into force. Companies are now much more sensitive when handling personal data. The media attention surrounding data protection judgments and prominent cases has played a key role in this.
"We have created a gold standard for data protection in Europe," summarizes Raabe-Stuppnig. "And it is pleasing to see how many companies are actively striving not only to meet this standard, but to use it as a competitive advantage."
What makes data transfer to the USA so sensitive - and what is the legal situation in the EU today?
The data protection debate between the EU and the USA is complex - and, above all, highly dynamic in legal terms. In contrast to countries such as Switzerland, for which the EU Commission has issued a so-called adequacy decision, the situation in the USA was and is much more complicated. Such a decision states that personal data may be transferred to a third country because the level of data protection there is comparable to that in the EU. In countries such as China or Russia - and for a long time in the USA too - there was no such decision.
Data processing in the USA - a legal balancing act
As soon as companies work with service providers for data processing in the USA, for example, they must take additional protective measures to maintain the level of data protection required by the GDPR. This means more effort, more auditing obligations - and more risk.
A practical example: even if you choose a server location within the EU for a US cloud provider, the problem remains - for example, if the European subsidiary is under the control of a US parent company. If it comes to that, US authorities such as the NSA could demand access to the data - even via an internal chain of command. A server location in the EU reduces the risk, but does not completely eliminate it.
From Safe Harbor to the Data Privacy Framework: A look back
The history of data protection agreements between the EU and the US reads like a series of legal setbacks:
Safe Harbor was the first agreement to impose certain data protection standards on US companies on a voluntary basis. It was repealed in 2015 by the Schrems I judgment.
Privacy Shield was the successor - a revised version of Safe Harbor. However, this agreement was also declared invalid by the European Court of Justice in the Schrems II ruling in 2020.
In response, the Data Privacy Framework came into force, on the basis of which the EU Commission once again adopted an adequacy decision for the USA.
However, the new decision is once again based on shaky foundations
This is because the Data Privacy Framework is based on an executive order from the US President - in other words, an order that can theoretically be revoked at any time. Critics therefore doubt the long-term stability of this framework. A lawsuit against the adequacy decision has already been filed with the European Court of Justice - the outcome is open.
In addition, the responsible US supervisory authority, the PCLOB, is currently unable to act because three of its five directors were dismissed by former President Trump. The result: great uncertainty as to how stable the data protection mechanism in the USA really is.
How important is the Data Privacy Framework for companies in the EU?
If you are planning for the long term and want to focus on data security, you should not blindly rely on the Data Privacy Framework. As in the past, the legal situation can change quickly. The cost of Data Transfer Impact Assessments (TIA) is high, and violations can result in severe penalties of up to 4% of annual global turnover.
US cloud services are (still) usable - but not without risk
Cloud services from US providers can currently be used in compliance with data protection regulations, provided appropriate protective measures such as standard contractual clauses and technical security measures are implemented. But there is still a residual risk. It is particularly problematic that there is still no end-to-end encryption suitable for everyday use for all types of use - for example, for the ongoing processing of data ("data in use").
The use of US services should therefore always be assessed on an individual basis: How sensitive is the data being processed? What security measures are taken? And to what extent is the company actually able to mitigate risks?
Between black and white and realism: how companies should deal with data protection and cloud providers
The question of whether companies should only use software and cloud services of European origin - an "all or nothing" approach - sounds like a clear stance at first glance. But this is precisely what data protection expert Katharina Raabe-Stuppnig warns against. Such a principle is not only impractical, but also difficult to justify to the authorities. Instead, every decision on the use of software or cloud services must be made on a case-by-case basis - depending on how sensitive the processed data is and what specific protective measures can be taken.
Don't be lulled into a false sense of security - even with Privacy Framework
Another topic that is currently preoccupying many companies: What happens if the European Court of Justice (ECJ) overturns the new Data Privacy Framework between the EU and the USA - as it has previously done with "Safe Harbor" and "Privacy Shield"? The answer is clear: massive legal uncertainty would arise once again. This is precisely why Kargl is already advising companies not to rely solely on the framework, but to agree additional standard contractual clauses (SCCs). These should always include a transfer impact assessment (TIA) - i.e. a risk analysis for data transfer to third countries.
However, the lawyer also makes it clear that should the Data Privacy Framework actually fall and the proportionality of data transfer to the USA be fundamentally called into question, TIAs would also reach their limits. The hope then rests on supplementary technical and organizational measures - above all encryption.
Encryption: claim and reality diverge
The data protection authorities and the ECJ demand a clear solution from US cloud providers: data should only be stored in encrypted form and the key should be managed outside the provider - ideally in Europe and under the control of the company responsible for the data or a European trustee. The aim of this so-called "external key management" solution is to ensure that even in the event of access by US authorities such as the NSA, only encrypted, i.e. unusable, data can be passed on.
In practice, however, according to Katharina Raabe-Stuppnig, this type of encryption can only really be implemented for backup data. As soon as data is actively processed in everyday life, access to unencrypted material is required. This is precisely where the problem lies: the technology that allows complete data processing in an encrypted state currently only exists to a very limited extent - for simple calculations or estimates in specific scenarios, for example. The state of the art is not yet sufficient for widespread use, as is required in business.
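The "external key management" model described above, as an added illustration in Go (not code from the article or the law firm): the provider stores only AES-256-GCM ciphertext under a key that stays with an EU-side key holder, so a hand-over yields unreadable blobs, while any actual processing (here a keyword search) has to decrypt first. KeyHolder, Provider and the record are hypothetical constructions for this example, not any product's API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyHolder models key management kept outside the cloud provider; it wraps a
// 32-byte AES-256-GCM key that never leaves it (hypothetical, not a product API).
type KeyHolder struct{ aead cipher.AEAD }

func NewKeyHolder(key []byte) (*KeyHolder, error) {
	block, err := aes.NewCipher(key) // fails for anything but a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &KeyHolder{aead: aead}, err
}
// Seal encrypts a record before it goes to the provider (random nonce prefixed).
func (k *KeyHolder) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, k.aead.Seal(nil, nonce, plaintext, nil)...), nil
}
// Open decrypts and authenticates a blob; tampering or a wrong key fails loudly.
func (k *KeyHolder) Open(blob []byte) ([]byte, error) {
	if n := k.aead.NonceSize(); len(blob) >= n {
		return k.aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Provider models third-country storage: it only ever holds ciphertext, so a compelled hand-over yields only these blobs.
type Provider map[string][]byte
// SearchCiphertext is the "data in use" limit: without the key the provider cannot even match a keyword.
func (p Provider) SearchCiphertext(id, word string) bool {
	return bytes.Contains(p[id], []byte(word))
}
// SearchWithKey runs the same query where the key lives: it decrypts first, so processing happens on plaintext.
func SearchWithKey(p Provider, k *KeyHolder, id, word string) (bool, error) {
	pt, err := k.Open(p[id])
	if err != nil {
		return false, err
	}
	return bytes.Contains(pt, []byte(word)), nil
}
```

The same pattern is why the article limits this to backup data: the moment a query has to run, the plaintext exists again wherever the key is used.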
The role of Europe: opportunities through the Data Act
Despite these challenges, the lawyer is optimistic about the future: the EU Data Act will set an important course. Cloud providers are to be obliged to enable multicloud strategies, i.e. to support easy switching between providers - without high switching costs. This is an active effort to strengthen European sovereignty in the digital space and create more alternatives to US hyperscalers in the long term.
The question remains as to whether Europe will be able to act more independently and securely in the digital space in time. Ms. Raabe-Stuppnig is nevertheless confident: "The political will is there - and with targeted support and regulation, viable European alternatives could soon emerge."
A blanket renunciation of third-country solutions is neither practicable nor legally required. Companies need to carefully weigh up how sensitive their data is, which partners are suitable - and which specific protective measures they can implement. Those who already rely on SCCs, TIAs and encryption are not only on the safe side legally, but also strengthen Europe's position in the digital competition.