
With more than 15 years of experience as a lawyer, her role as co-founder of a data protection advisory board and her active participation in proceedings before the European Court of Justice – together with Max Schrems and Thomas Lohninger – Katharina Raabe-Stuppnig is one of the most influential voices in European data protection law. In her law firm in Wickenburggasse in Vienna, she talks about her professional path, the challenges of the GDPR and the growing complexity caused by new EU digital laws.
From Media Law to Data Protection: Expert in Austria
Katharina Raabe-Stuppnig began her career in media law. She advised publishing houses and telecommunications companies on competition law, advertising and media responsibility. The bridge to data protection was almost automatic: “Many clients approached me and said: You know our processes and our balancing of interests – can you also support us with data protection?”
When the GDPR came into force, data protection moved more into the center of corporate reality. Fines in the millions increased the pressure. Companies need clear concepts – and rely on existing partnerships. As a result, data protection law developed from a marginal topic to the central focus of her work.
“My wish would be to strengthen the European economy – through European alternatives. The digital strategy and the Data Act are a step in the right direction. The only question is: Will it come in time?”
Mag. Katharina Raabe-Stuppnig
Data protection as an enabler
Since the introduction of the GDPR in 2018, the need for legal support has increased enormously – and remains high. This is not least because the regulation makes no distinction between large corporations and small companies. All must meet the same standards.
“A functioning data protection management system is a real enabler today,” explains Raabe-Stuppnig. “It gives companies an overview of systems, processes and risks – and forms the basis for optimisation and efficiency increases.”
At the same time, the environment is becoming increasingly complex: New legislation such as NIS-2, the Cyber Resilience Act, the AI Act or the Data Act places additional demands on companies – across all industries. Those who have already created a stable data protection foundation have a clear advantage.
Digital Transformation Strategies
The questions with which companies turn to the law firm today are manifold:
- How does NIS-2 affect me if I am a supplier of critical infrastructure?
- What policies do I need for the AI Act?
- How do I deal with new data access rights according to the Data Act – without jeopardizing the level of data protection I have built up so far?
In addition to legal assessments, strategic questions are playing an increasingly important role: Where are responsibilities to be located in the company? How do you balance compliance, cybersecurity, and innovation? Raabe-Stuppnig and her team support companies not only in implementation, but also in positioning within the new legal framework.
EU vs. USA: Different basic attitudes
A particularly sensitive issue is the use of software from third countries – for example by US hyperscalers. Although there are also data protection laws in the USA, Raabe-Stuppnig said, the protection applies primarily to US citizens. For EU citizens, these regulations are much weaker.
“The problem lies in the weighting: The security interests of the NSA often take precedence over the data protection of non-Americans. The ECJ has already found this disproportionality twice – and thus overturned central principles such as Safe Harbor and Privacy Shield.”
Change in awareness in Europe since 2018
Since the GDPR came into force, awareness in Europe has changed noticeably. Companies today are much more sensitive when it comes to handling personal data. The media attention around data protection rulings and high-profile cases has played a central role in this.
“We have created a gold standard in data protection in Europe,” Raabe-Stuppnig sums up. “And it is gratifying to see how many companies are actively striving not only to meet this standard, but to use it as a competitive advantage.”
What makes data transfer to the USA so sensitive – and what is the legal situation in the EU today?
The data protection debate between the EU and the USA is complex – and above all highly dynamic from a legal point of view. In contrast to countries such as Switzerland, for which a so-called adequacy decision of the EU Commission has been issued, the situation with the USA was and is much more complicated. Such a decision states that personal data may be transferred to a third country because there is a level of data protection comparable to that of the EU. In countries such as China or Russia – and for a long time also in the USA – such a decision was missing.
Data processing in the USA – a legal balancing act
For example, as soon as companies work with data processing service providers in the USA, they must take additional protective measures to maintain the level of data protection required by the GDPR. This means more effort, more obligation to check – and more risk.
A practical example: Even if you choose a server location within the EU for US cloud providers, the problem persists – for example, if the European subsidiary is subordinate to a US parent company. In an emergency, US authorities such as the NSA could demand access to the data – including via an internal chain of command. A server location in the EU reduces the risk, but does not eliminate it completely.
From Safe Harbor to the Data Privacy Framework: A Review
The history of the data protection agreements between the EU and the US reads like a succession of legal setbacks:
- Safe Harbor was the first agreement under which U.S. companies voluntarily committed themselves to certain data protection standards. It was overturned in 2015 by the Schrems I judgment.
- Privacy Shield was the successor – a revised version of Safe Harbor. But this agreement was also declared invalid by the European Court of Justice in 2020 in the Schrems II ruling.
- In response, the Data Privacy Framework came into force, on the basis of which the EU Commission has once again adopted an adequacy decision for the USA.
However, the new decision is once again on shaky foundations.
This is because the Data Privacy Framework is based on an executive order of the US president – i.e. an order that can theoretically be revoked at any time. Critics therefore doubt the long-term stability of this framework. A lawsuit against the adequacy decision has already been filed with the European Court of Justice – the outcome is open.
In addition, the responsible US supervisory authority PCLOB is currently unable to act because three of its five managers have been dismissed by ex-President Trump. The result: great uncertainty as to how stable the data protection mechanism in the USA really is.
How important is the Data Privacy Framework for companies in the EU?
If you plan for the long term and want to focus on data security, you should not blindly rely on the Data Privacy Framework. The legal situation can change quickly – as in the past. Data Transfer Impact Assessments (TIA) require a lot of effort, and violations can result in severe penalties: up to 4% of global annual revenue.
US cloud services are (still) usable – but not without risk
Currently, cloud services from US providers can be used in compliance with data protection regulations, provided that appropriate protective measures such as standard contractual clauses and technical security measures are implemented. But there remains a residual risk. It is particularly problematic that there is still no end-to-end encryption suitable for everyday use for all types of use – for example, in the ongoing processing of data (“data in use”).
The use of US services should therefore always be assessed individually: How sensitive is the processed data? What security measures are being taken? And to what extent is the company actually able to cushion the remaining risks?
Between black and white and realism: How companies should deal with data protection and cloud providers
The question of whether companies should only use software and cloud services of European origin – an “all or nothing” – sounds like a clear stance at first. But this is exactly what data protection expert Katharina Raabe-Stuppnig warns against. Such a principle is not only impractical, but also difficult to justify to authorities. Rather, any decision to use software or cloud services must be made on a case-by-case basis – depending on how sensitive the processed data is and what protective measures can be taken in concrete terms.
Don’t be lulled into a false sense of security – even with the Data Privacy Framework
Another topic that is currently occupying many companies: What happens if the European Court of Justice (ECJ) overturns the new Data Privacy Framework between the EU and the USA – as happened with “Safe Harbor” and “Privacy Shield” before? The answer to this is clear: massive legal uncertainty would arise again. This is precisely why Kargl is already advising companies not to rely exclusively on the framework, but to agree on standard contractual clauses (SCCs) in addition. These should always include a so-called Transfer Impact Assessment (TIA) – i.e. a risk analysis for data transfer to third countries.
But the lawyer also makes it clear: If the Data Privacy Framework were actually to fall and thus the proportionality of data transfer to the USA was fundamentally questioned, TIAs would also reach their limits. Hope then rests on supplementary technical and organizational measures – above all encryption.
Encryption: Aspiration and reality diverge
The data protection authorities and the ECJ are demanding a clear solution from US cloud providers: data should only be stored in encrypted form and the key should be managed outside the provider – ideally in Europe and under the control of the data responsible company or a European trustee. The aim of this so-called “external key management” solution is to ensure that even in the event of access by US authorities such as the NSA, only encrypted, i.e. unusable, data can be passed on.
In practice, however, according to Katharina Raabe-Stuppnig, this type of encryption can only really be implemented for backup data. As soon as data is actively processed in everyday operations, access to unencrypted material is required. This is precisely where the problem lies: The technology that allows complete data processing in an encrypted state currently only exists to a very limited extent – for example, for simple calculations or estimates in specific scenarios. The state of the art is not yet sufficient for the widespread use required in business.
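To make the “external key management” arrangement described above concrete, here is an added illustration that is not part of the interview or of any product mentioned in it. It models a data controller in the EU that holds a key-encryption key (KEK) in its own domain, a cloud provider that only ever receives ciphertext plus a wrapped per-object data key, and a compelled disclosure of everything the provider stores. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus encrypt-then-MAC) so that the block runs with the Python standard library alone; a real deployment would use AES-GCM and a KMS or HSM. The class names, the sample record and the `download` step that decrypts locally are all constructed for the example; that last step is exactly the “data in use” gap the lawyer points to, since processing still needs plaintext somewhere under the controller’s control.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a PRF), used in place of AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered data raises instead of yielding garbage."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ControllerKms:
    """Hypothetical key manager in the controller's (EU) domain; the KEK never leaves it."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return unseal(self._kek, wrapped_dek)


class CloudProvider:
    """Hypothetical storage provider: it stores records but never sees a usable key."""

    def __init__(self) -> None:
        self._objects: dict[str, dict[str, bytes]] = {}

    def put(self, name: str, record: dict[str, bytes]) -> None:
        self._objects[name] = record

    def get(self, name: str) -> dict[str, bytes]:
        return self._objects[name]

    def disclose_everything(self) -> dict[str, dict[str, bytes]]:
        """Everything a compelled disclosure could hand over: ciphertext and wrapped keys only."""
        return dict(self._objects)


def upload(kms: ControllerKms, provider: CloudProvider, name: str, plaintext: bytes) -> dict[str, bytes]:
    """Envelope encryption: fresh data key per object, wrapped by the controller-held KEK."""
    dek = secrets.token_bytes(32)
    record = {"ciphertext": seal(dek, plaintext), "wrapped_dek": kms.wrap(dek)}
    provider.put(name, record)
    return record


def download(kms: ControllerKms, provider: CloudProvider, name: str) -> bytes:
    """Decryption happens in the controller's domain; this is where 'data in use' is exposed."""
    record = provider.get(name)
    dek = kms.unwrap(record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])


def disclosure_contains(provider: CloudProvider, needle: bytes) -> bool:
    """Would a disclosure of the provider's holdings reveal `needle` in the clear?"""
    return any(
        needle in rec["ciphertext"] or needle in rec["wrapped_dek"]
        for rec in provider.disclose_everything().values()
    )


if __name__ == "__main__":
    # Constructed sample record; no real personal data.
    controller = ControllerKms()
    cloud = CloudProvider()
    upload(controller, cloud, "hr/record-0001", b"employee=Example Person; salary=EUR 52000")
    print("provider can read salary:", disclosure_contains(cloud, b"salary=EUR"))
    print("controller round-trip:", download(controller, cloud, "hr/record-0001"))
```

A second `ControllerKms()` instance stands in for any party that does not hold the controller's KEK (the provider, or an authority that obtains the provider's copy): `unwrap` on the stored `wrapped_dek` fails authentication rather than yielding a key, which is the property the authorities and the ECJ are asking for. Backup data fits this pattern well because it is only ever sealed and unsealed; live processing does not, because `download` has to produce plaintext before anything can be computed on it.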
Europe’s Role: Opportunities through the Data Act
Despite these challenges, the lawyer is optimistic about the future: The EU Data Act sets an important course. Cloud providers are to be obliged to enable multicloud strategies, i.e. to support the problem-free switching between providers – without high switching costs. This is an active effort to strengthen European sovereignty in the digital space and to create more alternatives to US hyperscalers in the long term.
The question remains whether Europe will still be able to do this in time to be able to act more independently and securely in the digital space. Nevertheless, Ms. Raabe-Stuppnig is confident: The political will is there – and with targeted funding and regulation, viable European alternatives could soon emerge.
A blanket waiver of third-country solutions is neither practicable nor legally required. Companies must carefully weigh up how sensitive their data is, which partners are suitable – and which protective measures they can implement in concrete terms. Those who already rely on SCCs, TIAs and encryption are not only on the safe side legally, but also strengthen their European position in digital competition.