“Those who only see data protection as a duty will be at a disadvantage in future”

Press release September 2025

Agnieszka Grzybek

Last modified: March 26, 2026

Data protection expert Raabe-Stuppnig warns of strategic blind spots

Vienna, September 2025: As Europe prepares for the next wave of digital regulations, experts are warning of strategic risks. In an interview with Dr. Fabian Knirsch, data protection expert and co-founder of sproof GmbH, Katharina Raabe-Stuppnig – renowned data protection lawyer and long-time companion of Max Schrems before the European Court of Justice – analyzes current risks and new regulatory developments in the European digital space.

GDPR as a basis: new EU laws on the horizon

The GDPR has been the gold standard since 2018. But now comes the next wave of regulations: AI Act, NIS-2, Cyber Resilience Act, Data Act. “All of these rules are based on a functioning data protection system,” explains Raabe-Stuppnig. Companies that don’t have this will fall behind – both legally and economically. This new legislation is tightening the requirements for companies – across all sectors. The central challenge is to reconcile legal requirements, technical security and the ability to innovate.

Data transfer to the USA: trust is not a strategy

Despite the adequacy decision, data transfer to the USA remains fragile. “The framework is based on a political decree – it could be history again tomorrow,” warns Raabe-Stuppnig. A lawsuit against the agreement is already pending. The US supervisory authority PCLOB – responsible for monitoring government surveillance measures – is currently unable to function properly: Several management positions are vacant after US President Donald Trump fired three of the five people in charge. As a result, important data protection mechanisms on which the Data Privacy Framework is based are de facto blocked.

Encryption: Aspiration and reality diverge

Particularly tricky: Even with server locations in the EU, access by US authorities cannot be ruled out – for example via parent companies. European authorities require external key management solutions that guarantee control over encryption. “This type of encryption usually only works for backup data,” explains Raabe-Stuppnig. “The necessary technology is often lacking for operational systems.”

European alternatives: The Data Act as a beacon of hope

A recent ruling by the International Criminal Court shows just how urgently such alternatives are needed: Microsoft refused to hand over emails in international proceedings – based on US legislation. For many, this is a warning signal: without digital independence, there is not only a threat of compliance risks, but also restrictions on democratic jurisdiction and the state’s ability to act.

Despite these uncertainties, Raabe-Stuppnig is optimistic about the future. She sees the EU Data Act as a key lever for greater digital sovereignty. Multicloud strategies are to be promoted, switching providers made easier and switching costs reduced. “We need European alternatives – and we need them now,” she says. “With targeted support, we can create real competition for the US hyperscalers.”

The good news is that some EU countries are already taking action. Denmark, for example, is gradually abandoning US cloud solutions in favor of secure EU open source solutions.

Conclusion: Data protection as a strategic element

The debate shows: Data protection is no longer just a compliance issue, but a strategic element of digital competitiveness. Companies that secure their data processes in a structured and forward-looking manner not only strengthen their legal framework, but also their market position.

Podcast tip:
The complete discussion with Katharina Raabe-Stuppnig is available in the sproof podcast: https://open.spotify.com/show/4KuGms2KGAXBTbiPo1taUx

The discussion with Katharina Raabe-Stuppnig offers valuable insights into the interface between law, technology and politics – with the aim of providing orientation in the European digital space.

About Katharina Raabe-Stuppnig
Katharina Raabe-Stuppnig is a lawyer with over 15 years of experience in data protection, media and IT law. She is co-founder of a data protection advisory board, is involved in landmark proceedings before the European Court of Justice – alongside Max Schrems, among others – and advises companies strategically on the implementation of European digital laws. Her law firm in Vienna is one of the most sought-after points of contact for practice-oriented data protection at the highest legal level.
