Under pressure from Trump, agreements on data transfers between the European Union and the United States are once again under strain. Digital sovereignty no longer seems a luxury, but a necessity for European companies. Or is it an illusion?
The Austrian privacy organization noyb spread a striking warning earlier this year. Noyb fears that under Donald Trump’s administration, the data privacy framework between the European Union and the United States is on shaky ground. The collapse of this framework could have major consequences: the use of American cloud services would then be “illegal” according to the letter of European privacy legislation. “Nothing more than Trump’s signature is needed for that”, says Max Schrems during Cybersec Europe in Brussels.
Although it hasn’t come to that yet, the perception of American technology companies is changing more broadly in Europe. This has a lot to do with the often aggressive language and methods of the powerbrokers in Washington. From the political sphere, calls for Europe to become more independent are growing louder, and companies are also reconsidering whom they can entrust their data to. The search for digital sovereignty is breaking loose.
Schrems I, II and III?
Data transfers between the European Union and the United States are regulated through the TADPF (Transatlantic Data Privacy Framework), which has been in effect since the summer of 2023. The framework imposes conditions on American cloud providers such as Google, Microsoft and AWS for processing personal data of their European customers.
The TADPF was from the beginning a fragile compromise, or in Schrems’ words, “a magic trick on paper”. Previous agreements between the EU and the US did not survive. Twice, Schrems was the man who brought down the agreement. In 2015, the Safe Harbor agreement was invalidated, and the Schrems II lawsuit in 2020 meant the end of the EU-US “Privacy Shield”.
The fundamentally different views that Europe and the United States have on data and privacy are difficult to reconcile. Two collective traumas from the past determine this attitude. In Europe, in the aftermath of the Holocaust, the protection of personal data is an acquired right, while in the US since 9/11, government interference in the personal sphere is accepted. Compromises like TADPF are therefore by definition built on shaky ground.
“TADPF has the same limitations as its predecessors. Only the language is a bit clearer. The United States has developed a completely new definition of the concept of ‘proportionality’ to stay out of the prohibited zone of European legislation. As a European company, you’re caught between privacy and surveillance”, says Schrems. A Schrems III lawsuit seems to be only a matter of time.
New Bosses, New Rules
Donald Trump seems to want to work on that in any case. The American president does not shy away from kicking against any shin he doesn’t like. Already in the first days of his second term, he cleaned house in the Privacy and Civil Liberties Oversight Board by throwing out all Democratic magistrates. This committee is supposed to ensure that agreements between the European Union and the US are complied with on the American side.
Which direction it will go is always difficult to say with Trump. So far, the TADPF is still in effect, but Schrems fears that the controlling body has become toothless. As a result, the agreement threatens to become unworkable in the long term, and that could have far-reaching consequences for European companies. Without a legal agreement, data flows between European and American companies are illegal, and therefore the use of American cloud services as well.
“All decisions under Biden can be undone with a simple signature under an Executive Order by Trump. In the case of TADPF, this would affect the entire stack: not only cloud infrastructure but also SaaS services from companies like Salesforce and Meta. It doesn’t seem likely to happen immediately, but it’s not unthinkable”, Schrems warns ominously.
European companies are caught between privacy and surveillance.
Max Schrems, noyb
Not only noyb is concerned. Beltug, the Belgian association of CIOs and digital technology leaders, calls on Belgian companies not to wait until it comes to that. “Compliance is the first of our eleven ‘fair principles’ for the cloud industry, but it’s not always respected because legislation is insufficiently clear,” says Danielle Jacobs, CEO of Beltug.
“Sovereignty is not a new theme, but it’s now coming more to the surface. Data is becoming increasingly valuable. Almost the entire way organizations work is now in the cloud, and companies don’t always have on-premises or local alternatives. The rise of Trump increases uncertainty among companies about whether they still comply with regulations or even fear that their data is no longer safe. This goes far beyond personal data: for companies, a large part of their data is very sensitive.”
European Cloud with an American Flavor
The cloud industry is largely dominated by three American players: Microsoft, Google, and AWS. The hyperscalers are not blind to what’s happening in the European market. They see a commercial opportunity in the demand for digital sovereignty. With local data centers and cloud regions, European companies are wooed with promises that their data will remain on European soil. Those who want to go a step further can subscribe to sovereign cloud services from the providers.
The local presence is particularly emphasized in the current context. “Our sovereign cloud is being built entirely in and for Europe”, we hear from Danielle Gorlick, General Manager for AWS in the Benelux, during a meeting of the cloud giant in Amsterdam. Microsoft, which is about to open a Belgian cloud region, recently renewed its vows to the European Union, and Google will gladly emphasize that it planted its first data centers on European soil fifteen years ago.
Combell, a Belgian provider of web hosting and cloud services, takes such claims with a grain of salt. “Data from European customers may be subject to American legislation that conflicts with the GDPR. The uncertainty this brings leads European companies to look more critically at where their data is located and under which legislation it falls. Local players can guarantee compliance with European legislation”, Combell says in a statement to the editorial team.
Jacobs also looks critically at cloud services promoted as “sovereign”. According to her, it’s important to look at what role the local partner gets in the offering. “The term is vague. It’s not enough that data simply stays in the EU. Even if you’re a European company, the American government can request data if you’re a customer of an American provider. Be critical and ask who owns the encryption keys to ensure your data cannot be requested”.
Stuck in the Cage
The question is whether the European IT industry can move forward without American technology. EuroStack, an initiative for more sovereignty in Europe, sounds the alarm in a report. The “big” three Microsoft, Google, and AWS represent almost seventy percent of the European cloud market. Behind them come IBM, Oracle, and providers from China.
This feeling is also expressed by Flemish Minister-President Matthias Diependaele (N-VA) during his opening speech at Cybersec: “Europe must urgently consider the strategic dependence on a few technological players”. You can probably fill in yourself who he means by those “few players”.
The term “sovereignty” is vague. Be critical of your provider and ask who owns the keys.
Danielle Jacobs, CEO Beltug
Dependence on a provider often has a reinforcing effect. Cloud ecosystems are built in such a way that once you’re in, you can’t easily get out, which is known in the industry as “vendor lock-in”.
“With hyperscalers, everything is smartly integrated. This quickly makes you very dependent, and costs are difficult to predict because prices can be unilaterally changed. But because everything in your IT environment needs to be able to communicate with each other, companies are not inclined to change quickly. Alternative providers can only offer part of it. The switch requires courage because you’re putting your eggs in multiple baskets”, says Jacobs.
“As soon as a company deeply integrates with specific technologies or services within a closed ecosystem, it becomes technically and financially complex to migrate. That’s why it’s essential to choose open, standards-based technologies that guarantee flexibility, such as Kubernetes, from the start. This way, you maintain the ability to switch”, says Combell.
Data Act: a Lifeline?
If you recognize yourself in this situation, it’s not as hopeless as you might think. According to Jacobs, the European Data Act that comes into effect in September is an important step towards dismantling vendor lock-in. The legislation requires cloud service providers to enable an exit within thirty days without charging excessive costs. If the provider can give a good reason why this is not possible within thirty days, there is a maximum limit of six months.
“Retrieving your data can cost a lot of money and time. Only five percent of cloud contracts today have an ‘exit clause’. The Data Act makes switching or exiting cheaper by eliminating costs charged for returning data. Companies thus regain more control over their data. It’s a step in the right direction, but there must then be alternatives”, says Jacobs. Does the Data Act pave the way for digital independence?