Digital sovereignty in uncertain times: Why european companies must act now
The new political realities and their impact on data protection
The change of power in Washington in early 2025 marks a significant turning point for transatlantic data protection relations. The fundamental differences between US and European data protection law are thereby intensified, presenting European companies with new challenges. While the EU has established a comprehensive legal framework with the GDPR that enshrines the protection of personal data as a fundamental right, US data protection is based on a patchwork of sectoral regulations and corporate self-commitments.
Political decisions with far-reaching consequences
This discrepancy has become particularly evident through recent events: On 3rd February 2025, President Trump dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB). This decision has direct implications for the Transatlantic Data Privacy Framework (TADPF), which governs legal data transfer between the EU and the US. The now inquorate supervisory body can no longer fulfil its central task – namely overseeing US intelligence agencies regarding their data protection practices.
Experts warn that this could be just the beginning of a series of measures endangering the entire TADPF. Executive orders, on which the framework is substantially based, could be revoked in the coming weeks. This would particularly affect companies and institutions that currently rely heavily on US cloud services.
Cloud Act and TADPF: The fundamental legal conflict
The legal core of the problem lies in the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) passed in 2018. This US law enables American authorities and intelligence agencies to legally access data stored by US companies – regardless of where in the world this data is physically located. For European companies using services such as AWS, Microsoft 365, or Google Cloud, this specifically means: Even if data is stored in European data centres of American providers, US authorities can access it by invoking the CLOUD Act.
US companies are legally obliged to comply with this access, even if it violates European law. In many cases, the affected European companies may not even be informed about this access ("Gag Orders").
TADPF is not legally binding
This stands in direct contradiction to the GDPR, which demands a high standard of protection for personal data and sets strict requirements for international data transfers. European data protection legislation requires:
- Transparency in data processing
- Purpose limitation of collected data
- Restriction of governmental access possibilities
- Legal remedies for affected individuals
The TADPF was developed to defuse this legal collision by ensuring that US companies offer a level of data protection comparable to the EU. However, it is primarily based on executive orders rather than statutory regulations.
Executive orders vs. laws
This is a crucial weakness of the TADPF. While laws are passed by Congress and can only be changed through new legislation, executive orders are merely instructions from the President to federal agencies. A new President can revoke or alter these at any time – without Congressional approval. This makes the TADPF inherently unstable and vulnerable to political power shifts, as we are experiencing now.
The role of the PCLOB: Guardians without power
The Privacy and Civil Liberties Oversight Board (PCLOB) is an independent agency within the US government that functions as a central pillar of the TADPF. Its main task is to monitor the activities of US intelligence agencies with regard to data protection and civil liberties. The board reviews whether surveillance measures comply with legal requirements and ensures that US authorities adhere to the data protection obligations stipulated in the TADPF. In case of violations, it can report and recommend corrective measures.
However, with the dismissal of three of the five members, the PCLOB is no longer quorate and cannot fulfil its supervisory function. This means that one of the most important guarantees that the TADPF offers to European citizens and companies – namely the independent control of US surveillance – effectively no longer exists. With the weakening of this control mechanism, the entire architecture of the framework is under scrutiny. Data protection activists like Max Schrems are already warning that US cloud services could soon be considered illegal in the EU – similar to the predecessor agreements Safe Harbor (2015) and Privacy Shield (2020) that were overturned by the European Court of Justice.
Illegal overnight: Risks for European companies
With an EU market heavily dependent on US tech giants, companies face significant challenges. The compliance risks are substantial – if the TADPF collapses, data transfers to the US could become illegal overnight, exposing companies to GDPR violations and potential fines. Simultaneously, there is a threat of significant operational disruptions, as forced migration from US services to European alternatives would entail high transition costs and business process disturbances. Furthermore, the continuing CLOUD Act potentially enables unauthorised access to sensitive company data, leading to a fundamental loss of data sovereignty. Last but not least, the political instability regarding US-EU data protection agreements creates ongoing planning uncertainty that significantly complicates long-term strategic decisions.
European and Open-Source alternatives as a solution path
European open-source solutions offer a safe way out of this dilemma. These providers operate entirely under European law and are not subject to the requirements of the US CLOUD Act.
Advantages of European services:
- GDPR compliance: Complete alignment with European data protection standards
- Data sovereignty: Physical and legal control over data within the EU
- Legal certainty: Reduced vulnerability to political changes in the US
- Comprehensive security: Advanced encryption and international security certifications
- Promotion of European technology: Support for Europe's digital sovereignty
Additional benefits of open-source solutions:
- Transparency: Open source code allows checking for backdoors or security vulnerabilities
- Independence: Reduced dependence on individual providers and proprietary formats
- Adaptability: Flexibility in implementing one's own security and data protection measures
- Sustainability: Long-term availability and further development by the community
European providers ensure compliance with European data protection laws and ensure that company data remains securely within the EU – protected from the uncertainties of US legislation.
The time to act is now
With increasing uncertainty surrounding the TADPF, companies should act proactively now. A comprehensive risk assessment is the first step, evaluating the dependence on US cloud services and the associated legal and operational risks. Building on this, it is advisable to develop a gradual migration strategy, beginning with the most sensitive data and critical applications. Legal advice from data protection experts can help understand and implement the specific compliance requirements. When selecting European alternatives, companies should conduct a thorough assessment of the technical capabilities, security measures, and reliability of potential providers to ensure a smooth transition.
Conclusion: Sovereignty as a strategic advantage
Current developments show the vulnerability of European companies that rely on US cloud services. The switch to European and open-source providers is more than a compliance measure – it is a strategic step towards digital sovereignty.
By choosing European providers, companies can not only minimise legal risks but also strengthen the European digital infrastructure. In times of geopolitical tensions, control over one's own data becomes a decisive competitive advantage. Companies that act now are actively shaping a more secure and sovereign digital future.