Data sovereignty in Europe: What businesses need to know to stay compliant

As Europe continues to advocate for full data sovereignty, there are growing concerns about the role that non-EU technology companies play with regard to the safety of EU citizens' data, and the ability of national and EU regulators to enforce local laws. The policies and legislation that are being developed to address the issue are aimed at enforcing data localization to decentralize the geo-landscape of data storage and prevent concentrating too much power in the hands of global tech giants.

With the coronavirus pandemic overwhelming Europe in 2020, European legislators concentrated their efforts on defining a new roadmap and regulations to achieve data sovereignty. With the services provided by companies like Microsoft, Amazon, and Meta becoming essential for business operations and social life continuity, the need for not only stricter policies, but higher attention to their enforcement accelerated. 

As of 2021, 71% of European firms transferred data to non-EU countries for data processing. The European Commission has explicitly stated its concerns about the lack of compliance that global tech enterprises demonstrated with regard to EU values and regulations on data collection, processing, and cross-border transfer.

On 7 December 2022, the Conference of the Independent Data Protection Authorities of Germany (DSK) issued a detailed report summarizing the results of a Microsoft 365 audit. The key takeaway from the document is the DSK’s conclusion that the software violates data protection law as set out in Art. 5 (2) General Data Protection Regulation (GDPR), which led to a formal restriction of Microsoft 365 use in educational institutions. 

In parallel to the events in Germany, a similar situation was unraveling in France. On 15 November, the French Ministry of National Education issued a statement that put an end to the use of Microsoft 365 by students in educational institutions. The reasons mirrored the German case, with a strong emphasis on the breach of GDPR provisions, the Schrems II judgment of the ECJ, as well as France’s internal doctrines.

Microsoft is not the first company to incur GDPR violations due to its privacy and data security policies. In 2021, WhatsApp faced a €225 million GDPR fine caused by inadequate disclosure of its data processing procedures in its privacy policy. A year later, Meta found itself in a comparable scenario, with a €17 million fine from the Irish Data Protection Commission (DPC) for failing to demonstrate the security measures it had put in place to protect EU users' data.

In a nutshell, there are three major issues here:

• Data localization – EU legislation calls for local data storage;
• Data sovereignty – companies using the software in Europe must have full ownership of user data, preventing unauthorized disclosure to US authorities;
• Minors’ data protection – GDPR calls for transparent retention and deletion policies with regard to the records of individuals under 18 years of age.

Even though popular business communication apps like WhatsApp and Microsoft Teams offer advanced security measures, such as end-to-end encryption, data sovereignty is not guaranteed as companies continue to be subject to US laws. This means organizations in countries outside the US have no full control over their data when employing third-party solutions.

Offering data residency in a few selected regions does not necessarily ensure data sovereignty. A US-based company can be compelled to release client information by way of a subpoena from state or federal authorities. Additionally, US legislation grants authorities the power to access the data stored by US companies, regardless of where that data is physically located. This applies to all major technology vendors, which suggests these companies' protective capabilities may be limited due to their obligation to comply with such requests.

Business communications, much like cloud services, are largely dominated by US technology companies. For instance, Microsoft Teams has a significant market share with 270 million daily active users as of 2022. Workspace messaging platform Slack, which is now owned by US-based Salesforce, has 10 million users connecting to it on a daily basis for an average of 9 hours. Meanwhile, WhatsApp, owned by Meta, has an overwhelming 2 billion users, with over 100 billion messages exchanged on the platform every day.

In addition to being owned by US companies, Teams, Slack, and WhatsApp also have similar characteristics in terms of encryption. They all offer encryption to secure user communications, however, the encryption keys are owned and controlled by the vendors. This creates potential issues for data sovereignty and privacy. In the event of a vendor suffering a data breach, their encryption keys could be exposed. Additionally, if US authorities issue a subpoena under the US CLOUD Act to release an encryption key, the vendor must comply, even if the key belongs to an EU-based company.

Slack is another example of a communication platform that may present compliance issues for end users. At the moment, Business+ subscribers can choose from eight available data residency options (Germany, France, Japan, India, Korea, Australia, the UK, and Canada). However, Slack indicates that specific data categories, such as member profiles and analytics data, may still be processed and stored in regions outside the country selected by the customer. This means that while Slack supports selected data residency options, it cannot guarantee full compliance with all EU laws.

To keep up with Europe’s data sovereignty roadmap, it is essential that organizations maintain control over their digital assets, ensuring ownership of encryption keys and enforceable data localization. To achieve this, companies need to rethink the way in which they handle data storage, processing, and transmission. With increasing threats to information security and privacy, and big tech companies holding all the cards, it is crucial for businesses to regain control and visibility over their data assets.