What Europe’s data protection laws mean for business communications
Even though GDPR came into effect in 2018, compliance challenges persist in the rapidly evolving world of business communications.
Comprising hundreds of pages, the General Data Protection Regulation (GDPR) is one of the toughest information privacy and security laws in the world. Moreover, it imposes obligations on organizations all over the globe, so long as they collect, process, or store data pertaining to citizens of the EU. With penalties for violations occasionally reaching millions of euros, it is vital that organizations pay close attention to their use of third-party software. However, GDPR is itself just the tip of the iceberg when it comes to data protection.
On top of this is the growing concern across the 27-member bloc that citizens and businesses alike are gradually losing control of their data. This is largely because the majority of data belonging to EU citizens and businesses ultimately falls under US jurisdiction, simply because that is where most of the world’s biggest tech companies are based. Digital sovereignty has therefore become a top priority for EU decision makers.
Digital sovereignty ultimately means keeping all data within the jurisdiction of the people and organizations it pertains to. In other words, that means keeping all European data in Europe and, therefore, fully under the control of European regulations and subject to processing and storage by European companies. In February 2022, the European Commission published the first draft of its proposed Data Act, which intends to shift control over EU data back to the EU.
On a geopolitical basis, the primary goal of digital sovereignty is to protect data from foreign government surveillance, as well as to support local tech industries and move away from the dominance of leading US tech companies. In some ways, the proposed EU Data Act can be viewed as a response to the US Cloud Act. Digital sovereignty and data protection are nonetheless interlinked, since both aim to give people more control over their data. The laws, both existing and expected, apply to all personally identifiable information (PII).
While digital sovereignty does not necessarily entail having all EU data physically stored on EU servers, it does mean that the data must be wholly inaccessible to entities outside of the EU. As such, any data stored outside the bloc not only needs to be adequately encrypted – the encryption keys must also be owned and controlled exclusively by the owner of the data.
Business communications are becoming a compliance minefield
Like cloud infrastructure, business communications are dominated by US tech giants. Microsoft Teams has one of the biggest market shares in its sector, reaching 145 million daily active users by the middle of 2021. Workspace messaging platform Slack, which is now owned by the US software giant Salesforce, has 10 million users. WhatsApp, owned by Meta (formerly Facebook), has a staggering two billion users, including more than 5 million business users.
Aside from being owned by US-based companies, Teams, Slack, and WhatsApp also share some other important characteristics. For example, they all provide encryption to keep user communications secure. The only problem is that the encryption keys are owned and ultimately controlled by their vendors. This presents two potential problems with regard to digital sovereignty and data privacy. Firstly, in the admittedly unlikely event that the vendor were to suffer a major data breach, its customers’ encryption keys could be left exposed. Secondly, if a vendor were to receive a subpoena from a court of law to release an encryption key, it would have to comply – even if the encryption key supposedly belongs to an EU company. Given that European governments want to protect their citizens from the prying eyes of the US authorities, especially in the wake of the Snowden revelations, it is no wonder that the compliance landscape is changing fast.
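The two requirements set out above, encryption under keys that only the data owner holds, and storage confined to an approved jurisdiction, can be made concrete in a few dozen lines. The following is an added illustration written for this article, not code from Worldr or from any of the vendors discussed. It models a storage provider that only ever receives ciphertext and enforces an allow-list of storage regions, while the AES-256-GCM key never leaves the data owner. The region names and the message are constructed for the example; the `Store`, `Seal` and `Open` functions are hypothetical names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrRegionNotAllowed is returned when a write would land outside the
// jurisdictions the data owner has approved (data localization).
var ErrRegionNotAllowed = errors.New("storage region violates localization policy")

// Store models a third-party service (a messaging vendor, say) that holds
// opaque blobs. It never sees a key, so it can never read what it stores.
type Store struct {
	allowedRegions map[string]bool
	blobs          map[string][]byte // id -> nonce||ciphertext
}

// NewStore creates a store that accepts writes only to the listed regions.
func NewStore(allowed ...string) *Store {
	s := &Store{allowedRegions: map[string]bool{}, blobs: map[string][]byte{}}
	for _, r := range allowed {
		s.allowedRegions[r] = true
	}
	return s
}

// Put checks the localization policy before anything touches storage.
func (s *Store) Put(id, region string, blob []byte) error {
	if !s.allowedRegions[region] {
		return ErrRegionNotAllowed
	}
	s.blobs[id] = blob
	return nil
}

// Get returns the stored blob exactly as it was written: still ciphertext.
func (s *Store) Get(id string) ([]byte, bool) {
	b, ok := s.blobs[id]
	return b, ok
}

// NewOwnerKey generates a 256-bit AES key that stays with the data owner.
func NewOwnerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a message with AES-256-GCM under the owner's key and
// prepends the random nonce so the blob is self-contained.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob produced by Seal. Anyone without the owner's key,
// the store operator included, gets an authentication error, not plaintext.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	ownerKey, _ := NewOwnerKey()
	store := NewStore("eu-west-1", "eu-central-1") // constructed region names
	blob, _ := Seal(ownerKey, []byte("constructed message: Q3 forecast attached"))
	fmt.Println("write to us-east-1:", store.Put("msg-1", "us-east-1", blob))
	fmt.Println("write to eu-west-1:", store.Put("msg-1", "eu-west-1", blob))
	stored, _ := store.Get("msg-1")
	vendorKey, _ := NewOwnerKey() // any key the vendor might hold is useless here
	_, err := Open(vendorKey, stored)
	fmt.Println("vendor decrypt attempt:", err)
	pt, _ := Open(ownerKey, stored)
	fmt.Println("owner decrypt:", string(pt))
}
```

The point the example makes is the one in the text: a provider holding only ciphertext cannot hand over readable data, whether after a breach or under a subpoena, because the decrypting key was never in its possession, and a localization policy enforced before the write, rather than audited afterwards, is what turns a residency preference into a guarantee.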
There is also the fact that even some of the world’s biggest tech companies are themselves no strangers to compliance failures. For example, WhatsApp received a €225 million fine in 2021 under the EU’s GDPR rules, making it the second-largest GDPR fine ever at the time. The investigation that resulted in the fine was launched three years earlier by Ireland’s data protection watchdog, which concluded that WhatsApp lacked transparency concerning how user data was stored and processed. Given the poor track record of WhatsApp’s parent company Meta, and the numerous fines levied against Facebook, this should not come as a surprise.
Of course, it’s not just the tech companies themselves that are at risk of compliance failures. Their users often put themselves at risk as well, regardless of exactly where the fault lies. In the US, for example, businesses are legally obliged under record-keeping laws to maintain meticulous records of their electronic messages, which means having full visibility and control over them. JP Morgan found this out the hard way: after allowing employees to use WhatsApp for business communications, it was fined $200 million by two US banking regulators. International banking giant HSBC is also under investigation for similar reasons, namely that WhatsApp by itself does not feature the necessary record-keeping controls, nor does it give users control over their own encryption keys.
We can look to Slack for another example of potential compliance issues for end users. Slack supports data residency, which allows organizations to specify which geographical location their data is kept in. This is important in highly regulated sectors like law and healthcare, which require data to physically remain within its jurisdiction. That said, Slack does not support the most stringent version of data residency – data localization. Data localization is driven by legal obligations. In effect, this means that Slack provides data residency options, but it is not able to guarantee that they will be fully compliant with all current or future EU laws.
How to support business communications without adding risk
In spite of the complexities of compliance and data privacy, no business can expect to function without modern communications tools like Teams, Slack, and WhatsApp. After all, they have become vital enablers of remote work in recent years, and their importance will only persist for the foreseeable future.
An alternative is to use specialized tools tailored to specific industries and business use cases. However, this is not always practical or desirable. After all, most knowledge workers have already been using the aforementioned platforms for months or even years. They have grown accustomed to them, and with that familiarity comes convenience, morale, and productivity.
Security, privacy, and compliance should not have to come at the cost of user-friendliness and innovation. In fact, all of these things should be inseparable components of a secure-by-design digital transformation. In other words, the goal should not be to immediately retire all the tools that your employees already know and love, but to find a way to use them safely and in total compliance with the increasingly complex global regulatory landscape.
This ultimately means regaining control over your digital assets so that you are free to apply the security, privacy, and compliance measures that are important to you and your industry. There are two main requirements for achieving this: ownership of your encryption keys and enforceable data localization. With the help of Worldr solutions, which can be installed and operated from a private cloud or physical on-premises server, you can achieve those goals. Furthermore, having complete ownership of your encryption keys upholds transparency and compliance with record-keeping laws. It also adds an extra layer of security, instead of having to rely purely on the security measures provided by the vendor.
As Europe’s data protection laws and drive for digital sovereignty evolve, organizations both there and abroad need to think carefully about how they store, process, and transmit data. In a world where the threats against information security and privacy are growing all the time and major technology companies are holding all the cards, it has never been more important for businesses to regain control and visibility over their digital assets. Fortunately, however, with the aid of a true zero trust security and digital sovereignty solution, this does not have to mean setting up barriers to innovation.
Our solutions help you meet the demands of a constantly evolving regulatory landscape and adhere to new data protection laws. Get in touch today to request your demo.