Broken US Personal Data Protection Is Likely To Hit Europe Hard
20 Mar 2025
Personal data protection is a big thing, particularly in Europe. However, it is under a serious threat right now. In the US, the data protection is enforced by the Department of Commerce (DoC) and Federal Trade Commission (FTC). Existing data protection structures are being heavily affected by current US administration. The data privacy framework (DPF) that ensures adequate level of data protection in the US is endangered. Given the speed at which Trump administration is going, there is no telling what exactly happens and when it happens. It may happen any day. It may even have happened already. Once the DPF is gone or crippled, European Commission will be forced to react, suspending or repealing adequacy decision for data transfer to US [EU 2023/1795 Article 3(5)]. In that case, personal data transfer to US would not be legal any more, not in the same way it is legal now. The details are difficult to predict. However, it is very likely that this is going to dramatically complicate everything. Once the adequacy decision is suspended or repealed, it is not clear whether data protection could be secured by contractual means. European companies must be prepared for the possibility that transfer or personal data to US would not be GDPR compliant.
Almost every meaningful interaction with almost any service involves personal data. If transfer of personal data is not legal, this could render use of such service completely illegal. As many European companies rely on US technology, the consequences could be devastating. It is quite clear that this is the time for European companies to migrate away from US technology.
What should European companies do?
- Do not panic. Not yet. There is still some time. Create plans. Get prepared.
- Immediately stop any new deployments of US technology. Stop all purchasing activities involving US technology. Put it all on hold. Data migration is always difficult. The only easy migration is the one that you do not have to do at all. Therefore, stop all projects before you put any data into the systems.
- Create inventory of all your software and cloud services, or update it if you already have one. Make sure you know zone of control for every service, particularly whether it is US company or European company running it. Also note location of data. Many US companies have European datacenters.
- Identify which software and services are critical for your organization. Prioritize the list. Things may easily get very tough, you will not be able to migrate all the services at once. You will need to focus on important ones first.
- Backup data from all the services, starting with critical services. Do it now. Do not wait. Do not rely on backup mechanisms provided by the service operator, such backups may be gone tomorrow. Store backups in a trustworthy place, ideally on your own premises. If that is not possible, store the backup in a different zone of control than the provider resides in. E.g. store backups of US services on European servers which are under control of European company.
- Look for alternative services, at least for the critical services run by US companies. Try the alternatives. Do not just read about them, try them. Even if it does not look good at the first sight, still give it a try. You are not looking for a perfect replacement. You are looking for something that is good enough to keep your business afloat.
- Once the alternatives are identified, create an "exit and migration plan". Migration is never going to be easy. You will need to customize the new system, migrate the data, adjust processes, rework integration points, re-train users. Consider possibility that one alternative service may replace several existing services, at least temporarily.
- If you still have time, migrate some of the services, to check whether the plan works. Choose smaller, non-critical services. Selecting a service where the migration makes economic sense (saves money) is a smart move.
- When the time comes, execute the plans.
NOTE: It is control that really matters, not location. It does not really matter if the data are stored in European data centers, if they are controlled by US company that is subject to US legislation. In current situation, US legislation, and especially its enforcement, is more than unpredictable. This creates a huge risk. However, if data are located in European data centers, it may give you some extra time to migrate - at least from a legal point of view.
What alternative services should you choose? That is a very difficult question. European IT services are not as numerous, widespread or advanced as US services. However, there is one important thing to consider. Open source is secret strength of Europe. There are several good open source alternatives for US services. In particular:
- Nextcloud for productivity, file management and many more.
- Collabora online and Onlyoffice for documents.
- OpenProject for project management.
- MidPoint and Syncope for identity management and governance, solution based on Keycloack for access management.
- LimeSurvey for survey management.
This list is by no means complete. In fact, it is just a couple of projects that I know from personal experience. Look around, you are certainly going to find much more options.
Do not be afraid to go for on-premise software if needed. Open source software is usually not difficult to deploy on-premise, on in similar self-hosted environments. E.g. our company (Evolveum) is self-hosting pretty much all the software that we need to do business.
This is all going to be quite hard, for everybody. Dependencies on cloud services are extremely heavy. There are no good solutions for eliminating heavy dependencies. Creating such dependencies without appropriate exit strategy was not a wise decision in the first place. Now it is time to pay the dues. This problem is recognized by some regulations already (e.g. EU 2022/2554 (DORA) Article 28(8)). Prepare everything in advance, that is the best thing you can do now.
However, it is not all bad. Preparedness can be a major competitive advantage. Your competitors may be knocked out, paralyzed by the migration, or crushed by subsequent GDPR fines. If you are well prepared, you may get out of this crisis, stronger than ever. It is all about your approach, your commitment and your persistence.
