Data protection law in transition: A conversation with expert Katharina Raabe-Stuppnig


Agnieszka Grzybek

Last modified: August 27, 2025
Katharina Raabe-Stuppnig, Attorney-at-Law

With more than 15 years of experience as a lawyer, her role as co-founder of a data protection advisory board and her active participation in proceedings before the European Court of Justice – together with Max Schrems and Thomas Lohninger – Katharina Raabe-Stuppnig is one of the most influential voices in European data protection law. At her law firm on Wickenburggasse in Vienna, she talks about her career path, the challenges of the GDPR and the growing complexity of new EU digital laws.

From Media Law to Data Protection: Expert in Austria

Katharina Raabe-Stuppnig began her career in media law. She advised publishing houses and telecommunications companies on issues of competition law, advertising and media responsibility. The bridge to data protection came about almost automatically: “Many clients approached me and said: You know our processes and our balancing of interests – can you also support us with data protection?”

When the GDPR came into force, data protection moved more into the center of corporate reality. Fines in the millions increased the pressure. Companies needed clear concepts – and relied on existing partnerships. As a result, data protection law developed from a peripheral issue to the central focus of her work.

“My wish would be to strengthen the European economy – through European alternatives. The digital strategy and the Data Act are a step in the right direction. The only question is: Will it come in time?”

Mag. Katharina Raabe-Stuppnig

Data protection as an enabler

Since the introduction of the GDPR in 2018, the need for legal support has increased enormously – and remains high. This is not least due to the fact that the regulation makes no distinction between large corporations and small companies. All must meet the same standards.

“A functioning data protection management system is a real enabler today,” explains Raabe-Stuppnig. “It provides companies with an overview of systems, processes and risks – and forms the basis for optimizations and efficiency improvements.”

At the same time, the environment is becoming increasingly complex: new legislation such as NIS-2, the Cyber Resilience Act, the AI Act and the Data Act is placing additional demands on companies – across all sectors. Those who have already built a stable data protection foundation now have a clear advantage.

Digital Transformation Strategies

The questions with which companies turn to the law firm today are manifold:

  • How does NIS-2 affect me if I am a supplier of critical infrastructure?
  • What policies do I need for the AI Act?
  • How do I deal with new data access rights according to the Data Act – without jeopardizing the level of data protection I have built up so far?

In addition to legal assessments, strategic questions are playing an increasingly important role: Where should responsibilities be assigned within the company? How can compliance, cyber security and the ability to innovate be reconciled? Raabe-Stuppnig and her team support companies not only with implementation, but also with positioning within the new legal framework.

EU vs. USA: Different basic attitudes

A particularly sensitive issue is the use of software from third countries – for example by US hyperscalers. Although there are also data protection laws in the USA, Raabe-Stuppnig says, the protection primarily applies to US citizens. These regulations are significantly weaker for EU citizens.

“The problem lies in the weighting: The security interests of the NSA often take precedence over the data protection of non-Americans. The ECJ has already found this disproportionality twice – and thus overturned central principles such as Safe Harbor and Privacy Shield.”

Change in awareness in Europe since 2018

Since the GDPR came into force, awareness in Europe has changed noticeably. Companies today are much more sensitive when it comes to handling personal data. The media attention surrounding data protection judgments and prominent cases has played a central role in this.

“We have created a gold standard for data protection in Europe,” summarizes Raabe-Stuppnig. “And it is pleasing to see how many companies are actively striving not only to meet this standard, but to use it as a competitive advantage.”

What makes data transfer to the USA so sensitive – and what is the legal situation in the EU today?

The data protection debate between the EU and the USA is complex – and, above all, highly dynamic from a legal perspective. In contrast to countries such as Switzerland, for which the EU Commission has issued a so-called adequacy decision, the situation in the USA was and is much more complicated. Such a decision states that personal data may be transferred to a third country because the level of data protection there is comparable to that in the EU. For countries such as China or Russia – and for a long time for the USA too – no such decision existed.

Data processing in the USA – a legal balancing act

As soon as companies work with service providers that process data in the USA, they must take additional protective measures to maintain the level of data protection required by the GDPR. This means more work, more mandatory checks – and more risk.

A practical example: even if a company chooses a server location within the EU with a US cloud provider, the problem remains – for instance, if the European subsidiary is controlled by a US parent company. If it comes to that, US authorities such as the NSA could demand access to the data via the company’s internal chain of command. A server location in the EU reduces the risk, but does not eliminate it completely.

From Safe Harbor to the Data Privacy Framework: A Review

The history of the data protection agreements between the EU and the US reads like a succession of legal setbacks:

  • Safe Harbor was the first agreement under which U.S. companies voluntarily committed to certain data protection standards. It was overturned in 2015 by the Schrems I judgment.
  • Privacy Shield was the successor – a revised version of Safe Harbor. This agreement was also declared invalid by the European Court of Justice in 2020 in the Schrems II ruling.
  • In response, the Data Privacy Framework came into force, on the basis of which the EU Commission has once again adopted an adequacy decision for the USA.

However, the new decision is once again on shaky foundations

This is because the Data Privacy Framework is based on an executive order of the US president – i.e. an order that can theoretically be revoked at any time. Critics therefore doubt the long-term stability of this framework. A lawsuit against the adequacy decision has already been filed with the European Court of Justice – the outcome is open.

In addition, the responsible US supervisory authority, the PCLOB, is currently unable to act because three of its five board members have been dismissed by ex-President Trump. The result: great uncertainty as to how stable the data protection mechanism in the USA really is.

How important is the Data Privacy Framework for companies in the EU?

If you plan for the long term and want to focus on data security, you should not blindly rely on the Data Privacy Framework. The legal situation can change quickly – as in the past. Data Transfer Impact Assessments (TIA) require a lot of effort, and violations can result in severe penalties: up to 4% of global annual revenue.

US cloud services are (still) usable – but not without risk

Currently, cloud services from US providers can be used in compliance with data protection regulations, provided that appropriate protective measures such as standard contractual clauses and technical security measures are implemented. A residual risk remains, however. It is particularly problematic that there is still no end-to-end encryption suitable for everyday use that covers all types of use – for example, data that is being actively processed (“data in use”).

The use of US services should therefore always be assessed individually: How sensitive is the data being processed? What security measures are in place? And to what extent is the company actually able to mitigate the risks?

Between black and white and realism: How companies should deal with data protection and cloud providers

The question of whether companies should only use software and cloud services of European origin – an “all or nothing” approach – sounds like a clear stance at first glance. But this is precisely what data protection expert Katharina Raabe-Stuppnig warns against. Such a principle is not only impractical, but also difficult to justify to the authorities. Instead, every decision on the use of software or cloud services must be made on a case-by-case basis – depending on how sensitive the data being processed is and what specific protective measures can be taken.

Don’t be lulled into a false sense of security – even with the Data Privacy Framework

Another topic that is currently occupying many companies: What happens if the European Court of Justice (ECJ) overturns the new Data Privacy Framework between the EU and the USA – as it did with “Safe Harbor” and “Privacy Shield” before? The answer is clear: massive legal uncertainty would arise again. This is precisely why Kargl is already advising companies not to rely exclusively on the framework, but to agree on standard contractual clauses (SCCs) in addition. These should always include a so-called Transfer Impact Assessment (TIA) – i.e. a risk analysis for data transfers to third countries.

But the lawyer also makes it clear: if the Data Privacy Framework were actually to fall, and the proportionality of data transfers to the USA were thus fundamentally called into question, TIAs would also reach their limits. Hope would then rest on supplementary technical and organizational measures – above all encryption.

Encryption: Aspiration and reality diverge

The data protection authorities and the ECJ are demanding a clear solution from US cloud providers: data should only be stored in encrypted form, and the key should be managed outside the provider – ideally in Europe and under the control of the controller (the company responsible for the data) or a European trustee. The aim of this so-called “external key management” solution is to ensure that, even in the event of access by US authorities such as the NSA, only encrypted, i.e. unusable, data can be handed over.

In practice, however, according to Katharina Raabe-Stuppnig, this type of encryption can only really be implemented for backup data. As soon as data is actively processed in day-to-day operations, access to unencrypted material is required. This is precisely where the problem lies: the technology that allows complete data processing in an encrypted state currently exists only to a very limited extent – for example, for simple calculations or estimates in specific scenarios. The state of the art is not yet sufficient for the widespread use required in business.
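As an added illustration of the external key management argument above (example code written for this article, not from the law firm or sproof): a Go sketch in which the controller holds an AES-256-GCM key, uploads only sealed blobs to the provider, and has to call Open before any processing, which is exactly the “data in use” gap described. The ControllerKMS name, the record IDs and the sample records are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ControllerKMS models the key held by the EU controller or a European trustee,
// i.e. outside the cloud provider's reach. Constructed for this example.
type ControllerKMS struct{ aead cipher.AEAD }

// NewControllerKMS generates an AES-256-GCM key that never leaves the controller.
func NewControllerKMS() (*ControllerKMS, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ControllerKMS{aead: g}, nil
}

// Seal encrypts a record before it is uploaded. The record ID is bound as
// associated data and the random nonce is prefixed to the ciphertext.
func (c *ControllerKMS) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open is the only way back to plaintext; it fails for a wrong key, a tampered
// blob or a blob re-labelled with another record ID. Any processing of "data
// in use" must call it first, which is the gap the text describes.
func (c *ControllerKMS) Open(recordID string, blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}
```

A provider that stores only the output of Seal can hand over nothing readable on demand; a party holding a different key, or presenting the blob under another record ID, gets an authentication error rather than data.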

Europe’s Role: Opportunities through the Data Act

Despite these challenges, the lawyer is optimistic about the future: the EU Data Act sets an important course. Cloud providers are to be obliged to enable multicloud strategies, i.e. to support switching between providers without high switching costs. This is an active effort to strengthen European sovereignty in the digital space and, in the long term, to create more alternatives to US hyperscalers.

The question remains whether Europe will still be able to do this in time to be able to act more independently and securely in the digital space. Nevertheless, Ms. Raabe-Stuppnig is confident: The political will is there – and with targeted funding and regulation, viable European alternatives could soon emerge.

A blanket waiver of third-country solutions is neither practicable nor legally required. Companies must carefully weigh up how sensitive their data is, which partners are suitable – and which protective measures they can implement in concrete terms. Those who already rely on SCCs, TIAs and encryption are not only on the safe side legally, but also strengthen their European position in digital competition.
