15 Jun 2022

Digital industry sounds the alarm on contradicting EU legislation on data and cloud that would harm the economy

In a newly released report, DIGITALEUROPE sounds the alarm on the increasingly complex legal maze of new and existing rules to govern data transfers within and outside Europe.

The in-depth analysis of upcoming European legislation on data transfers and cloud security, including the European Cybersecurity Certification Scheme for Cloud Services (EUCS) and the Data Act, reveals major flaws and tensions with equivalent rules set out in the GDPR.

In a letter co-signed with 18 of its national trade associations, DIGITALEUROPE also highlights how the EUCS’s focus on data localisation, EU headquarters and EU control will not only severely affect the quality and security in the European cloud market but will also make it more difficult for European companies to operate globally.

This will have major implications for the economy and the growth prospects of European companies abroad, as well as weaken our security by hindering the exchange of information with our closest allies.

Director General of DIGITALEUROPE Cecilia Bonefeld-Dahl said:

“We must find the right balance to defend our strategic autonomy and digital sovereignty, while encouraging global competitiveness and access to foreign markets for our companies. We cannot afford the confusion and economic damage that would result from this legal maze, nor the risks to our cybersecurity.

We urge the European Parliament and the Member States to reject any hasty and counterproductive requirements in the Data Act and the EUCS, and the Commission and ENISA to launch an open stakeholder consultation process and re-evaluation of its proposals.”

Read the full joint letter

Data transfers in the EU Data Strategy: contradicting rules

  • New rules governing data transfers outside Europe in the Data Governance Act and the Data Act are unnecessary, and contradictory with the broad protections already available under the GDPR.
  • Despite in theory addressing non-personal data, both the Data Governance Act and the Data Act address laws that involve personal data and are already covered under the GDPR, in particular rules meant to address the US CLOUD Act and e-evidence.
  • These Acts create a complex web of authorities responsible for their application and enforcement that will inevitably conflict with the powers of data protection authorities (DPAs) under the GDPR.
  • Blanket rules stipulating that firms must be EU headquartered or 100% under European control, or mandating data localisation in Europe – such as those proposed in the EU Cloud Certification Scheme (EUCS) or GAIA-X’s Trust and Labelling Framework – cannot and will not guarantee immunity to access to EU data by non-European countries.
  • The sheer amount of new overlapping rules is unworkable for businesses and could have a chilling effect on growth and reaching our Digital Decade goals.
  • As well as damaging the economy and the growth prospects of European companies abroad, rules limiting data transfers will also weaken our security by hindering the exchange of information with our closest allies.

Read the full report
For more information, please contact:
Samia Fitouri
Senior Communications Manager
30 Apr 2024 Position Paper
Contribution to public consultation on white paper on export controls
29 Apr 2024 Publication & Brochure
The Download: Funding Europe's Digital Transition - Investing in the future not the past
06 Mar 2024 resource
DIGITALEUROPE’s response to the Joint European Supervisory Authorities’ public consultation on the second batch of policy mandates under DORA
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.