The USA is home to many leading cloud providers, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud. These providers dominate European cloud infrastructure with a market share of over 70%. But precisely this heavy dependence carries data protection risks: the transfer of personal data to the USA is legally permitted only under certain conditions, currently based on the EU-US Data Privacy Framework.
But the political climate in the USA raises questions: should President Donald Trump overturn the legal basis for data transfers, companies will have to rethink. A central oversight body of the data protection agreement, the "Privacy and Civil Liberties Oversight Board", has already been effectively stripped of its power. Without this independent body, an important corrective is missing.
Snowden, Schrems and the Lessons of the Past
The European Court of Justice (ECJ) has already struck down a transatlantic data protection agreement twice – Safe Harbor in 2015 and Privacy Shield in 2020. One of the triggers was Edward Snowden’s revelations about the access of U.S. intelligence agencies to the data of European citizens.
This history shows that cloud solutions with server locations outside the EU are repeatedly affected by legal uncertainty – despite technical security measures. A political decision in Washington can become a risk for European companies overnight.
On-premise or European cloud: More control, less risk
Companies that rely on on-premise models or cloud solutions with data locations in the EU are better able to address such risks. Although the administrative effort is higher, data protection, confidentiality, and compliance can be ensured more reliably.
For particularly sensitive data – for example in industry, healthcare, or with personal customer information – a critical review is worthwhile: Does data processing necessarily have to run through US providers? Or are European providers or in-house servers the better alternative?
Recommendation: Plan an exit strategy and data protection strategy
Authorities such as the data protection commissioners of the federal states recommend that companies address exit strategies at an early stage – in other words, plans for the event that data transfers to the USA are no longer legally viable. EU standard contractual clauses can also be used, but these involve considerable effort and auditing obligations – and do not bind the US authorities themselves.
What should companies do now?
- Analyze data flows: Which data is flowing where – and is a US connection absolutely necessary?
- Develop exit strategies: What to do if the agreement becomes invalid overnight?
- Review legal bases: Standard contractual clauses, technical and organizational measures, risk impact assessments.
- Consider European alternatives: Providers with headquarters and data centers in the EU are becoming increasingly competitive.
- Raise awareness: Executives and IT should incorporate political and legal developments into the digital strategy.
Conclusion: Make strategic decisions with foresight
The decision between cloud and on-premise should no longer be based solely on cost or scalability. Legal compliance, geopolitical stability, and long-term availability must also be taken into account.
Our tip: Companies that want to be on the safe side should increasingly rely on European cloud providers or assess whether on-premise infrastructures represent a realistic and economical alternative.
Our recommendation: Have your cloud strategy reviewed now!
We provide companies with comprehensive consulting on legally compliant data processing, the implementation of the GDPR, and the introduction of robust information security measures – also taking international data flows into account.
Contact us now for a non-binding initial consultation or visit our page on information security.

