Europe's move toward cybersecurity sovereignty [Q&A]
Governments around the world are increasingly legislating for cybersecurity and privacy. But regions often have differing views on how this should be achieved.
We spoke to Christian Have, CTO of Logpoint, to get insight into how US surveillance laws could serve as a catalyst for Europe to take greater control over its data, pushing forward the concept of digital sovereignty.
BN: What is FISA's Section 702, and why is it causing tension in Europe?
CH: FISA's Section 702, originally established to bolster US national security, grants US intelligence agencies extensive surveillance powers. This allows them to collect electronic communications from companies without requiring a warrant. While this benefits American security interests, it has raised significant concerns in Europe, especially regarding data privacy and compliance with the EU's General Data Protection Regulation (GDPR).
The tension lies in the scope of these surveillance powers, which potentially infringe upon the privacy of European citizens whose data is stored or processed by US-based firms. This conflict escalated when Section 702 was extended for another two years, amplifying concerns about European cybersecurity sovereignty.
BN: How does Section 702 conflict with European privacy laws like GDPR?
CH: GDPR mandates that personal data transferred outside Europe can only go to countries providing an 'adequate' level of protection. However, the US, with its sweeping surveillance capabilities under FISA, does not meet this standard. This makes data transfers between the EU and US legally uncertain, especially after the 2020 Schrems II decision by the European Court of Justice (CJEU), which invalidated the Privacy Shield framework meant to govern such transfers.
Section 702 essentially positions businesses with internet-connected infrastructure as potential agents of US surveillance. This complicates compliance for European organizations handling data that might be accessible by US entities, and calls into question the legality of such data transfers under GDPR.
BN: What are the potential consequences of FISA's renewal?
CH: FISA's renewal may lead European companies to reconsider partnerships with US vendors due to fears of their data being accessible to American intelligence agencies. This could disrupt transatlantic trade and prompt a shift toward European-based cybersecurity solutions. Companies that prioritize compliance with GDPR and the protection of customer data might seek to limit their reliance on US service providers subject to FISA.
European regulators are expected to respond by tightening data transfer rules with the US, making compliance more complex for businesses operating across both regions. This further highlights the growing tension between European data privacy laws and US surveillance policies.
BN: How does this tie into the broader concept of European cybersecurity sovereignty?
CH: The renewal of Section 702 could accelerate Europe's push for greater cybersecurity sovereignty. Digital sovereignty refers to a nation’s control over its own data and digital infrastructure. In response to the far-reaching powers of US surveillance laws, European countries may increasingly opt to localise their data and rely on European cybersecurity providers. This would enable them to better protect citizen privacy while maintaining control over critical digital assets.
As trust in US data protection standards erodes, Europe is likely to invest heavily in developing its own cybersecurity solutions. The goal is not only to avoid US surveillance but also to ensure that European laws govern the handling of European citizens' data.
BN: Why are European cybersecurity vendors gaining prominence in this context?
CH: European vendors are becoming more attractive as they are not subject to FISA, meaning they offer a safer alternative for European organizations looking to protect sensitive data. Solutions like Security Information and Event Management (SIEM) and log management, often provided by US companies, pose a risk because such data could be accessed by US intelligence. European alternatives like Logpoint allow organizations to maintain compliance with GDPR and mitigate exposure to US surveillance.
This shift is not just about avoiding US surveillance; it's part of a broader strategy for Europe to assert control over its digital landscape. As data becomes as valuable as currency, ensuring its security is key to both national security and economic independence.
BN: What does the future hold for Europe's quest for cybersecurity sovereignty?
CH: The renewal of FISA Section 702 is likely to spur further action in Europe toward achieving digital sovereignty. While this will require significant investment in infrastructure and technology, the long-term benefits are substantial. Enhanced data security, compliance with European regulations, and independence from foreign surveillance will become critical priorities for European nations and businesses.
Ultimately, the debate over FISA and European data privacy is about more than just surveillance -- it's about power. Europe's growing commitment to controlling its digital future could lead to a more secure and sovereign digital environment, protecting citizens' rights while strengthening the continent’s economic and technological resilience.