EU Plans Legislation to Seize Data Stored Abroad
In recent developments, both California and the European Union have taken significant steps to strengthen data protection and law enforcement access to digital information, posing both challenges and opportunities for tech companies operating in these regions.
California, leading the way in the United States, updated its data security breach notification law in an unspecified year. The new legislation requires any person or business that owns or licenses computerized data that includes Californians' personal information to disclose any breach of the security of the system. This update marks a first of its kind in the nation, setting a precedent for other states to follow.
Across the Atlantic, the European Union is working on a new law that will allow EU law enforcement to obtain customer's personal data stored outside the EU. As part of its ProtectEU strategy, the EU Commission has set ambitious goals for law enforcement access to private data. A roadmap presented in June 2025 outlines plans to ensure that, by 2030, law enforcement agencies can access encrypted data "lawfully and effectively," potentially including decryption capabilities for private communications. This reflects ongoing efforts by the EU to balance security concerns with privacy rights, but has raised concerns among privacy advocates and tech companies about the creation of "backdoors" in encryption.
Europe has always been very restrictive on how companies can transfer data outside the EU, and this new law could potentially conflict with laws in countries that do not allow sharing of personal data overseas. However, the EU is also advancing new rules to streamline cross-border data protection enforcement. On June 27, 2025, the Council of the European Union adopted a draft regulation introducing additional procedural rules for GDPR enforcement in cross-border cases. This regulation aims to harmonize procedural rules, enhance collaboration between national data protection authorities, and provide legal certainty for all parties involved in cross-border data protection issues.
For tech companies doing business in the EU, these legal changes present both challenges and opportunities. Companies may face new obligations to assist law enforcement agencies in accessing data, which could require technical or procedural changes to facilitate access to encrypted communications. On the other hand, the new GDPR procedural regulation should make cross-border compliance smoother, with clearer deadlines and more predictable outcomes for data protection investigations. Harmonized procedures and improved cooperation between data protection authorities can reduce the complexity and cost of handling cross-border data protection issues.
In summary, tech companies operating in the EU must prepare for both enhanced law enforcement access requirements and streamlined but potentially stricter cross-border data protection enforcement in the coming years. As these developments continue to unfold, companies will need to navigate this evolving landscape to ensure compliance and protect their customers' privacy.
References: [1] European Commission (2025). ProtectEU: Strengthening the EU's cybersecurity and law enforcement capabilities. Retrieved from https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/cybersecurity/protecteu_en [2] European Digital Rights (2025). ProtectEU: Encryption backdoors are a threat to our fundamental rights. Retrieved from https://edri.org/protecteu-encryption-backdoors-are-a-threat-to-our-fundamental-rights/ [3] Council of the European Union (2025). Proposal for a regulation on the European Production and Preservation Order for electronic evidence in criminal matters. Retrieved from https://data.consilium.europa.eu/doc/document/ST-11432-2025-INIT/en/pdf [4] European Data Protection Supervisor (2025). GDPR Procedural Regulation: Improving cross-border data protection enforcement. Retrieved from https://edps.europa.eu/data-protection/our-work/documents/gdpr-procedural-regulation-improving-cross-border-data-protection-enforcement_en
- The updates in California's data security breach notification law and the EU's moves towards law enforcement access to encrypted data present significant challenges for tech companies in the industry, especially in terms of finance and policy-and-legislation.
- The new legislation in California and the EU's ProtectEU strategy highlight the increasing role of politics in shaping business operations, particularly for technology companies dealing with general-news and digital information.
- The EU's efforts to balance security concerns with privacy rights, as seen in the ProtectEU strategy and the GDPR procedural regulation, have implications for the overall business environment, potentially affecting the ease of conducting business across borders, particularly in the realm of technology and finance.
