BRUSSELS — More than 80 percent of Europe’s companies will be freed from
environmental-reporting obligations after EU institutions reached a deal on a
proposal to cut green rules on Monday.
The deal is a major legislative victory for European Commission President Ursula
von der Leyen in her push to cut red tape for business, one of the defining
missions of her second term in office.
However, that victory came at a political cost: The file pushed the coalition
that got her re-elected to the brink of collapse and led her own political
family, the center-right European People’s Party (EPP), to team up with the far
right to get the deal over the line.
The new law, the first of many so-called omnibus simplification bills,
will massively reduce the scope of corporate sustainability disclosure rules
introduced in the last political term. The aim of the red tape cuts is to boost
the competitiveness of European businesses and drive economic growth.
The deal concludes a year of intense
negotiations between EU decision-makers, investors, businesses and
civil society, who argued over how much to reduce reporting obligations for
companies on the environmental impacts of their business and supply chains — all
while the effects of climate change in Europe were getting worse.
“This is an important step towards our common goal to create a more favourable
business environment to help our companies grow and innovate,” said Marie
Bjerre, Danish minister for European affairs. Denmark, which holds the
presidency of the Council of the EU until the end of the year, led the
negotiations on behalf of EU governments.
Proposed by the Commission last February, the omnibus is designed to address
businesses’ concerns that the paperwork needed to comply with EU laws is costly
and unfair. Many companies have been blaming Europe’s overzealous green
lawmaking and the restrictions it places on doing business in the region for low
economic growth and job losses, preventing them from competing with U.S. and
Chinese rivals.
But Green and civil society groups — and some businesses too
— argued this backtracking would put environmental and human health at risk.
That disagreement reverberated through Brussels, disturbing the balance of power
in Parliament as the EPP broke the so-called cordon sanitaire — an unwritten
rule that forbids mainstream parties from collaborating with the far right — to
pass major cuts to green rules. It set a precedent for future lawmaking in
Europe as the bloc grapples with the at-times conflicting priorities of boosting
economic growth and advancing on its green transition.
The word “omnibus” has since become a mainstay of the Brussels bubble vernacular
with the Commission putting forward at least 10 more simplification bills on
topics like data protection, finance, chemical use, agriculture and defense.
LESS PAPERWORK
The deal struck by negotiators from the European Parliament, EU Council and the
Commission includes changes to two key pieces of legislation in the EU’s arsenal
of green rules: The Corporate Sustainability Reporting Directive (CSRD) and the
Corporate Sustainability Due Diligence Directive (CSDDD).
The rules originally required businesses large and small to collect and
publish data on their greenhouse gas emissions, how much water they use, the
impact of rising temperatures on working conditions, chemical leakages and
whether their suppliers — which are often spread across the globe — respect
human rights and labor laws.
Now the reporting rules will only apply to companies with more than 1,000
employees and €450 million in net turnover, while only the largest companies —
with 5,000 employees and at least €1.5 billion in net turnover — are covered by
supply chain due diligence obligations.
They also don’t have to adopt transition plans, with details on how they intend
to adapt their business model to reach targets for reducing greenhouse gas
emissions.
Importantly, the decision-makers got rid of an EU-level legal framework that
allowed civilians to hold businesses accountable for the impact of their supply
chains on human rights or local ecosystems.
MEPs have another say on whether the deal goes through or not, with a final vote
on the file slated for Dec. 16. It means that lawmakers have a chance to reject
what the co-legislators have agreed to if they consider it to be too far from
their original position.
BRUSSELS — A fresh proposal by European Commission President Ursula von der
Leyen to reform digital laws on Wednesday was welcomed by lawmakers on the right
but shunned on the left.
It signals a possible repeat of a pivotal parliamentary clash last week in which
von der Leyen’s center-right European People’s Party sided with the far right to
pass her first omnibus proposal on green rules — sidelining the centrist
coalition that voted the Commission president into office last year.
The EU executive on Wednesday presented plans to overhaul everything from its
flagship General Data Protection Regulation to data rules and its fledgling
Artificial Intelligence Act. The reforms aim to help businesses using data and
AI, in an effort to catch up with the United States, China and other regions in
the global tech race.
Drafts of the plans obtained by POLITICO caused an uproar in Brussels in the
past two weeks, as everyone from liberal to left-leaning political groups and
privacy-minded national governments rang the alarm.
Von der Leyen sought to extend an olive branch with last-minute tweaks to her
proposal, but she’s still a long way away from center-left groups. The
Progressive Alliance of Socialists and Democrats, Greens and The Left have all
slammed the plans in recent days.
Tom Vandendriessche, a Belgian member of the far-right Patriots for Europe
group, said the GDPR is not “untouchable,” and that there needs to be
simplification “to ensure our European companies can compete again.” He added:
“If EPP supports that course, we’re happy to collaborate on that.”
Charlie Weimers, a Swedish member of the right-wing European Conservatives and
Reformists, welcomed the plan for “cleaning up overlapping data rules, cutting
double reporting and finally tackling the cookie banner circus.” Weimers argued
von der Leyen could go further, saying it falls short of being “the regulatory
U-turn the EU actually needs” to catch up in the AI race.
Those early rapprochements on the right are what Europe’s centrists and left
fear most.
The digital omnibus “should not be a repetition of omnibus one,” German Greens
lawmaker Sergey Lagodinsky told reporters on Wednesday. Lagodinsky warned EPP
leader Manfred Weber that “there should be no games with anti-democratic and
anti-European parties.”
BIG REFORMS, SMALL CONCESSIONS
The Commission’s double-decker digital omnibus package includes one plan to
simplify the EU’s data-related laws (including the GDPR as well as rules for
nonpersonal data), and another specifically targeting the AI Act.
A Commission official, briefing reporters without being authorized to speak on
the record, said the omnibus’ impact on the GDPR was subject to “intense
discussion” internally in the run-up to Wednesday’s presentation, after its
rough reception from some parliament groups and privacy organizations.
Much in the EU executive’s final text remained unchanged. Among the proposals,
the Commission wants to insert an affirmation into the GDPR that AI developers
can rely on their “legitimate interest” to legally process Europeans’ data. That
would give AI companies more confidence that they don’t always have to ask for
consent.
It also wants to change the definition of personal data in the GDPR to allow
pseudonymized data — where a person’s details have been obscured so they can’t
be identified — to be more easily processed.
The omnibus proposals also aim to reduce the number of cookie banners that crop
up across Europe’s internet.
To assuage privacy concerns, Commission officials scrapped a hotly contested
clause that would have redefined what is considered “special category” data,
like a person’s religious or political beliefs, ethnicity or health data, which
are afforded extra protections under the GDPR.
The new cookie provision will also contain an explicit statement that website
and app operators still need to get consent to access information on people’s
devices.
SEEKING POLITICAL SUPPORT
The final texts will now be scrutinized by the Parliament and Council of the
European Union.
Von der Leyen’s center-right EPP welcomed the digital simplification plans as
“a critical boost for Europe’s industrial competitiveness.”
Parliament’s group of center-left Socialists and Democrats came out critical of
the reforms. Birgit Sippel, a prominent German member of the group, said in a
statement the Commission “wants to undermine its own standards of protection in
the area of data protection and privacy in order to facilitate data use,
surveillance, and AI tools ‘made in the U.S.’”
On the EPP’s immediate left, the liberal Renew group cited “important concerns”
about the final texts but said it was “delighted” that the Commission
backtracked on changing the definition of sensitive data, one idea in the leaked
drafts that triggered a backlash. Renew said it would “support changes in the
digital omnibus that will make life easier for our European companies.”
If von der Leyen goes looking for votes for her digital omnibus among far-right
groups, she will find support but it might not be a united front.
German lawmaker Christine Anderson of the Alternative for Germany party, part of
the far-right Europe of Sovereign Nations group, warned the digital omnibus
could end up boosting “the ability to track and profile people.”
Weaker privacy rules would “enable enhanced surveillance architecture,” she
said, adding her party had “always opposed” such changes. “On these issues, we
find ourselves much closer to the groups on the left in the Parliament,” she
said.
Pieter Haeck contributed reporting.
BRUSSELS — Ursula von der Leyen hasn’t even published her plans to overhaul the
EU’s digital laws yet and already the European Parliament is signaling: This
shall not pass.
Political groups to the left of von der Leyen’s center-right European People’s
Party are coming out against draft proposals for a digital omnibus legislation
that reveal how the EU executive is looking to loosen privacy rules, amend its
artificial intelligence law, and overhaul data legislation to the benefit of
industry — not least American tech giants.
In letters to the European Commission, political groups from center to left
barreled into the draft reforms, calling them “extremely worrying,” asking the
executive to “reverse course,” and slamming it for what they see as a
capitulation to U.S. demands.
The backlash puts von der Leyen in a bind. She could opt to change her proposals
ahead of the formal presentation next Wednesday, or else she’ll have to seek
votes on the far right — yet again — to pass a key part of her political
platform. The EPP is already expected to lean on right-wing support to pass its
green rules simplification legislation on Thursday due to a lack of support in
the center.
The Commission also backed down on its budget plans to avert a rebellion of
centrist groups in the Parliament, POLITICO reported Sunday.
The digital omnibus draft proposals, obtained by POLITICO last week, showed how
the EU executive is looking to ease rules on AI firms under the flagship General
Data Protection Regulation (GDPR). It’s looking to create exceptions for AI
companies that would allow them to legally process data linked to people’s
religious or political beliefs, ethnicity or health data to train and operate
their tech, and also wants to redefine categories of personal data, which would
relieve swaths of data from the privacy protections they currently enjoy.
The proposals also envision tweaks to the EU’s landmark AI law, like delays on
fines for watermarked content and exemptions for small businesses.
The drafts drew the ire of the center and the left in the Parliament in recent
days. Such outcries are exceptional: Parliament groups often refrain from taking
a position until a proposal is formally presented.
The Greens group, liberal Renew and Socialists and Democrats have all drawn up
letters slamming the Commission.
The Greens addressed von der Leyen and the Commission’s tech chief Henna
Virkkunen, asking them to “reverse course and focus on actual simplification” of
tech laws, in a letter shared with POLITICO.
Alexandra Geese, a prominent German member of the Greens group, said the
Commission’s plans would “dismantle the protection of European citizens for the
benefit of U.S. tech giants.” She said “the Commission should focus on real
simplification and streamlining of definitions rather than bending their knee to
the U.S. administration.”
The Renew group voiced “strong opposition to certain changes” and called some of
the draft tweaks “extremely worrying.” “We would strongly ask you to remove and
reconsider those proposed changes before presenting the official proposals,” the
group wrote in its letter to von der Leyen and key commissioners, shared with
POLITICO.
Italian S&D MEP Brando Benifei, the Parliament’s lead negotiator on the AI Act,
said he was “deeply skeptical of reopening the AI Act before it’s fully in force
and without impact assessment.”
Two dozen lawmakers from The Left, the Greens and S&D also backed a written
question drawn up by French left-wing MEP Leïla Chaibi that will be filed this
week. It follows the EU executive’s reportedly “engaging” with the Donald Trump
administration in the lead-up to the omnibus proposal. In it, lawmakers said:
“The European Commission’s apparent willingness to yield to pressure from the
White House in this way raises serious concerns about the European Union’s
digital sovereignty.”
The S&D came out swinging in a letter on Tuesday, warning the Commission that
they’ll oppose “any attempt” to weaken the foundations of the
EU’s privacy framework that would “lower the level of personal data protection,
or narrow the GDPR’s scope.” The group said Europe’s digital laws at large have
“inspired international partners and positioned Europe as a normative power in
global tech governance.”
RIGHT TO THE RESCUE?
Von der Leyen’s EPP hasn’t yet issued a united statement about the draft digital
simplification plans.
Finnish center-right lawmaker Aura Salla — who previously led Meta’s Brussels
lobbying office — said earlier she would “warmly” welcome the proposal “if done
correctly,” as it could bring legal certainty for AI companies.
The center right, which holds the most seats in the Parliament, could seek
support to its right with the right-wing European Conservatives and Reformists
and the far-right Europe of Sovereign Nations (ESN) and Patriots for Europe.
Piotr Müller, a Polish ECR member, welcomed the Commission’s draft texts: “After
years of excessive legislation that has stifled progress, it is five to
midnight: We need ambitious deregulation now.”
Further to the right, French lawmaker Sarah Knafo from the ESN said it would be
a “breath of fresh air for our businesses,” lamenting that “Europe has locked
itself into absurd over-regulation in the technology sector, which stifles all
innovation.”
On the issue of privacy, though, some right-wing lawmakers could turn against
the draft idea. The right has previously defended personal privacy and personal
freedoms over industry’s interests in some legislative fights.
“We need to let our tech players move forward, while remaining vigilant about
sovereignty and control over our data,” Knafo said.
Lawmakers on both the left and right will be under fire from powerful privacy
lobbyists. Civil society campaigners have sounded the alarm in recent days after
the drafts leaked.
The Commission is “secretly trying to overrun everyone else in Brussels,” Max
Schrems, founder of Austrian privacy group Noyb and a prominent European privacy
campaigner, said previously.
The proposals also have to make their way through the Council of the EU, where
countries are equally divided on whether to touch privacy rules.
Documents seen by POLITICO show that at least four countries — Estonia, France,
Austria and Slovenia — are firmly against any rewrite of the GDPR. Germany,
usually seen as one of the most privacy-minded countries, came out in favor of
big changes to help AI blossom.
BRUSSELS — The European Commission said it is “not empowered to take action”
amid concerns about the appointment of a former tech lobbyist to Ireland’s
privacy regulator.
The Irish Council for Civil Liberties — a non-profit transparency campaign group
— on Tuesday filed a complaint calling on the Commission to launch an inquiry
into how Niamh Sweeney was appointed to co-lead the Irish Data Protection
Commission.
Citing reporting from POLITICO, the complaint alleges the appointment process
“lacked procedural safeguards against conflicts of interest and political
interference.”
It’s the first formal challenge to the decision after Sweeney took up her
role as one of three chief regulators at Ireland’s top data regulator this
month. Her prior experience as a lobbyist for Facebook and WhatsApp reignited
concerns that the regulator is too close to Big Tech.
In response to the complaint, Commission spokesperson Guillaume Mercier said
that “it is for the member states to appoint members to their respective data
protection authorities.”
The Commission “is not involved in this process and is not empowered to take
action with respect to those appointments,” Mercier told a daily press briefing
Tuesday.
He emphasized that countries do need to respect requirements set out in EU law —
that the appointment process must be “transparent,” and that those appointed
should “have the qualifications, the experience, the skills, in particular in
the protection of personal data, required to perform their duties and to
exercise their powers.”
The complaint asked the Commission to look into the appointment as part of its
duties to oversee the application of EU law, claiming these responsibilities had
not been met by Ireland.
Sweeney was appointed by the Irish government on the advice of the Public
Appointments Service, the authority that provides recruitment services for
public jobs, which has previously expressed its full confidence in the process.
A corporate lawyer who has worked for Big Tech played a key role in picking a
former lobbyist for Facebook and WhatsApp as one of Europe’s most powerful
privacy regulators.
Niamh Sweeney will take up her role as one of three chief regulators at
Ireland’s powerful Data Protection Commission (DPC) next week. Her previous
experience as a lobbyist for Facebook and WhatsApp has reignited concerns that
Ireland’s top data regulator is too close to Big Tech.
Now, new details about her appointment process seen by POLITICO show that a
lawyer representing tech giants at a prominent law firm in Ireland was a member
of a small panel that picked Sweeney. The inclusion of that lawyer on the panel
triggered a conflict of interest complaint by a candidate that competed with her
for the job earlier this year.
The Irish Data Protection Commissioner enforces Europe’s mighty General Data
Protection Regulation (GDPR) on many of the world’s largest technology
companies, including Meta, X, Google, TikTok and others that have their European
headquarters in Ireland.
For years, the Irish authority has faced criticism for being too soft on tech
giants, with critics pointing to Ireland’s heavy reliance on Big Tech for its
domestic economy. After the GDPR took effect in 2018, it took years before the
DPC started imposing sizable fines on tech giants.
Commissioners at the Irish DPC are appointed by the Irish government on the
advice of the Public Appointments Service, the authority that provides
recruitment services for public jobs. The authority is known as publicjobs.
In a confidential letter dated May 14 and seen by POLITICO, publicjobs said it
had assembled a selection panel of five people to pick the newest privacy chief.
According to the letter, that panel included consultant Shirley Kavanagh as
chair, Department of Justice Deputy Secretary Doncha O’Sullivan, the head of
Ireland’s ComReg communications watchdog Garrett Blaney, publicjobs recruitment
specialist Louise McEntee, and Leo Moore, a partner at law firm William Fry.
Moore heads the firm’s technology group. He has advised domestic and
multinational companies, including “several ‘Big Tech’ and social media
companies,” the law firm’s own website states.
The law firm advised Microsoft in a landmark court case where U.S. authorities
wanted to access data on Irish servers, it said in a 2016 press release. Irish
media also reported that the firm had advised the Irish government in a case in
which the government pushed back on collecting almost €14 billion in back taxes
from Apple.
Moore did not respond to POLITICO’s requests for comment. William Fry did not
provide a comment in time for publication.
The chair of the panel, Kavanagh, has previously worked in senior leadership
roles in the pharma, financial services, retail and public sectors, including
with Inizio, Axa, Primark and Ireland’s central bank, she stated on her website.
The site said she has also worked with “technology companies” as a “coach and
senior team facilitator.”
Kavanagh declined POLITICO’s request for comment, directing questions to the
publicjobs service and the Irish justice department.
REVOLVING DOOR COMPLAINT
Sweeney is set to take office Oct. 13 alongside co-Commissioners Des Hogan and
Dale Sunderland. The DPC switched to having three top commissioners after former
Data Protection Commissioner Helen Dixon (who carried out the role alone) left
office in 2024.
Sweeney worked as Facebook’s head of public policy in Ireland from 2015-2019,
then as EMEA director of public policy for WhatsApp until 2021, followed by a
year working as head of communications for financial technology firm Stripe. She
was a director at lobby firm Milltown Partners until this summer, her LinkedIn
page showed.
Sweeney’s appointment as co-commissioner raised concerns among privacy activists
when it was announced in September. Austrian privacy group Noyb described it as
Ireland’s “kissing US Big Tech’s backside” and said it left companies like Meta
to regulate themselves.
A candidate competing with Sweeney for the commissioner role submitted a
complaint about the process in April, publicjobs’ May letter seen by POLITICO
showed. The complainant’s name was redacted from the documents.
The complainant questioned the inclusion of tech lawyer Moore on the panel that
selected the former Meta official. They alleged that Moore had a conflict of
interest given his role “as a corporate lawyer who represents clients whose
business practices are regulated by the very agency this role oversees,”
according to the letter, which responded to the complaint.
Publicjobs in the letter defended the independence and expertise of the
board that it had assembled and said it was “assured that Mr Moore’s
professional role was not considered to conflict with his role on the Board.”
The complainant also argued that no member of the panel had enough technological
expertise to make a fair assessment of applications.
In the letter, publicjobs highlighted the “extensive” expertise of Moore in data
protection and cybersecurity.
GOVERNMENT STANDS BY APPOINTMENT
Publicjobs said in the letter that it found “no evidence that the Board convened
was inappropriate, or incapable of assessing candidates against the key
requirements of the role in question.”
In a written comment to POLITICO, a spokesperson for publicjobs said the
authority has “full confidence in the composition, independence, expertise and
qualifications of the chosen Assessment Board” to recruit a third data
protection commissioner, and that the complaint submitted about the competition
had been “fully addressed” by the service’s review process.
They said publicjobs works to ensure assessment boards for senior roles are
“balanced, diverse and not conflicted, with all panelists required to complete a
confidentiality agreement and a conflict-of-interest form.” Boards at this level
are approved by the service’s Chief Executive Margaret McCabe and Head of
Recruitment Talent Strategy Michelle Noone, the spokesperson added.
A spokesperson for Ireland’s Department of Justice, Home Affairs and Migration
told POLITICO the ministry is “fully satisfied with the appointment process.”
The Irish Data Protection Commission declined to comment, saying it was not
involved in the appointment process.
Blaney declined to comment, directing POLITICO to publicjobs and Ireland’s
justice department. McEntee did not immediately respond to a request for
comment.
Publishing the name of a professional athlete online because they have broken
anti-doping rules is against the EU’s privacy laws, a top EU lawyer has said.
The fresh opinion from Advocate General Dean Spielmann weighs a case taking
place in Austria, where four professional athletes who have broken anti-doping
rules are arguing that publication of their details online would breach the EU’s
General Data Protection Regulation.
Austrian law requires details including the athletes’ names, sporting
discipline, duration of their exclusion and the reasons for that exclusion to be
published on the websites of the Austrian anti-doping agency and an associated
legal committee.
Spielmann said he had “serious doubts” about the need to publish all those
details online, according to a court press release, on the basis that any
national laws that require personal data to be published have to be
proportionate.
He said publishing pseudonymized details on the internet would still deter
athletes from doping and prevent offenders from circumventing doping rules,
while also protecting the individual’s privacy.
The opinion is not binding but will inform the final decision at the Court of
Justice of the EU.
Mehdi Paryavi is the Chairman and CEO of the International Data Center Authority
think tank.
Every day we grow more reliant on technology. And the more we digitize our
lives, the more data we produce — health records, financial information, buying
habits, and so on. In fact, the amount of data handled by the internet continues
to double every three years.
As governments across the developed world accelerate their digitization of
public services in tandem — from health records to tax filings — their promise
is faster, cheaper and more efficient services for citizens. In practice,
however, things are much more complicated.
For example, the U.K. government’s new deal with Google will see vast amounts of
public data stored on U.S. servers, while Microsoft recently said it “cannot
guarantee” data sovereignty to customers in France — and by extension the rest
of the EU — if the U.S. government demanded access.
This situation raises questions that affect every single one of us: Who has
access to our digital footprint? Who actually owns this data? Who controls it?
And how can people trust governments to protect them from intrusion into their
private data?
Within the EU, the 2018 General Data Protection Regulation (GDPR) was enacted to
address these very issues. And the measure is generally considered to be a
success, having tightened the use of personal data by websites and companies in
the U.S. as well as Europe. Legislation like the Data Sovereignty Act, the Data
Act and the NIS2 Directive also stipulates EU control of data and prevents
unauthorized international access.
But even these seemingly strong measures won’t stop all forms of privacy
intrusion. And as the U.K. government seemingly works its way back into a
tighter relationship with the EU, its agreement with Google is worth examining.
Announced in early July, the deal states that the U.S. tech giant will provide
“free” technology to the U.K. government to modernize its outdated systems.
According to the U.K. Secretary of State for Science, Innovation and Technology,
more than 25 percent of public sector IT and as much as 70 percent of the
so-called legacy systems running parts of the country’s National Health Service
and police forces date back three to four decades.
Google wants to fix all this by replacing wheezing, inefficient technology with
the latest cloud-based systems, and will provide hundreds of millions of pounds
of in-kind services to do its good deeds. In return, it will be able to bid on
future public sector IT projects, and benefit from the goodwill and better
branding profile this will bring.
But is the U.K. government “dangerously naive” for turning the keys to the data
castle over to Google?
One of the major worries here is vendor lock-in — that is, the reliance on a
single vendor, which is headquartered in a foreign nation, for such a large and
critical amount of the government’s computing systems. There’s also the specter
of the U.S. government using its CLOUD Act to spy on and attempt to prosecute
U.K. residents.
The CLOUD Act — which stands for the tortured nomenclature, Clarifying Lawful
Overseas Use of Data Act — was written to “clarify” the circumstances under
which U.S. companies must comply with requests for data from the government. It
also created a framework for bilateral agreements with other countries to share
data, which seems to counter GDPR protections, as well as the general EU spirit
of protecting personal data from prying eyes.
Google has responded to all this by stating that all its technology will be
under the control of the U.K. government, and that it will challenge any U.S.
government efforts to intrude upon data privacy in the U.K. But is that enough
to erase concerns?
Meanwhile, a new deal with Microsoft is raising similar issues within the EU.
According to this agreement, Microsoft will invest as much as €5 billion to
upgrade public sector IT across the bloc. And just like Google, it stands to
benefit from better access to future public sector IT bids and the warm feelings
that come from its largesse.
Potential vendor lock-in is, again, an issue here. But more profoundly, recent
testimony by Microsoft France’s Director of Public and Legal Affairs Anton
Carniaux revealed that the company could not guarantee that data can’t be
exposed to the U.S. government by way of the CLOUD Act.
Carniaux’s testimony came after Microsoft outlined what it calls its
“diversified” approach to sovereign cloud data centers in the EU. For instance,
Microsoft plans to work with local companies Capgemini and Orange in France on a
joint venture named “Blue,” which will be designed as a trusted cloud platform.
And a similar sovereign cloud is planned in Germany, with SAP and Bertelsmann
subsidiary Arvato Systems.
But in all of this, we can’t forget that the data generated by the citizens of
these nations is invaluable for Big Tech. In today’s global economy, data is
more valuable than gold, and it should be preserved as such.
That’s why at the International Data Center Authority, we advise government
leaders to do their best to protect their national interests and the interests
of their citizens. We also advise them to create trusted alliances with their
economic peers on data and data rights, so there can be bilateral trade that
both enables data sovereignty and is financially lucrative.
A nation might have technical challenges with regard to its data center and
cloud infrastructure capabilities. It may be faced with financial obstacles in
tackling these challenges. But giving up national computing resources to outside
parties doesn’t warrant a visionary or long-term solution.
It’s also important to realize that tech giants have a bigger valuation and
larger budgets than many nations around the world. Their buying power, lobby and
influence are such that they can pull a wide spectrum of strings when
negotiating deals. They’re also for-profit entities that will ultimately do
what’s best for their stakeholders.
These companies are in constant search of resources like energy, water, land,
human capital and friendly regulations. At the same time, they have a mandate to
sell their services. And while the in-kind services to be provided by Google and
Microsoft will improve the underlying IT infrastructure of many nations and
foster goodwill, we can’t forget these companies must conduct a profitable
business.
Free services aren’t free forever.
That means that for the world’s technology purveyors, any nation that’s
struggling with its national computing capacities but can pay its bills on time
is a prime prospect. They’re also interested in any country or region that has
key resources but lacks the technological capacity to export advanced computing.
The U.K. and EU member countries meet this distinction, as do dozens of other
nations across the world. On more than a few occasions, proud officials have
told us that certain major vendors have agreed to talk to them about locating
cloud services in their country. But these companies are motivated by creating
new revenue and supporting market caps that now reach into the trillions of
dollars.
The enormous pressures tech giants face to continue to grow and maintain their
wealth shouldn’t be the concern of any government. Rather, it should be to serve
their societies and preserve national security, intellectual property and
individual privacy.
That’s where data sovereignty comes in.
Data sovereignty is the concept that each country maintains the data of its
government, businesses and residents on its own local systems, and protects that
information from foreign eyes. Today, data sovereignty is an integral part of
national sovereignty. And the governments of the U.K. and the EU must not
acquiesce to the wishes of big tech vendors — whether from the U.S. or anywhere
else — if doing so weakens data privacy within their countries.
Additionally, it is essential for political leaders to understand that the
physical borders of a nation define its data sovereignty. When it comes to
digitized data, sovereignty and privacy must be governed by the bounds of
cybersecurity and in the realms of the cyber world.
The idea of Google, Microsoft or any other large company having a presence
abroad certainly isn’t new. But big tech companies are different from Coca-Cola,
McDonald’s and Nike. They’re in the business of acquiring, refining and managing
data — which can be extremely profitable.
It’s no surprise to see tech leaders hoping to create as much business as
possible in a European economy that now collectively generates $25 trillion
annually. But for governments, the privacy rights of their citizens and
residents must come first.
Establishing trusted global alliances at the government level, ensuring the
privacy and integrity of national data isn’t compromised, and being watchful in
signing ambiguous agreements are vital.
Eternal vigilance is the price of maintaining data sovereignty.
BRUSSELS — Europe’s powerful privacy activists are wielding a sharp new legal
tool that, if successful, could see the cost of privacy breaches balloon into
the billions for Big Tech.
European consumers in recent years have seen a law take effect that allows them
to club together to look for compensation for damages caused by companies. Armed
with Europe’s blockbuster privacy law, the General Data Protection Regulation,
internet users — often represented by savvy digital rights groups — are now
gunning for big payouts.
The European Union has had a Collective Redress Directive in force since 2020,
designed in the wake of the Volkswagen emissions scandal to better protect large
groups of consumers from suffering the same harm, and to collectively look for
compensation. One of the laws the directive can help enforce is the GDPR.
Already, Dutch non-profit SOMI has launched collective redress actions against
TikTok and Meta; the Irish Council for Civil Liberties has lodged one against
Microsoft; and Austrian privacy group Noyb is preparing to launch its first
action against credit ratings agency CRIF.
Privacy groups see “a lot of potential” in collective redress as a new avenue,
especially for GDPR breaches by Big Tech, said Ursula Pachl, who last year took
on the role of spearheading collective redress actions at Noyb — one of Europe’s
most prolific privacy watchdogs — after more than a decade working at powerful
Brussels consumer lobby association BEUC.
“Enforcement has always been the Achilles heel of the European Union,
particularly in regards to consumer protection,” Pachl said.
The GDPR in particular lends itself well to collective action because “everybody
in Europe probably suffers from the same illegal behavior if there is a Big Tech
company who does something which doesn’t respect the GDPR,” she said.
Guillaume Couneson, a data protection lawyer with the firm Linklaters, said that
when a breach is confirmed by a data protection authority, collective redress
actions could “immediately [pop] up like mushrooms.”
MULTIPLYING FINES
A recent landmark court case highlighted just how much collective redress
actions could sting tech firms and others alike.
A judge at the EU’s General Court ruled in January that a complainant, Thomas
Bindl, was entitled to damages when he was faced with “some uncertainty” about
what happened to his data. Bindl’s case rested on his having clicked a “Sign in
with Facebook” hyperlink displayed on a European Commission webpage.
The judge ruled Bindl was owed €400 in damages — a judgement that was quickly
seen as setting the bar for compensation for a single breach of the GDPR.
Couneson said the case “surprised many by the height of the damages” and had
raised immediate concerns for businesses about the multiplier effect of what
happens if “it’s a million people claiming €400.”
That’s a daunting prospect for Big Tech firms, especially if such class action
cases take off in Europe, where the tech sector has faced much heavier
regulatory scrutiny and court losses than in the United States.
Class actions are predominantly a phenomenon of the U.S. legal system, where
they are seen as a way to relieve courts of many similar cases and for consumers
to get compensation in a more cost-effective way.
But the U.S. system has also led to court cases driven by opportunistic
litigation, with lawyers actively rallying plaintiffs to bring forward a case in
order to take a cut of the winnings.
Countries like the Netherlands and Belgium have long traditions of collective
action for consumers, while in other EU countries legal routes have been limited
or don’t exist. But before the directive, legal avenues to take consumer group
actions were “quite patchy” across the EU, said Florence Danis, also a lawyer at
Linklaters.
The first article of the EU directive on collective redress says it will put in
place “appropriate safeguards to avoid abusive litigation.” The power to take up
cases is granted only to not-for-profit, independent, consumer-focused
organizations, while EU countries are required to create a legal route for these
“qualified entities.”
According to Karen Shin, a California-based privacy lawyer at law firm Blank
Rome, non-profits might be less inclined to take genuine cases due to the costs
they could trigger. In many EU countries as well as in the United Kingdom, the
losing side of a court case pays for attorney’s fees and costs, which “may limit
the usage of class actions in the EU,” she said.
NEW PRIVACY BATTLEGROUNDS
Enforcement of the GDPR was designed to be the domain of national data
protection authorities across the EU. Because the principle of a “one-stop shop”
regulator was built into the law, most of the landmark privacy cases have fallen
into the hands of Ireland’s chief regulator, the Irish Data Protection
Commission.
Charged with regulating the many Big Tech companies headquartered in the
country, the Irish regulator has handed down most of the biggest fines in the
history of the GDPR, including the €1.2 billion against Meta over data transfers
to the U.S. and the €530 million against TikTok relating to Chinese data
transfers.
But those fines took years to decide. For years, civil society and other data
protection regulators were left frustrated over perceived inaction by the Irish
DPC. Noyb has repeatedly criticized the Irish regulator over what it describes
as tardy or lenient enforcement against Big Tech.
A 2023 report from the Irish Council of Civil Liberties estimated that 67
percent of the Irish DPC’s EU-level investigations had been overruled by a
majority of its European counterparts demanding tougher enforcement action.
Ireland has also thrown up barriers to the use of collective action, through
both centuries-old laws and its implementation of the new directive.
The country’s legal system prohibits third-party funding of collective actions,
harking back to old laws from as early as the 14th century that were reaffirmed
by the Irish Supreme Court in 2017. Ireland has also limited contributions from
consumers to collective cases at €25 per person.
This is something that Noyb, a familiar presence in Irish courts, has raised as
a concern with the European Commission, arguing it infringes on the EU
directive. EU countries “[have] a positive obligation to make sure that
financially it’s not an obstacle” to start collective action cases, Pachl said.
Ireland will still be an “obvious forum” for GDPR collective redress actions,
given that many Big Tech defendants are based there, said Linklaters’ Danis.
But, she added, consumers are not geographically bound by the directive: “Even
if you’re an Irish plaintiff or representative, you could go before the French
court to claim damages to the benefit of French consumers, for instance.”