American software and European privacy: a dangerous combination?

You may think your organization doesn't use U.S. software, but are you really sure? What are the possible risks? Read all about it in our new article.

In a world where data is the new gold, the question arises: who guards your digital safe? Especially now that Donald Trump is back in power in the United States, the protection of personal data is coming under heavy pressure, and that also affects European companies, governments and citizens.

1. The crumbling protection of privacy in the U.S.

The United States does not have an overarching national privacy law as we have in Europe. Instead, there are fragmented sectoral rules, with large gaps in personal data protection. U.S. government agencies, such as the NSA, can request data from companies like Google, Microsoft, Amazon and Meta under surveillance laws.

What makes the situation extra worrisome: the main U.S. regulator in this area, the Privacy and Civil Liberties Oversight Board (PCLOB), has effectively been eliminated. After three critical members were fired by President Trump, only one member remains. And all this while this regulator was supposed to guarantee that European privacy rights would be respected in the U.S.

Trump has also signed a presidential order that calls into question the entire Data Privacy Framework (DPF). This very agreement was meant to ensure secure data exchange between Europe and the US, but now it too - like its predecessors - is in danger of being destroyed.

Gertjan Westerlaken, privacy & security officer Johan.nl: "That the US is allowing privacy to erode even further is also clear from their latest budget and tax bill, Trump's 'One big, beautiful bill.' This bill - recently passed by the House of Representatives - gives AI free rein. In fact, American states are not allowed to pass their own legislation to curb artificial intelligence for the next 10 years. And everyone knows: AI platforms thrive only thanks to their enormous data hunger. And what data that is, everyone also knows: your data, your personal data."


2. How has Europe arranged this?

Within the European Union, we have the Algemene Verordening Gegevensbescherming (AVG), known internationally as the General Data Protection Regulation (GDPR). This law is strict, uniform and applies to all EU member states. In addition, the AVG has extraterritorial effect: companies outside the EU must also comply when processing data of EU citizens.

There is also a data storage principle in Europe: personal data may only be stored outside the EU if the country in question offers an equivalent level of protection. The EU assesses this carefully and has previously found that the U.S. did not meet this standard. Twice before, the European Court of Justice has declared a data deal with the U.S. invalid.

With the AVG, Europe is basically one jurisdiction, which means data can move freely within the EU as long as it is properly secured. Unlike the U.S., here the government cannot simply request your data without the intervention of a judge or legal basis.

Gertjan Westerlaken, privacy & security officer Johan.nl: "The AVG is a powerful European response to the need to protect personal data. Because Johan.nl was founded in the same period in which the AVG came into being, we have embedded the principles of 'privacy-by-design' in our software, processes and way of working from the beginning. As a result, our platform is inherently secure and fully AVG compliant.

Since its inception, our customer data has deliberately been stored exclusively on servers in Dutch data centers. At the same time, building a secure and scalable platform sometimes requires choices in which foreign technology cannot be completely avoided.

For example, in addition to our Dutch servers, we use Cloudflare as an extra layer of security. Of course, we do this under strict conditions and with additional measures to maintain maximum control over our data. For example, our SSL certificates via Cloudflare are managed exclusively on European servers, so that sensitive information remains within the EU.

In this way, we combine global technological strength with European privacy values - an approach that is more important than ever in today's geopolitical climate."


3. What is the risk of U.S. software vendors for research?

To conduct surveys - think health surveys, customer satisfaction, policy analysis - organizations often use U.S. tools such as SurveyMonkey, Google Forms, Microsoft Forms, Qualtrics or QuestionPro. But there are some risks here:

  • The data collected through these tools regularly ends up (invisibly) on U.S. servers.
  • When you work with sensitive personal data (such as in healthcare, government, or education), there can be serious privacy risks - and possible legal consequences for your organization.

Specifically, what does this mean for your organization?

If you collect or process personal data with U.S. software, you run the risk of:

  • violating European privacy rules;
  • losing access to your own data, for example if the U.S. suddenly blocks certain access;
  • legal sanctions from European regulators;
  • your data being used to train AI models, further loosening your grip on data protection.

Conclusion: European data belongs in Europe

The message is clear: protect your organization, your employees and your customers by consciously choosing AVG compliant software whose data is stored and managed in the EU. There are plenty of European alternatives for research and data processing tools that do comply with our privacy rules.

At a time when privacy is under pressure, it is crucial not to lose control of your own data.

Gertjan Westerlaken, privacy & security officer Johan.nl: "In the end, both privacy and information security are about one simple motto: 'Say what you do; do what you say and prove it'.

We have been able to fully implement the promises and core values from our privacy statement in our organization and our software because, from day one, we ask ourselves the same question over and over again: 'does this contribute to the privacy of our customers?' If no: get rid of it. If yes: do it!

And as for demonstrability: since 2018, Johan b.v. has been ISO 27001 certified. Every year since then, it has been demonstrated again that Johan b.v. meets strict requirements regarding security and privacy. In addition, Johan b.v. is also NEN 7510 certified - the Dutch standard for information security in healthcare. This certification underlines that Johan b.v. meets the highest security standards when processing health data."

Want to be sure your organization is truly AVG-proof?

Let us take a no-obligation look with you. We are happy to help you understand your software usage and advise on safe, powerful European alternatives. Please contact support@johan.nl.