The “EU Servers” Illusion
You have probably heard that storing your data on EU servers keeps it safe from US surveillance. It sounds logical. But here is the problem: the CLOUD Act and GDPR are on a direct collision course, and where the servers sit is not actually what matters. What matters is where the company is incorporated. If it is a US company, US law can reach your data – no matter which country the servers are in.
What Is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act – or CLOUD Act – was signed into US law in 2018. It gives US law enforcement (the FBI, the Department of Justice) the power to compel US companies to hand over data they hold, wherever in the world that data is stored.
In practice:
- A US company gets a court order or subpoena
- It is legally required to hand over the data
- This applies even if the data is sitting on servers in Germany, France, or anywhere else in the EU
- The person whose data is taken may never be told
The US can also sign data-sharing agreements with other governments under the CLOUD Act. But there is no such agreement with the EU – and negotiations have stalled repeatedly.
What Does GDPR Say?
The General Data Protection Regulation (GDPR) has been in force since May 2018. It gives people in the EU strong rights over their personal data and puts strict obligations on anyone who handles it.
The parts that clash most directly with the CLOUD Act:
- Lawful basis: You can only share or transfer personal data if you have a valid legal reason – consent, contract, legal obligation, etc.
- Third country transfers: Sending data outside the EU/EEA is only allowed if the receiving country offers equivalent protection, or if proper safeguards are in place.
- Transparency: People must know how their data is used and who can access it.
How the CLOUD Act and GDPR Actually Conflict
Here is where it gets uncomfortable for anyone using a US cloud service.
1. Companies Are Caught Between Two Laws
Under GDPR, a company cannot just hand over EU user data to a third party without a proper legal basis. But the CLOUD Act can force exactly that. A US company ordered to hand over data has two bad options: comply with the CLOUD Act and potentially violate GDPR, or refuse and violate US law. There is no clean way out.
2. “EU Servers” Does Not Mean “EU Law”
Many US cloud providers sell EU data residency as a privacy feature. It does matter for some things – but not for the CLOUD Act. US jurisdiction follows the company, not the server. If a US company controls your data, even on European infrastructure, it is still within reach of US law enforcement.
3. What Happened with Privacy Shield
In 2020, Europe’s top court (the Court of Justice of the EU) struck down the EU-US Privacy Shield agreement – the framework that was supposed to make data transfers between the EU and US legal. The reason? US surveillance law did not offer EU residents adequate protection. This is known as the Schrems II ruling, named after the Austrian privacy activist who brought the case.
In plain terms: Europe’s court looked at how US law treats EU data and said it was not good enough.
4. The New Framework – Better, But Not a Full Fix
In 2023, the EU and US introduced a replacement called the Data Privacy Framework (DPF). It added new safeguards and gave EU residents a way to complain if their data was misused. But:
- It is already being challenged in court again (activists argue it does not fix the core problem)
- It does not cancel out the CLOUD Act – US authorities can still demand data under national security orders
- Being DPF-certified does not make a US company immune to CLOUD Act requests
The European Data Protection Board has consistently warned that transfers to the US carry risks that organisations need to assess carefully.
What This Means for Your Business
If you are running a business in the EU and storing customer data with a US provider, this is not just a theoretical issue. It has real compliance implications – especially if you are dealing with the kind of data covered by regulations like the EU AI Act, which puts strict rules on how personal data is used in automated systems.
- If US authorities access your customer data, you could be in breach of GDPR – even though you did nothing wrong
- US gag orders can prevent the provider from telling you it happened
- The compliance risk falls on you, not on the US provider
- Regulators in Germany (BfDI) and France (CNIL) have explicitly warned against using certain US services for sensitive data
And if you are an individual: your files, documents, and communications could theoretically be accessed by US law enforcement without your knowledge, with no direct legal recourse available to you as an EU resident.
What to Check Before Choosing a Cloud Provider
Before trusting any service with your data, these are the questions worth asking:
| Question | Why It Matters |
|---|---|
| Where is the company incorporated? | US-incorporated = CLOUD Act jurisdiction, regardless of server location |
| Where are the servers? | Matters for GDPR data residency and some local regulations |
| Does the provider offer zero-knowledge / client-side encryption? | If they cannot read your data, anything they are compelled to hand over is ciphertext they cannot decrypt |
| What legal framework governs them? | Swiss law, EU law, or US law – each has different implications |
| Do they publish transparency reports? | Shows whether they have received and responded to government requests |
| Do they have a Data Processing Agreement (DPA)? | Required for GDPR compliance when handling business data |
The Safest Option: Providers Outside US Jurisdiction
The cleanest way to avoid CLOUD Act exposure is to use a provider that is not subject to US jurisdiction at all – one incorporated outside the US with no significant legal presence there.
European and Swiss providers operate under entirely different legal frameworks. Switzerland in particular has some of the world’s strongest data protection laws and is not subject to US extraterritorial legislation – which is why a number of privacy-focused services are based there.
On top of that, providers that offer client-side encryption (also called zero-knowledge encryption) give you an extra layer of protection. Your files are encrypted on your device before they are uploaded, and only you hold the key. Even if a provider is compelled to hand over data, all they can give is encrypted files that are useless without your key.
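To make the zero-knowledge arrangement concrete, here is an added Go example (written for this article; it is not code from any provider or from the original text). It models a client that encrypts a file with AES-256-GCM on the device before upload, a provider that stores the blob without ever seeing a key, and a hand-over that returns exactly what the provider holds. The names `ClientKey`, `EncryptOnDevice`, `Provider` and `HandOver`, and the sample document, are all constructed for the illustration; a real client would normally derive the key from a passphrase or keep it in the OS keychain rather than holding a raw random key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientKey lives only on the user's device. In this constructed example it is
// a random 256-bit key; it is never sent to the provider.
type ClientKey [32]byte

// NewClientKey generates a fresh key on the device.
func NewClientKey() (ClientKey, error) {
	var k ClientKey
	if _, err := rand.Read(k[:]); err != nil {
		return k, err
	}
	return k, nil
}

// Blob is everything the provider ever receives for one file: a name (left in
// the clear here to keep the example readable; a strict zero-knowledge client
// would encrypt metadata too), a per-file nonce, and AES-GCM ciphertext + tag.
type Blob struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key ClientKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptOnDevice runs before upload. The file name is bound as associated
// data, so a stored ciphertext cannot be silently re-labelled as another file.
func EncryptOnDevice(key ClientKey, name string, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return Blob{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptOnDevice is the only path back to plaintext, and it needs the key.
// A wrong key or a modified blob fails authentication instead of yielding garbage.
func DecryptOnDevice(key ClientKey, b Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Name))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered blob")
	}
	return pt, nil
}

// Provider stands in for the cloud service. It stores blobs and, if compelled,
// hands them over exactly as received. Note that it has no key field at all.
type Provider struct{ store map[string]Blob }

func NewProvider() *Provider { return &Provider{store: map[string]Blob{}} }

func (p *Provider) Upload(b Blob) { p.store[b.Name] = b }

// HandOver models a legal demand: the provider returns everything it holds
// for the file. With client-side encryption that is ciphertext and a nonce.
func (p *Provider) HandOver(name string) (Blob, bool) {
	b, ok := p.store[name]
	return b, ok
}

// LeaksPlaintext is a sanity check a reviewer might run: does the stored blob
// contain the document bytes in the clear? For a correct client it never does.
func LeaksPlaintext(b Blob, plaintext []byte) bool {
	return bytes.Contains(b.Ciphertext, plaintext)
}

func main() {
	key, _ := NewClientKey()
	doc := []byte("customer list: alice@example.org, bob@example.org") // constructed sample
	blob, _ := EncryptOnDevice(key, "customers.csv", doc)

	cloud := NewProvider()
	cloud.Upload(blob)

	handed, _ := cloud.HandOver("customers.csv")
	fmt.Printf("provider holds %d bytes; plaintext visible: %v\n",
		len(handed.Ciphertext), LeaksPlaintext(handed, doc))

	back, err := DecryptOnDevice(key, handed)
	fmt.Printf("owner decrypts: %q (err=%v)\n", back, err)
}
```

The point of the design is visible in the types: `Provider` has nowhere to put a key, so a hand-over can only ever return `Blob`. AES-GCM rather than an unauthenticated mode also means that a blob altered in transit or in storage is rejected on the device instead of decrypting to silent garbage.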
If you are also thinking about where to base your business from a legal and tax perspective, it is worth reading our breakdown of EU company tax rules – the country you register in affects more than just your tax bill.
Bottom Line
The CLOUD Act and GDPR pull in opposite directions. One extends US government reach around the world; the other is designed to protect Europeans’ data rights. When a US company holds your data, those two forces collide – and you are the one caught in the middle.
“EU servers” is not the same as “EU law.” Check the legal address, not just the server address.
