Analysis: Rising data sovereignty concerns in Europe following Donald Trump’s election as US President in January are increasing interest in Europe-based storage providers such as Cubbit, OVHcloud, and Scaleway.
The EU has GDPR, NIS2, and DORA regulations that apply to customer data stored in the bloc. However, US courts could compel companies under US jurisdiction to disclose data, potentially overriding EU privacy protections in practice.
EU data regulations
GDPR, the General Data Protection Regulation, harmonized data privacy laws across Europe with regard to the automated processing of personal data as well as rules relating to the free movement of personal data and the right to have personal data protected. GDPR’s scope applies to any organization located anywhere that processes the personal data of EU residents.
NIS2, the EU’s cybersecurity Network and Information Security 2 directive, took effect in October last year with operational security requirements, faster incident reporting, a focus on supply chain security, harsher penalties for non-compliant organizations, and harmonized rules across the EU. While NIS focuses on the security of network and information systems, the UK GDPR is concerned with the processing of personal data.
DORA, the EU regulation on Digital Operational Resilience for the financial sector, establishes uniform cybersecurity requirements for financial bodies in the EU. DORA and NIS complement and coexist with GDPR.
There is an EU-US Data Privacy Framework (DPF) set up in 2023. This is a legal agreement between the EU and US intended to allow the secure transfer of personal data to US companies that participate in the framework, thus ensuring that the data is protected at a level comparable to the EU’s GDPR.
US companies – excluding banks and telecom providers – can self-certify through the Department of Commerce, committing to privacy principles like data minimization, purpose limitation, and transparency. Periodic reviews by the European Commission and data protection authorities will monitor compliance.
GAIA-X
Lastly, there is the European GAIA-X cloud framework, launched in 2019 to create a federated, secure, and sovereign digital cloud infrastructure for Europe. It aims to ensure that European data remains under European control, adhering to EU laws such as GDPR. But it is only a framework: new and existing cloud service suppliers in the EU have to adopt it.
US suppliers like AWS, Azure, Microsoft, and Palantir have joined GAIA-X, though not as full members. They remain subject to US jurisdiction under the CLOUD Act, potentially compromising the initiative’s goals. French founding member Scaleway left the organization in 2021 because of such doubts.
US supplier EU data sovereign clouds
US-based public cloud suppliers have set up operations they say comply with GDPR rules. AWS has set up its European Sovereign Cloud, standalone cloud infrastructure physically located in the EU (starting with Germany), operated by EU-resident personnel, and designed to keep all data and metadata within EU borders. It enables customers to select specific EU region centers, such as Frankfurt, Ireland, and Paris, for data storage and processing.
Azure supports GDPR constraints with an EU Data Boundary concept. This ensures customer data for services such as Azure, Microsoft 365, and Dynamics 365 is stored and processed within EU and European Free Trade Association (EFTA) regions. Azure also provides multiple EU regions, such as Germany, France and Sweden, to further localize data within the EU geography and says it supports the GAIA-X framework.
Google Cloud partners with EU suppliers, such as T-Systems in Germany, to offer local sovereign cloud options, restricted to, for example, Belgium, Finland, or Germany. Data residency and operations are managed within Europe, sometimes with encryption keys controlled by external partners rather than Google. Even Oracle has set up an EU-only sovereign cloud.
US law and EU data sovereignty
However, certain US legal powers affect the situation and raise doubts about whether US-based providers of EU sovereign clouds can refuse US government requests for access to EU citizens’ data.
The 2008 Foreign Intelligence Surveillance Act’s section 702 (FISA 702) authorizes the warrantless collection of foreign communications by US intelligence agencies like the NSA, targeting non-US persons located outside the United States for national security purposes. A Court of Justice of the European Union (CJEU) ruling in 2020 declared that FISA 702’s lack of judicial oversight and redress for EU citizens makes US privacy protections inadequate under GDPR.
The 2018 CLOUD (Clarifying Lawful Overseas Use of Data) Act raises questions about the vulnerability of US public cloud suppliers to government demands for access to their EU-stored data. It allows authorities to compel US-based tech companies to provide data about a specific person or entity, stored anywhere in the world, under a warrant, subpoena, or court order.
Companies can challenge such US orders in court if they conflict with foreign laws like GDPR, and if the target is not a US person and does not reside in the US. The CLOUD Act could thus override the 2023 EU-US Data Privacy Framework.
Until a court rules that US public clouds and supplier-controlled EU sovereign clouds are not subject to FISA 702 and/or CLOUD Act requests for access to EU citizens’ data, and that they can refuse such requests, their adherence to EU data privacy laws must remain in doubt.
We might imagine what could happen if the US Trump administration told a US public cloud supplier to give it access to an EU citizen’s data. They could well accede to such a request.
The most certain way for an EU organization to ensure that citizens’ private data is not accessible to US government inspection is to store it in strictly EU-controlled IT facilities, such as its own systems, France’s OVHcloud, Cubbit’s decentralized cloud, and other regional cloud storage suppliers.