Myth 1: “Our data is stored in an EU data centre, so it is covered by EU law”
This is the most common misunderstanding in the market, and the most dangerous one.
Data residency and data sovereignty are not the same thing. Residency is a geographical fact: it tells you where the server physically sits. Sovereignty is a legal reality: it tells you which jurisdiction’s laws govern that data and who has the authority to compel access to it.
The critical instrument here is the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018). Under the CLOUD Act, US authorities can compel a provider that is subject to US jurisdiction to produce data in its possession, custody or control wherever in the world that data is stored, including within the European Union. The physical location of the data centre is legally irrelevant. If your cloud provider is a US company, or the subsidiary of one, your data in Frankfurt is still potentially accessible to US agencies under a valid CLOUD Act order, regardless of what the provider’s contractual terms say about EU jurisdiction. The Act does let a provider move to quash an order that conflicts with the law of a “qualifying foreign government”, but that status depends on a CLOUD Act executive agreement, and the EU has not concluded one; the conflict with EU law therefore has to be argued on general comity grounds rather than under the statute’s own mechanism.
Why GDPR compliance doesn’t close the gap
The General Data Protection Regulation (EU Regulation 2016/679) does not resolve this conflict. GDPR governs how organisations collect, process and transfer personal data, and it imposes strict conditions on transfers outside the EEA. However, GDPR compliance is a separate question from CLOUD Act exposure. An organisation can be fully GDPR-compliant on paper and simultaneously hold data that is legally accessible to US federal agencies; indeed, Article 48 GDPR states that a third-country court or authority order is enforceable in the EU only on the basis of an international agreement such as a mutual legal assistance treaty, which is precisely the point at which the two frameworks collide. They are two different legal regimes operating in parallel, and assuming that GDPR compliance provides a shield against extraterritorial US law is a mistake that continues to catch organisations out.
The Court of Justice of the European Union reinforced this tension in its Schrems II judgment (Case C-311/18, 16 July 2020), which invalidated the Privacy Shield framework precisely because US surveillance law (notably FISA Section 702 and Executive Order 12333) created risks that EU data protection law could not adequately counteract. While the EU-US Data Privacy Framework (adequacy decision adopted in July 2023) has attempted to address this, it has been challenged before the EU courts and its long-term durability cannot be guaranteed. Note, too, that the Data Privacy Framework concerns transfers and intelligence-agency access; it does not alter the CLOUD Act’s reach over data a US provider holds in the EU.