EU Data Centre, US Rules: Why Server Location Does Not Protect You
You picked eu-central-1. Your data is in Frankfurt. It never leaves German soil. You feel compliant. But the CLOUD Act lets US courts compel American cloud companies to hand over that data anyway, and FISA 702 lets intelligence agencies help themselves without even asking a judge. Server location was never the thing that mattered. Provider nationality is.
Key Takeaways
- The CLOUD Act (2018) says US providers must hand over data "regardless of whether such data is located within or outside of the United States." Picking an EU region changes nothing.
- FISA 702 lets intelligence agencies collect data on non-US persons from US providers, no individual warrant needed, no notification required. Your EU data centre is not exempt.
- AWS, Microsoft, and Google all have "EU data boundary" programmes. All three companies' own transparency reports show tens of thousands of US government data requests processed per year.
- The only reliable fix is using a provider that US courts have no jurisdiction over. That means EU-headquartered, no US parent company, full stop.
The Comfortable Lie
You chose eu-central-1. Frankfurt. Your data never leaves German soil, your procurement team checked, your compliance officer signed off, everyone moved on.
This is how basically every European company thinks about cloud security. Pick a local region, tick the GDPR box, stop worrying. And it's wrong. Not in some edge-case theoretical way. Fundamentally, structurally wrong.
What matters is not where the server sits. It's who owns it. If your provider is an American company, US law enforcement and US intelligence agencies can force it to hand over your data regardless of which continent the hardware lives on. Server in Frankfurt, warrant from Virginia, and the provider has no choice but to comply.
This isn't hypothetical. It's the explicit, intended purpose of two US laws: the CLOUD Act and FISA Section 702. Between them they give the US government a legal pipe into any data centre run by an American company, anywhere on Earth. They've been on the books for years. Most people just haven't read the fine print.
The CLOUD Act: Location Is Irrelevant
The Clarifying Lawful Overseas Use of Data Act passed on 23 March 2018. The whole thing boils down to one sentence: US providers must comply with legal process requiring disclosure of data "regardless of whether such communication, record, or other information is located within or outside of the United States."
That sentence exists because of a fight between Microsoft and the FBI. In 2013, the feds wanted emails sitting on Microsoft servers in Dublin. Microsoft said no, a US warrant shouldn't reach Irish soil. The Second Circuit agreed in 2016. So Congress just... changed the law. The CLOUD Act was written to make sure jurisdiction follows the company, not the server. We cover the whole saga in our Microsoft Ireland case piece.
In practice it works like this. A federal court sends a warrant to AWS, Microsoft, or Google saying produce all records for account X. The provider looks it up and finds the data in eu-west-1 (Dublin). Doesn't matter. Under the CLOUD Act they have to hand it over, same as if it were in Virginia. Refuse and you're in contempt.
There's a narrow "comity" escape hatch. Providers can push back if compliance would break the laws of a "qualifying foreign government." Catch is, that only works for countries with a CLOUD Act executive agreement. The EU doesn't have one. As of 2026 only the UK does. For EU data the comity provision is basically decorative. See our full CLOUD Act breakdown for the legal detail.
FISA 702: Surveillance Without a Warrant
The CLOUD Act is about law enforcement, FBI cases, criminal investigations, subpoenas. FISA 702 is about intelligence. And its scope is much wider.
Section 702 of the Foreign Intelligence Surveillance Act lets the NSA hoover up communications and data of non-US persons from American "electronic communications service providers" without getting individual warrants. The people being surveilled don't have to be suspected of anything. They don't get told. There is no judge reviewing individual collection decisions; the FISA Court just rubber-stamps targeting procedures (broad categories), not specific people.
AWS, Microsoft, and Google are all classified as electronic communications service providers under 702. When the NSA sends a directive, the provider must comply and is legally barred from telling the affected customers. This isn't some theoretical scenario. It was the operational backbone of PRISM, the programme Snowden blew the whistle on in 2013.
In April 2024, Congress reauthorised and expanded FISA 702 through RISAA (Reforming Intelligence and Securing America Act). They broadened the definition of who counts as an electronic communications service provider, pulling in even more companies. The programme runs through April 2026.
So if you're a European company on AWS eu-central-1, here's what that looks like: the NSA can direct Amazon to hand over data about your European customers, from the Frankfurt data centre, with no warrant, no notification to you, and Amazon literally cannot tell you it's happening. Your data never left Germany. A copy of it ended up in Fort Meade, Maryland anyway.
What the Hyperscalers Actually Promise
All three big US clouds have put out EU data boundary announcements since Schrems II. They sound reassuring. Read the fine print and you get a different picture.
AWS. Amazon lets you pick EU regions and its GDPR Centre says customers can keep data in the EU. Great. But the AWS Information Requests page also says they handle law enforcement requests "in accordance with applicable law", which for a company incorporated in Seattle means the CLOUD Act. Their transparency reports aren't small either: 1,379 subpoenas, 757 search warrants, and 305 court orders from US authorities in just the first half of 2023.
Microsoft. The EU Data Boundary for the Microsoft Cloud launched in May 2022 and promises all customer data stays in the EU. Sounds great until you check Microsoft's own Law Enforcement Requests Report: over 56,000 US government requests for customer data in 2023. The EU Data Boundary docs quietly mention that "lawful government requests" can override the boundary. So much for the promise.
Google Cloud. Google did something more interesting: it partnered with T-Systems (Deutsche Telekom) on a Sovereign Cloud in Germany where T-Systems holds the encryption keys. This is genuinely the strongest model of the three because it puts a non-US entity between Google and the data. Problem is it's only available in Germany, only for specific setups. The vast majority of Google Cloud customers are running on standard regions where Google LLC has full operational control. Google's Transparency Report: over 67,000 US government data requests in 2023.
Same story three times. They all offer data residency controls that keep your bits physically inside the EU. None of them can promise that the US government won't come knocking, because US law doesn't give them that option. The fine print always carves out an exception for "lawful government requests." And "lawful" is defined by American courts, not European ones.
The GDPR Conflict Nobody Can Resolve
Here's the impossible situation. GDPR Article 48 says third-country court orders demanding a data transfer can only be enforced if there's an international agreement like a mutual legal assistance treaty backing it up. A CLOUD Act warrant is a third-country court order. There's no US-EU executive agreement. So when a US provider hands over EU personal data to comply with the CLOUD Act, they are violating GDPR Article 48.
And if they refuse? Contempt of court in the US.
You can't engineer your way out of this. Encryption doesn't help if the provider holds the keys, and they do by default for every managed service on every hyperscaler. Contracts don't help because no clause in a DPA overrides a federal court order. Picking a different region doesn't help because region selection doesn't change the provider's legal obligations. It's a structural problem, not a configuration problem.
The CJEU basically said this in Schrems II. They killed Privacy Shield specifically because US surveillance law gives authorities access to data held by US providers in ways that are fundamentally incompatible with EU rights. The Data Privacy Framework (adopted July 2023) tries to patch this with Executive Order 14086, but critics point out the executive order doesn't actually change the surveillance architecture. It's widely expected to be challenged before the CJEU.
The European Data Protection Board has said explicitly that CLOUD Act orders cannot be a valid legal basis for transfers under GDPR. That's the EU's own regulatory body telling you, in writing, that when your US cloud provider obeys a US court order for your data, it's a GDPR violation. Both sides of the Atlantic are telling providers to do contradictory things and nobody has a fix.
What Actually Protects Your Data
If you want to actually eliminate US jurisdictional exposure, you have to take the US company out of the picture. Not partially, not behind a proxy, completely. That means a cloud provider that's:
- Headquartered and incorporated in the EU — no US parent, no US subsidiary, no controlling shareholder that's American
- Running data centres in the EU — no operational dependencies on US infrastructure
- Simply not subject to US courts — because there's no corporate entity or presence giving them jurisdiction
OVHcloud (France), Hetzner (Germany), Scaleway (France), IONOS (Germany), Infomaniak (Switzerland), Exoscale (Switzerland) — they all fit. If a US court sends a CLOUD Act warrant to any of these companies the answer is short: we're not subject to your jurisdiction. No conflict, no comity analysis, no drama.
There's also a middle ground that might work for some organisations. Google's T-Systems partnership for its German Sovereign Cloud puts encryption keys and operational control in the hands of a non-US entity. Microsoft has done similar deals with EU operators in some countries. These "operated-by" arrangements haven't been tested in court so nobody really knows if they'd hold up, but structurally they do break the chain of US legal control. If you need hyperscaler capabilities and can't fully migrate to EU providers yet, it's probably the best compromise available right now.
If you're thinking about making the switch, our piece on vendor lock-in with US hyperscalers covers what the migration actually costs. For the full legal picture, read our explainers on the CLOUD Act, FISA 702, and the Microsoft Ireland case. And for the bigger strategic question, there's our take on what digital sovereignty actually means.
Frequently Asked Questions
Does storing data in an EU region protect it from US government access?
No. If the cloud provider is American (AWS, Microsoft, Google), the CLOUD Act forces them to hand over data no matter where it's stored. FISA 702 gives intelligence agencies access without individual warrants. Where the server sits doesn't change what US law requires the company to do.
Can AWS or Microsoft refuse a US government data request for EU data?
Technically they can challenge an order through the CLOUD Act's comity provision, but that only works for countries with a US executive agreement and the EU doesn't have one. In practice providers comply. AWS alone processed over 2,400 US government requests in the first half of 2023.
What about encryption? If my data is encrypted at rest am I safe?
Only if you hold the keys yourself and the provider can't access them. For most managed services the provider manages the encryption keys and can decrypt when a court order tells them to. "Hold your own key" setups exist but they're not the default and they limit which services you can actually use.
Does the EU-US Data Privacy Framework solve this problem?
It gives a legal basis for transfers but doesn't change how US surveillance actually works. FISA 702 was expanded in 2024 after the DPF was adopted. Privacy groups are expected to challenge it before the CJEU. Betting your compliance on the DPF is betting on legal stability, and the last two frameworks that tried this (Safe Harbor, Privacy Shield) both got struck down.
Which cloud providers are not subject to the CLOUD Act or FISA 702?
EU-headquartered ones with no US parent company. OVHcloud (France), Hetzner (Germany), Scaleway (France), IONOS (Germany), Infomaniak (Switzerland), Exoscale (Switzerland). US courts have no jurisdiction over them so there's nothing to compel.