Your Cloud Says 'EU Region'. Your Data Can Still Reach US Courts.
A US Supreme Court ruling just weakened the legal framework behind EU-US data transfers, and a separate US law has made server location irrelevant for years. Here is what changed and why real EU data sovereignty is more important than ever.
You check where your data is stored and see 'EU region', so you assume you are protected. For most tools built on American infrastructure, however, this assumption is incorrect. A recent US Supreme Court ruling has now considerably weakened the legal basis for EU-US data transfers. In addition, a separate US law has rendered the 'EU server region' irrelevant for years, a fact that many businesses have ignored or that has gone unnoticed by most.
The Legal Foundation Just Cracked
The EU-US Data Privacy Framework (DPF) allows companies to legally transfer personal data from the EU to certified US companies. That framework depends on two US bodies acting as independent watchdogs: the FTC, which enforces privacy commitments, and the Privacy and Civil Liberties Oversight Board (PCLOB), which oversees US intelligence agencies.
In June 2026, the US Supreme Court ruled in Trump v. Slaughter that the FTC is not independent from the President after all, overturning the decades-old precedent that had protected agency commissioners from at-will removal. The EU's 2023 adequacy decision explicitly relied on that supposed independence as a safeguard for EU citizens' data. Separately, the PCLOB has already lost three of its four sitting members, all of whom were fired by the current administration in January 2025. However, a federal court ruled that these dismissals were unlawful and ordered reinstatement. This litigation remains unresolved and is now effectively on hold pending the outcome of Trump v. Slaughter. In practice, neither watchdog is currently functioning as the independent body that the EU assumed it was when it approved the framework.
Max Schrems and noyb have announced that they are preparing to launch a legal challenge against the DPF. If successful, this would be the third EU-US data transfer deal to collapse in a decade, following the Safe Harbour deal in 2015 and the Privacy Shield deal in 2020. It is important to note that the DPF has not yet been struck down. The ruling establishes legal grounds for a challenge, but the framework remains formally in force unless and until the European Commission revisits its adequacy decision or EU courts rule against it in response to a new complaint. Both previous collapses left companies with almost no transition time to find a new legal basis, and the same is likely to happen if the DPF meets the same fate.
The Problem Runs Deeper Than One Framework
Even setting the Data Privacy Framework aside, a separate US law creates a more permanent structural issue. The CLOUD Act, passed in 2018, compels any US-headquartered company to hand over data on a valid US legal order, regardless of where that data physically sits.
This is the part that is constantly overlooked, even by European companies that believe they have already solved it. Selecting a data centre region in the EU on AWS, Azure, Google Cloud, Cloudflare, Vercel, Supabase and similar providers offers protection against one specific legal issue: unauthorised data transfer outside the EU under the GDPR. Even this protection is debatable, as some EU regulators have argued that a US parent's legal exposure under the CLOUD Act does not automatically constitute a GDPR "transfer" requiring its own legal basis. What EU-region hosting does not do is shield you from the CLOUD Act itself, since the law's authority follows the company's headquarters rather than the server's location. AWS, Microsoft, Cloudflare, Vercel, Supabase and Google are all US companies. A subpoena served on Amazon in Seattle would reach customer data in Amazon's Frankfurt region in the same way as it would reach data in Ohio.
The Hyperscalers Know This Too
This is not a theoretical concern that the industry has ignored. To avoid losing clients who are becoming aware of the CLOUD Act, Amazon's AWS has gone as far as opening its European Sovereign Cloud in early 2026. This is a physically and logically separate infrastructure in Brandenburg, Germany, run under a distinct EU-governed corporate structure with EU nationals as managing directors and backed by an investment of €7.8 billion. Microsoft and Google have pursued similar paths through local partners. The fact that hyperscalers are building entirely separate corporate and legal structures to address this problem is itself an admission that a normal "EU region" checkbox was never sufficient.
Even so, Brussels has started tightening the screws further: in June 2026, the European Commission moved to bring Microsoft Azure and AWS under stricter Digital Markets Act obligations specifically to curb their dominance and support European alternatives. The regulatory direction of travel is unambiguous, and it is moving away from trusting US corporate structures to self-certify sovereignty.
What Actually Closes the Gap
The only structural fix is choosing providers with no US parent company and no US legal nexus at all. These providers sit outside CLOUD Act reach because the law that compels disclosure never applies to them in the first place:
- No US parent company or corporate ownership structure
- No US legal nexus that a subpoena or court order could reach
- Data residency and processing entirely within EU jurisdiction
- Full GDPR protection without a "transfer" question to debate
- Often lower cost than hyperscaler sovereign-cloud tiers, since no separate legal entity overhead is required
Some well-known European alternatives:
OVHcloud is a French provider and the largest cloud infrastructure company headquartered in the EU. It offers full compute, storage, and hosting services with no American ownership or legal exposure, and has positioned itself explicitly as the sovereign alternative to the American hyperscalers.
Scaleway is another French provider, known for developer-friendly infrastructure, GPU instances for AI workloads, and a growing footprint among European startups that want to avoid US cloud dependency from day one rather than migrate away from it later.
StackIT is the cloud arm of the Schwarz Group, the German company behind Lidl and Kaufland, built specifically to give European enterprises a sovereign alternative with the operational scale to support serious workloads.
Ionos is a long-established German provider offering hosting, cloud infrastructure, and domain services, widely used across Europe as a straightforward, GDPR-native alternative to US-based hosting.
| Aspect | US Hyperscaler (EU region) | AWS European Sovereign Cloud / Azure Sovereign Cloud | EU-Native Provider |
|---|---|---|---|
| Corporate ownership | US parent | US parent, separate EU legal entity | EU-headquartered, no US ownership |
| CLOUD Act exposure | Yes | Reduced but still present: contractually complex, and the parent is still a US company | None — outside US jurisdiction |
| GDPR "transfer" question | Debated/unclear | Designed to avoid it | Not applicable — no transfer occurs |
| Cost premium | Standard pricing | 20-30% higher | Often lower than sovereign-cloud tiers |
| DPF dependency | High, if data leaves EU | Reduced | None |
Data sovereignty is not a marketing distinction. It is a jurisdictional one. A European company with no US ownership cannot be compelled by a US court order, because US courts have no legal authority over it.
For organisations and individuals who require confirmation that EU law, rather than US law, applies to their data on a global scale, the only long-term solution is to choose infrastructure that is wholly owned and headquartered within the EU.