All systems operational Your IP: 216.73.216.63 info@cloudhosting.lv +371 66 66 29 69 Client area

← All questions

EU vs US cloud: why your data location matters

Ask most companies where their data is and they will name a city: "Frankfurt", "Amsterdam", "our servers are in the EU". That answer feels reassuring, but it covers only one of three questions that actually decide who can lawfully read your data. Physical location matters. It is not the whole story.

Three questions, not one

  • Where does the data physically sit? The country whose ground the disks stand on.
  • Which legal system governs the provider? Jurisdiction follows the company, not the hardware. A US-owned provider stays subject to US law even when the server is in Riga or Amsterdam.
  • Who holds the encryption keys? If the provider can decrypt your data, it can be compelled to hand over the plaintext. If only you hold the keys, it cannot.

A US hyperscaler's "EU region" answers question one and fails questions two and three. That gap is where data sovereignty is won or lost.

The US laws that reach across the ocean

The CLOUD Act (2018) lets US authorities compel any US-based company to produce data it controls, wherever in the world that data is stored, and regardless of whether the data subject is American. An EU data centre operated by a US parent is within reach.

FISA Section 702 authorises bulk collection from US electronic communications providers, specifically targeting non-US persons located outside the United States. For a European customer of a US cloud, that is not a loophole; it is the design.

What EU law actually says

GDPR Article 48 states that a foreign court or authority order is only enforceable in the EU when it rests on an international agreement, such as a mutual legal assistance treaty. A CLOUD Act warrant is a unilateral US instrument, so it does not meet that bar, yet a US provider can still be forced to comply on the US side.

In Schrems II (2020) the Court of Justice struck down the Privacy Shield because US surveillance law gave authorities access incompatible with EU rights and left EU citizens without effective redress. Its successor, the EU-US Data Privacy Framework (2023), governs transfer paperwork but does not switch off the CLOUD Act or FISA 702; a further challenge, widely called Schrems III, is working through the courts. The EU Data Act and NIS2 push the same way: keep control of data inside the EU and block unlawful third-country access.

Standard contractual clauses alone do not close the gap. The European Data Protection Board has been explicit that contracts cannot bind a foreign government; only technical measures can.

How to check a provider yourself

Verify the physical location and the network operator:

whois 91.220.43.220 | grep -Ei 'country|netname|org'
curl -s https://ipinfo.io/91.220.43.220

Then answer the two harder questions on paper:

  • Read the provider's DPA and sub-processor list. A US parent or US sub-processor puts you back under US jurisdiction.
  • Confirm the operating legal entity is registered in the EU/EEA, not a local reseller of a US platform.
  • Ask where encryption keys are held. "In the EEA, and you can hold your own" is the answer you want.

Where the stakes are high, encrypt before the data ever reaches the provider, so the plaintext never exists on their side:

# encrypt a file with a passphrase you control
age -p secrets.tar > secrets.tar.age
# or full-disk encryption on your own VPS volume
cryptsetup luksFormat /dev/vdb

Takeaway

"Hosted in the EU" is necessary but not sufficient. Real data sovereignty needs all three: EU soil, an EU-domiciled provider outside US jurisdiction, and encryption keys you control. Check the corporate ownership and the sub-processor list, not just the data-centre map. This is general information, not legal advice; for a specific compliance case, confirm with a qualified adviser.

Ready to start?

Deploy in minutes or talk to an engineer about what fits your project.