← Blog

Datenschutz & Souveränität

Why "EU Region" is not GDPR-compliant: The US CLOUD Act explained

Many AI providers advertise "Hosting in the EU." However, as long as the operator is a US corporation, the US CLOUD Act applies — regardless of the server location. What Schrems II, FISA 702, and the Data Privacy Framework actually mean.

Felix Stürmer· 03 July 2026· 4 min read
Why "EU Region" is not GDPR-compliant: The US CLOUD Act explained

"Our data is located in a data center in the EU region." This sentence sounds reassuring — yet it is one of the most persistent misconceptions when using AI in a company. The storage location of the data says almost nothing about who is legally allowed to access it. According to the Bitkom Cloud Report 2025 78% of German companies already consider the dependence on US cloud providers to be too great — 82% want hyperscalers from Germany or Europe.

What the US CLOUD Act actually regulates

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US law from 2018. The newly inserted norm 18 U.S.C. § 2713 obligates US companies to grant US authorities access to data upon order — specifically, in the wording of the norm analyzed by legal scholar Prof. Jennifer Daskal in eucrim:

"…regardless of whether such communication, record, or other information is located within or outside of the United States.

The decisive factor is therefore not the storage location, but "possession, custody, or control" — in other words, control. A US corporation with a data center in Frankfurt is still subject to the disclosure requirement.

⚠️

Key takeaway: The decisive factor is not WHERE your data is located, but WHO legally controls it. A US parent company is subject to the CLOUD Act — including for its European subsidiaries and EU data centers.

The path of your data with a US provider with an "EU Region"
Your inputPrompt & DocumentEU Data Centeroperated by US corporationUS Parent Companysubject to the CLOUD ActUS Authoritypossible access
The EU region does not change the legal ownership — the chain ends in the USA.

Residency is not sovereignty

Experts distinguish between data residency (where data is physically located) and data sovereignty (which legal system it is subject to). The "EU region" of large providers only fulfills residency. The European Court of Justice emphasized exactly this risk in the Schrems II ruling (C-311/18, 2020) and overturned the Privacy Shield at the time:

"Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 is invalid."

The background is the US surveillance law FISA 702, which allows access to the communications of non-US persons via programs such as PRISM — without individual judicial review and, as the ECJ found, without equivalent legal protection for EU citizens.

Why the Data Privacy Framework does not solve the fundamental problem

Since July 2023, there has again been an adequacy decision with the EU-US Data Privacy Framework (Decision (EU) 2023/1795). However, it only creates a certification and complaint mechanism — it neither changes the CLOUD Act nor FISA 702. The surveillance laws remain in force. This is already the third attempt after Safe Harbor (overturned in 2015) and Privacy Shield (overturned in 2020), and the DPF is also being legally challenged.

The European Data Protection Board (Recommendations 01/2020) requires additional technical measures for data falling under FISA 702 — practically encryption where the US provider has no key access. This is exactly what "EU-region" offerings generally do not provide.

What this means for AI tools

Most popular AI tools — Microsoft Copilot, ChatGPT Enterprise, Azure OpenAI, and Azure AI Foundry — are operated by US corporations. How reliable these promises are was shown in a hearing in the French Senate: Microsoft's legal counsel for France, Anton Carniaux, could not guarantee, according to The Register, that the data of French citizens would never reach US authorities without consent:

"No, I cannot guarantee that, but, again, it has never happened before.

This is particularly sensitive with AI: prompts and uploaded documents contain a company's most sensitive information. If the GDPR is violated, fines of up to €20 million or 4% of annual turnover are threatened.

Realistic risk of access by US authorities
US providers, "EU-region"80%
US providers with EU subsidiary55%
Kasimir — German data center3%

This is what real data sovereignty looks like

The only reliable way to exclude the CLOUD Act is a provider that is not subject to US law at all:

  • Operation in a German data center — physically and legally in Germany.

  • German legal entity, no US parent company — the CLOUD Act has no leverage.

  • AI models on own, European infrastructure — no detour via US services.

  • Which criteria such a platform must meet is shown in our post GDPR-compliant AI: the most important selection criteria.

Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach. Data residency AND data sovereignty from a single source.

Conclusion: Do not ask "where", ask "who"

"Hosting in the EU" is a marketing promise, not legal protection. As long as a US corporation stands behind the service, the residual risk of the CLOUD Act remains. A comprehensive overview is provided in our Guide to GDPR-compliant AI for companies; how to use ChatGPT & Co. in a team in a data-protection-compliant manner can be read in ChatGPT and data protection in the company.

Sources

GDPR-compliant AI from a real German data center

Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach.