data.day

EU Hosted Does Not Mean Sovereign. It Often Means a US Keyhole.

Why hosting data in Frankfurt does not protect you from the US Cloud Act, and how to verify true data sovereignty.

Geography Is Not Jurisdiction

There is a pervasive myth in the European market. It is the myth of the “Local Datacenter.” Marketing teams show you a beautiful map. They place a pin in Berlin, Zurich, or Amsterdam. They tell you: “Your data stays here.”

This is a statement of geography. It is not a statement of law.

The Machine exists in a physical location, but the entity that controls The Machine exists in a legal jurisdiction. If you store your client secrets on a server in Frankfurt, but that server is owned by a company headquartered in Seattle, your data is effectively in Seattle.

The False Security: The Branch Office Defense

The US Cloud Act (Clarifying Lawful Overseas Use of Data Act) sets a clear rule. It asserts that US law enforcement can compel US technology companies to produce data stored on their servers, regardless of whether that data sits inside the United States or on foreign soil.

Therefore, when a US vendor tells you they are “GDPR Compliant,” they mean they have paperwork in place. They do not mean they can defy a federal warrant.

If a subpoena arrives at their HQ, they have two choices:

  1. Hand over your data.
  2. Commit a felony.

Do not gamble your business on the hope that a vendor will choose prison to protect your files.

The Mathematical Reality: Corporate Sovereignty

To achieve true sovereignty, we must look at the corporate family tree, not the server map. We must ask: “Who owns the entity that owns the keys?”

If the answer involves a US parent company, standing US access to the systems, or significant US ownership control, the “Trust Boundary” is compromised.

This does not mean you cannot use these services. It means you must not use them for secrets unless you apply your own encryption first.

If you encrypt the file on your machine, and send the encrypted blob to the US-owned server in Frankfurt, you are safe. Not because of the law, but because of mathematics. The Cloud Act can demand the data, but it cannot demand a key that the vendor does not possess.
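The flow described above, as an added example that is not from the original article or any vendor: the client generates an AES-256 key locally, encrypts with Go's standard-library AES-GCM, and uploads only the resulting blob. `VendorStore` is a constructed stand-in for the US-owned server; the secret and object name are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// VendorStore stands in for the US-owned server in Frankfurt. It receives and
// returns opaque bytes only; the key never leaves the client.
type VendorStore map[string][]byte

func (s VendorStore) Upload(name string, blob []byte) { s[name] = blob }

func (s VendorStore) Download(name string) ([]byte, error) {
	blob, ok := s[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	return blob, nil
}

// NewClientKey generates a 256-bit AES key locally. A compelled vendor can
// produce the stored blob but not this key, because it was never sent.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
// That byte string is all the vendor ever stores.
func SealForUpload(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // Seal appends to nonce
}

// OpenFromStore reverses SealForUpload. It fails on a wrong key and on any
// modification of the stored blob, since GCM authenticates the ciphertext.
func OpenFromStore(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// ClientSideRoundTrip is the whole flow: encrypt locally, upload only the
// ciphertext, download it back, decrypt locally.
func ClientSideRoundTrip(store VendorStore, key []byte, name string, secret []byte) ([]byte, error) {
	blob, err := SealForUpload(key, secret)
	if err != nil {
		return nil, err
	}
	store.Upload(name, blob)
	stored, err := store.Download(name)
	if err != nil {
		return nil, err
	}
	return OpenFromStore(key, stored)
}

func main() {
	store := VendorStore{}
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample secret for this demo.
	got, err := ClientSideRoundTrip(store, key, "client-secrets.env", []byte("db_password=example-only"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("client recovered: %s\n", got)
	blob, _ := store.Download("client-secrets.env")
	fmt.Printf("vendor holds %d opaque bytes, first 8: %x\n", len(blob), blob[:8])
}
```

Two caveats follow from the design. First, the protection rests entirely on where the key lives: a key generated in or escrowed to a vendor-managed key service is still in the vendor's hands. Second, the vendor still sees object names, sizes and access times, so anything sensitive in metadata needs the same treatment as the file contents.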

Consequently, we must stop reading marketing brochures and start reading corporate structures.

  • Is the vendor a US subsidiary?
  • Do they have “Follow the Sun” support where a technician in Texas can access the server in Dublin?

If the answer is yes, you are not renting a safe in Europe. You are renting a locker in an American embassy. Proceed accordingly.

FAQs

But the vendor signed a DPA promising protection.

A Data Processing Agreement is a contract. The US Cloud Act is federal law. In a conflict, the law wins. The vendor will breach your contract to avoid going to jail.

Does encryption protect me from this?

Only if you hold the keys. If the vendor holds the keys, they can be compelled to use them.

Are there actual EU-owned clouds?

Yes. They are often less polished than the American giants. This is the trade-off. You accept less shine to gain actual walls.