It's a platitude that data protection is important. Yes: data is the oil of the 21st century, data protection is a compliance task, and a personal data breach can spell the end of a company's reputation with customers and suppliers. Every company knows this.
In practice, however, data protection is often approached not through pragmatic action but through bureaucratic rituals, most of them on paper: lists and directories, data processing agreements (DPAs) and contingency plans. Keeping an overview of processing operations and of contracts for commissioned processing is important, but data protection is also a task that must inform the structural setup of corporate IT. When companies are asked specifically how that structure is set up, the answer is usually that they keep their data on servers in the EU. Everything is therefore fine.
But: is that enough, or does that put a band-aid on a broken limb?
Server location vs. location of the server operator
A server location in the EU is a good start. Beyond that, however, it also matters who owns and operates the server on which the data is stored.
If the data sits on a server owned by the company itself (the data controller, in GDPR terms), whether in its own data center or in a co-location facility, no special questions arise. The business runs its own IT, which must be designed with technical and organizational measures in place so that it operates in compliance with data protection requirements.
But a lot of data and applications live in the cloud these days, and "cloud" is, first of all, just another name for a computer owned by someone else. The cloud operator therefore processes data on behalf of a third party: a case of commissioned processing, and one that necessarily involves a transfer of personal data to the operator.
Such a transfer is unproblematic as long as it takes place within the EU, or within a country in which the GDPR applies. So if the server is located in Europe, everything should be fine, should it not?
Data transfers have many forms
A data transfer to a third country such as the USA occurs not only when someone actively sends data there, but also when they make the data accessible from the third country. A simple example: if a company sets the read permissions on a directory on a server located in the EU so that its contents can be read from the USA, that company is transferring data.
But that is exactly what happens when one processes data in a cloud that belongs to a US company, including companies whose parent company is based in the USA. Such companies are subject to far-reaching obligations under US law to disclose data to US security and law-enforcement authorities, in particular under the Patriot Act and the CLOUD Act, and those obligations apply regardless of whether the data is physically stored in the USA or in the EU.
To put it more bluntly: storing data on a server or in a cloud that is owned, even indirectly through a corporate structure, by a US company is a data transfer to the United States.
GDPR and US CLOUD Act: contradictions that are not easy to resolve
Such a transfer cannot always be put on a legally secure footing.
The USA and the EU have twice tried to create a basis for such transfers, first with the "Safe Harbor" agreement and later with the "Privacy Shield". Both instruments were declared invalid by the European Court of Justice (ECJ), in the Schrems I judgment (2015) and the Schrems II judgment (2020) respectively, and can therefore no longer serve as a basis for data transfers.
A third attempt is currently in force: the EU-US Data Privacy Framework (EU-US DPF), on which the European Commission based an adequacy decision in July 2023. Formally, this permits transfers of personal data to US organisations that have certified under the DPF without violating the GDPR per se.
However, there are two reasons to be cautious.
First, it is not clear whether the EU-US DPF will hold water. It has yet to be tested in court, and since it looks suspiciously similar to Safe Harbor and Privacy Shield, it may meet the same fate. It is therefore unwise to base long-lived decisions, such as committing to a particular software infrastructure, on the continued existence of the EU-US DPF.
Second, even if the courts wave the transfer mechanism through, that does not make the US CLOUD Act go away. US authorities will still be able to compel access to the data and, judging by the past, they will use that power. Whoever has sensitive data or trade secrets to protect, or transfers data to and from critical infrastructure, may want to think twice.
Result & Recommendation
Storing data on a server located in the EU is not a silver bullet that magically takes care of all data protection requirements. The decisive factor is whether the company operating the servers or the cloud is actually able to comply with the requirements for the commissioned processing of personal data. For that, not only the server location but also the seat of the operating company, and of its holding or parent company, must be considered.
Wherever practical, European operators should therefore be selected.
Note: This article was first published in January 2022 and last updated and corrected in February 2024