Company headquarters and server location - both must be right for data protection

Storing data in the EU is not a silver bullet for all data protection requirements. Compliance also depends on who owns the server.
It's a platitude that data protection is important. Yes: data is the oil of the 21st century, data protection is a compliance task, and a personal data breach can spell the end of a company's reputation with customers and suppliers. Every company knows this.
In practice, however, data protection is often approached not through pragmatic action but through bureaucratic rituals. These exist mainly on paper, in the form of lists and directories, DPAs and contingency plans. As important as it is to have an overview of data processing operations and contracts for commissioned processing, data protection is also a task that must inform the structural setup of corporate IT. When companies are asked specifically how this structure is set up, the answer is usually that they keep their data on servers in the EU, and that everything is therefore fine.
But: is that enough, or does that put a band-aid on a broken limb?
Server location vs. location of the server operator
A server location in the EU is a good start. Beyond that, however, it also depends on who owns the server on which the data is stored.
If this is your own server, whether in your own data center or in a co-location solution, no special questions arise: you have your own IT, which must be designed with technical and organizational measures in place so that it functions in compliance with data protection requirements.
But a lot of data and applications live in the cloud these days. And "cloud" is first of all just the name for a computer that is owned by someone else. The cloud operator thus processes data for a third party: a case of commissioned processing. This process does involve a transfer of personal data.
Such a data transfer is not a problem as long as it takes place in the EU or in a country for which a so-called adequacy decision exists. According to Article 45 (1) of the GDPR, this is a decision by the European Commission that data in the country concerned is protected to a similar extent as in the EU. Such decisions exist for Argentina, Israel, Switzerland and Japan, for example. No such decision exists for the USA, however, where many cloud service providers are based.
However, if the server is located in Europe, then it shouldn't matter, right?
Data transmission has many forms
A data transfer to a third country such as the USA takes place not only when someone actively sends data, but also when they enable access to the data from the third country. A simple example: if I set the read permissions on a directory on a server located in the EU in such a way that the data in it can be accessed from the USA, then I am transferring data.
But that's exactly what happens when one processes data in a cloud that belongs to a US company. And that also includes companies whose parent company is based in the USA. This is because these companies are subject to very extensive obligations to disclose data to US security and investigative authorities under US law, in particular the Patriot Act and the Cloud Act. Whether the data is physically stored in the USA or the EU is irrelevant.
To put it more bluntly: storing data on a server or in a cloud that is owned, even indirectly through a corporate structure, by a U.S. company is a data transfer to the United States.
GDPR and US Patriot Act: contradictions that can hardly be resolved
Such a data transmission can hardly be designed in a legally secure way.
The USA and the EU tried twice to find a basis for such data transfers, namely in the form of the "Safe Harbor" agreement and later the "Privacy Shield". However, both instruments were declared invalid by the European Court of Justice (ECJ) in the Schrems I and Schrems II judgments. They can therefore no longer serve as a basis for data transfers.
Apart from an explicit declaration of consent by the data subject in the event of data transfer to the USA, only the EU standard contractual clauses ("SCC") remain as a possible instrument for transfers. In these, a processor in the U.S. undertakes to comply with appropriate data protection safeguards and grants data subjects enforceable rights and effective legal remedies. One can imagine this as meaning that the basic regulations of the GDPR are also recognized by the US processor.
Of course, these guarantees and remedies must not just be on paper, but must also work in practice. And that is precisely what they do not do. This is because the legal system in the USA imposes obligations on US cloud operators that clearly contradict the rules of the GDPR. US companies are obliged to transfer data to US authorities, even if the data subjects in the EU have no effective legal remedy against such a transfer or do not even know about it. Under the US Patriot Act, this applies even if this data is stored on EU servers.
Thus, U.S. cloud operators must choose between breaking U.S. law or breaking the rules of the EU's SCC clauses. It doesn't take much imagination to see how this decision will turn out.
But large US players "guarantee" me that they are data-compliant with their European servers; how should I react to this?
Result & Recommendation
Storing data on a server that is located in the EU is not a silver bullet that magically takes care of all data protection requirements. The decisive factor is that the company operating the servers or the cloud must also be able to comply with the requirements for the commissioned processing of personal data. This will hardly ever be the case with US companies, even if they use European subsidiaries.
Wherever practical, European operators should therefore be selected.