Data in Europe is not enough. Why can the American cloud be a legal trap?
The cloud services market is dominated worldwide by three American technology giants: Amazon, Microsoft and Google. Europe is no exception, and neither is the Czech Republic.
When the GDPR came into force, everyone started to worry about where their data was stored. The American providers built networks of data centers in the EU and the issue seemed solved. It is not that simple.
Storing data within the European Union does not by itself guarantee compliance with the General Data Protection Regulation. A company may therefore use a data center in the EU and still fail to meet the GDPR's requirements. This article explains why that is and what the options are.
A View Through the Lens of GDPR
The purpose of the regulation is to protect the personal data of people in the EU, and its provisions are built around preventing unauthorized access to that data. In IT terms, the GDPR takes an approach close to zero trust: nobody, including a foreign state, is trusted with personal data unless the protection has actually been verified.
Countries outside the European Union are not automatically treated as safe destinations that handle European data the way the GDPR requires. Personal data may be transferred to a third country only under the conditions of GDPR Articles 44-49: either the European Commission has issued an adequacy decision finding that the country provides an essentially equivalent level of protection (Article 45), or the exporter puts in place appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules (Article 46), or one of the narrow derogations of Article 49 applies.
Bilateral Relations Between the EU and the US
Between the EU and the US, this took the form of the so-called Privacy Shield. That framework was annulled by the Court of Justice of the EU in the Schrems II judgment (Case C-311/18, 16 July 2020). The Court found that US surveillance law, in particular Section 702 of FISA and Executive Order 12333, allowed access to transferred data beyond what is strictly necessary and gave EU data subjects no effective judicial redress, so the US did not provide the level of protection the GDPR requires.
The judgment made clear that transatlantic transfers without effective safeguards are not acceptable. It also left Standard Contractual Clauses valid, but only where the exporter has verified that the law of the destination country does not undermine them in practice, which is why transfer impact assessments have become standard practice since 2020.
End of the EU-US Cooperation
A further complication is the US CLOUD Act of 2018. It allows US law enforcement, acting under a warrant or court order, to compel providers subject to US jurisdiction to produce data in their possession, custody or control. Where the data is physically stored does not matter: a data center in Frankfurt or Prague is reached because the company operating it falls under American jurisdiction.
As a customer of an American cloud provider, you may never learn that your data has been handed over. Under the Stored Communications Act, which the CLOUD Act amended (18 U.S.C. § 2705(b)), a court can order the provider to keep the request confidential, so the provider may be prohibited from telling you that data you store in its cloud has been disclosed to the American government.
An Attempt to Mend Relations
In 2023 a new basis for European companies to use US clouds appeared: the Data Privacy Framework (DPF), adopted by a European Commission adequacy decision of 10 July 2023. It is a recognised transfer mechanism, but it has already been challenged before the EU General Court (Latombe v Commission, T-553/23), and further litigation in the style of Schrems I and II is widely expected.
The framework is voluntary and covers only US companies that self-certify to it; a transfer to a non-certified entity cannot rely on it. The more fundamental problem is that the DPF addresses US intelligence surveillance, not the CLOUD Act or other US laws that compel US companies to disclose data stored by their customers.
To check whether your provider (the specific legal entity you contract with) is DPF-certified, search the official list at https://www.dataprivacyframework.gov/.
What Does This Mean for Czech Companies?
These legal complexities create real difficulties for Czech companies. If you use an American cloud, you may be exposed to liability for violating the GDPR and to sanctions from the Office for Personal Data Protection (ÚOOÚ) or other European supervisory authorities; GDPR Article 83 allows fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
These consequences can come out of the blue, because the provider may be under a confidentiality order if it has handed your data to the American government. Beyond legal and financial consequences, you may also face a loss of reputation and credibility.
These are extreme cases, but it is worth remembering what such corporate arrangements make possible. Even if you store no personal or sensitive data in the American cloud, consider whether purely operational information is something you are willing to make available to a foreign government.
What Can You Do About It?
If, like many other Czech companies, you run your IT operations in an American cloud, don't panic. The next steps are neither quick nor simple, but all is not lost.
- First, assess whether you store data in the cloud that falls under the GDPR: map which systems hold personal data, whose data it is and which provider entity processes it.
- Then decide whether you want to keep internal information and know-how in a place from which it can be handed over to a foreign government.
- Then analyze your needs, risks and IT architecture, including what the provider could actually produce if compelled: data encrypted with keys that you hold outside the provider's control (not merely a customer-managed key in the provider's own key management service) can only be handed over in encrypted form.
- The main step is choosing the right partner for an objective assessment of the situation.
Take advantage of our CTO consultation. Consult your data strategy with experts who have experience designing solutions that are GDPR-compliant and meet operational efficiency requirements. A technology-agnostic approach is the key to sustainable IT today.
There Are Alternatives
Of course there are. There are several, but only one will be the best for your situation; there is no one-size-fits-all solution. That is why a properly set-up analysis is so crucial.
For a deeper understanding of this issue, watch the excellent lecture by David Michels, a researcher at Queen Mary University of London, from The European Sovereign Cloud Day 2025.
Can Czech Companies Use the American Cloud?
The answer is yes. How you run your IT is entirely up to you. But you need to be aware of the risks that come with the choice, and in the case of American clouds the consequences can be severe.
Given world events, the question of sovereignty will only become more pressing. Some of it must be solved at the state level, some at the technological level. The goal of a company should be a solution that does not carry high legal risk, preserves its internal know-how and does not make it dependent on a foreign government.