It’s a quiet Thursday morning. Somewhere in Helsinki, a government official opens their laptop, ready to review confidential research from a national university. Across Europe, millions of similar moments are unfolding: Emails, documents, contracts, ideas, private data flowing effortlessly across the cloud.
Now imagine that all of that – everything from government secrets to private medical data – can be legally accessed by a foreign government, at any time, and without the person or business knowing. Not because of a cyberattack. Not because of a breach. But because the law says so.
This is not a dystopian plot. It’s the reality created by two US laws that most Europeans have never heard of, yet which define the safety of our data and the independence of our institutions. Let me explain, simply, how this works – and why every European leader, from CEO to civil servant, needs to care.
What’s Data Sovereignty, and Why Does It Matter?
Data sovereignty is the idea that digital information is subject to the laws of the country where it’s physically stored. For most people, it sounds obvious: If my files are in Helsinki, Finnish law applies, right?
Well, yes – and no.
If you use US-based cloud providers like Microsoft, Google or Amazon Web Services, you’re also within the reach of US law, because the service providers are bound by US laws. Two laws, in particular, are causing headaches for European business and government leaders:
- The US Cloud Act (Clarifying Lawful Overseas Use of Data Act, 2018)
- FISA 702 (Foreign Intelligence Surveillance Act, Section 702, last renewed 2024)
Let’s unpack why these laws mean your “private” data may be anything but.
The US Cloud Act: Your Data, Their Rules
In 2018, the United States passed the Cloud Act, which allows US law enforcement agencies to demand access to data stored by US-based cloud service providers, no matter where in the world that data physically resides.
Example: You’re a Finnish company, using a Microsoft 365 server hosted in Sweden. If a US government agency presents Microsoft with a valid legal order, Microsoft must hand over your data, even though it never left Europe. Microsoft cannot refuse, even if this breaks local (e.g. GDPR) rules. In most cases, they’re also not allowed to tell you.
But don’t just take my word for it – here’s the official resource from the US Department of Justice.
Let’s make this clear:
If a European company, university, hospital, or even government office uses Microsoft 365, Google Workspace, Amazon AWS, or any US-based cloud provider – even if the servers are located in Berlin, Paris or Helsinki – US authorities can legally demand access to all that data. And those providers are legally forbidden from telling the customer that this is happening.

FISA 702: The Secret Back Door
If the Cloud Act is a front door, FISA 702 is the back one. FISA Section 702 lets US intelligence agencies (notably the NSA) collect data – including emails, messages, and cloud files – about non-Americans located outside the US, from US companies. All that’s required is that the information “relates to foreign intelligence.” No warrant, no user notification.
If you’re in Europe, you have zero rights to challenge this in a US court. Even GDPR cannot stop this, because US law trumps your privacy as soon as US tech is in play.
The Illusion of "Local Hosting" with US Providers
A common refrain from sales teams is, “Your data is stored in the EU, so you’re covered by GDPR.” But if the tech provider is US-based, the laws above still apply. The location of the server doesn’t matter; what matters is where the company is headquartered – or where the parent company is headquartered, if we’re dealing with a European subsidiary.
This is not a theoretical risk:
- In 2025, Germany’s Schleswig-Holstein state government is banning Microsoft programs at work (source: economictimes).
- Danish ministries and cities are moving to Linux, citing “digital sovereignty” and the geopolitical risks of US providers (source: pcmag).
- France has its own “Cloud au Centre” policy to prioritise national and EU-hosted solutions (source: fieldfisher).
A Simple, Chilling Example

Imagine a European government agency – let’s call them a “Blue-Eyed Gov” – uses Microsoft 365 for all internal communication, hosted in Germany. Suddenly, a US agency issues a lawful order under the Cloud Act or FISA 702. Microsoft must hand over all of Blue-Eyed Gov’s data – emails, contracts, even confidential strategy – and isn’t even allowed to warn Blue-Eyed Gov that their data has been accessed.
Now, swap “government” for your own business, your research group, your law firm, your hospital, or your private life. Your data is not safe from foreign access if a US company is in the loop, even if you think you’re protected by European law.
Is Europe Really Any Better?
Here’s where we must be honest. Yes, European intelligence agencies (like Germany’s BND) can tap network traffic at backbone exchanges (see Spiegel report). But these are network intercepts – think wiretaps – not “grab all the cloud data from every private company” orders.
No EU law (to my knowledge or in public record) allows authorities to demand global data access from private EU tech companies, let alone ban them from notifying the affected user.
Where state secrets or terrorism are concerned, law enforcement can request data, but usually with court oversight (see Germany’s “Posteo” court case). There is simply no European equivalent to the US Cloud Act or FISA 702. If I’m wrong, I welcome corrections from the legal community – but none have surfaced in recent industry debate, quite the contrary.
Why "Compliance" Isn’t Enough
Some US cloud providers market their services as “GDPR-compliant” or “EU-compliant”, but as long as US law applies, your data is at risk. The compliance promise is a marketing term – not a legal shield.
When “close enough” really means “not close at all”, risk is hiding in plain sight.
The Case for European-Built, European-Hosted Solutions
If your organisation cares about:
- Data privacy
- National resilience
- Protecting intellectual property
- Maintaining citizen trust

…then relying on “compliant” US-based platforms is not good enough. Only European-built, European-hosted solutions by design (not just by marketing) can keep your data out of reach of foreign laws and eyes.
A Personal Perspective
I’ve spent the past year building NORAI RAG Bot, a fully European platform for AI and data that never calls external APIs or relies on US infrastructure. Not because it’s trendy, but because, as I see it, Europe needs solutions that truly keep business, research and personal data sovereign.
If we want to stay globally competitive, keep our secrets and honour the trust of our citizens, “close enough” compliance just doesn’t cut it. We must demand more from our technology – by building it ourselves, on our own turf, with our own rules.
Victor A. Lausas
Chief Executive Officer
