Does using overseas hosting break GDPR?

I’m a little confused with GDPR. I’ve been aware that you cannot transfer personal data outside your jurisdiction (I’m in the uk). However, the US implemented a law giving them access to cloud data from any US company stored anywhere in the world:

Q: Does that mean that my organisational personal data stored in AWS in a UK location can be accessed by the US government if they subpoena Amazon in the US?

This brings into question form data collected from our website stored on US servers in a US hosting company through something like machforms?

If this is correct what does it mean for using Office365. If data can be accessed by the US government from any US company’s cloud service won’t it force users to only use national companies?

The simple answer is yes. You can avoid it through complicated agreements with vendors, but until a new Privacy Shield law is implemented you cannot use non-EU solutions safely and easily.

Any complicated answer would involve a pretty deep conversation…

Note: no idea about the UK, I work in Norway and Sweden.

1 Like

Thanks for that.

Doesn’t that mean that you cannot use any company registered in the US? How does that work for corporates using Office 365 or Google Workspace? For that matter doesn’t that mean that even Apple’s iCloud can’t be used?

Does GDPR require that you bar the government from access to data? I know there are a fair number of treaties between US / EU / UK / etc. regarding criminal matters, so would “the US government got access to the data while they were investigating a crime” actually put your business in violation of GDPR?

Not a lawyer, so I don’t know - but I would think it would be very low on their list of things to go after people for.

Also, the US passing a law that they can access data on a data center elsewhere in the world may not even be legal. Although you wouldn’t want to rely on that law being tested. :slight_smile:

No, that is actually hanging pretty high in Europe, specifically since the NSA was caught red-handed reading the Mails and SMS of Europes highest ranking politicians, and the complete Mail-Traffic in Europe!
A result of that was the new GDPR, and an encrypted Mail-Traffic as standard within at least Germany


Yes, the Schrems-II verdict made that crystal clear :slight_smile:


Oh, you as a private individual can use anything you want, but if you work for a company that stores data for OTHER people, including your employees, you need to work REALLY hard to avoid breaking GDPR.

We had to spend two months writing risk evaluations and other documentation to use GitHub at my last project.

Basically data residency is a pit of vipers right now.

It’s possible this will be solved cryptographically, but more likely a new Privacy Shield law that disallows any country from just “taking what they want” will be the solution.
Though I don’t think anyone thinks the US will join that, so all the big tech companies will probably become Irish companies soon.

That also means fewer American jobs, fewer datacenters, and a LOT fewer tax dollars.

1 Like

I’m in the UK so it does matter for uk citizens. As the US can access the data through the back door of US companies, it may well cause a problem for me here with the Information Commissioners Office (ICO).

This hadn’t really crossed my mind until I read an article that Austria has stated that google analytics may well be illegal because of the US’s legislation I mentioned above.

My headache comes with asking myself what it means for my organisation to store personal or sensitive information on my hosting companies servers (dreamhost via machforms), personal or sensitive data in Apple’s iCloud and Office 365. Having to remove this would be a major headache. It would also signal that I need to us a UK hosting company for our website and just about any other cloud service.

Data can be transferred outside the EU but only if the destination country is established as adequate by the EU Commission (USA are not deemed as a secure country), the data controller ensures data safety, or the data subject gives his consent with such transfer.

Even GDPR can not prevent state authorities from accessing the data so long the destination country follows adequate legal procedures.


Your link was to a bill apparently introduced in the U.S. Senate and referred to committee in 2018. As far as I can tell, no further action was taken on the bill.

As I read the actions (twice) of the Court of Justice of the European Union, the CJEU is trying to apply data protections available to EU citizens to the rest of the world. And if the rest of the world (individually as separate countries) does not cooperate, they will be cut off from the EU. As a result, the EU will have isolated itself from the rest of the world data-wise.

I found this to be a readable and useful article by the Brookings Institute The Court of Justice of the European Union in Schrems II: The impact of GDPR on data flows and national security

The purpose of the EU-Regulations and Judigation, is to protect the citizens from unlawful, uncontrolled access towards their data.
As long as a country like the US, and a lot of others as well(!), is not observing at least minimum international standards in the way foreign citizens are treated, a kind of a “isolation” is the only way.


Per the article @karlnyhus linked, it seems that EU member states are treated differently (i.e. given more latitude with personal data) than non-EU entities.

That may be the case, but I think this may backfire on them unless they’re willing to build their own complete IT infrastructure. Either that or solution providers will appear that utilize strong cryptography, at which point it doesn’t matter where the data is physically stored.

Here’s the DOJ’s website:

They specifically itemize what the act does and doesn’t say, and helpfully note treaties under the CLOUD Act with various other countries. Obviously legal interpretation is beyond the scope of this forum, but that’s where @svsmailus should probably start reading. :slight_smile:

Thank you for the additional information. So the bill did become law but is not unilateral by the United States. It allows/requires an agreement (treaty?) to be signed with other countries. Bilateral agreements have been signed with the United Kingdom and Australia (two of “The Five Eyes” in the intelligence world) and negotiations are in progress with the EU.

They’re applying it to data of and about EU citizens regardless. Basically just trying to close the loophole of processing data in “offshore” jurisdictions with lower levels of privacy protection.

Given the egregious global overreach of U.S. law, the utter disregard of other jurisdictions’ privacy laws and legal processes, and the blatant contempt U.S. privacy regulations show for non-U.S. citizens/persons and their data and privacy, severing data flows to the U.S. is only a logical consequence. It’s overdue.


Please read my comment that posted just above yours at almost the same time. Also read helpful comments and link by @webwalrus just above my post.

I did.

I also consulted the DOJ’s FAQ on it…

It doesn’t. It does allow for unilateral access:

21. Does the amendment of the Stored Communications Act in the CLOUD Act allow the United States to unilaterally obtain foreign nationals’ data held overseas?

Answer: “U.S. law provides that companies subject to U.S. jurisdiction may be compelled, pursuant to a court order, to produce data subject to their control regardless of where the data is stored. (…) Where no CLOUD Act agreement is in place, a company’s compliance with a U.S. court order might conflict with a foreign country’s law forbidding production of data. In such cases, the U.S. government could elect to pursue alternate channels, such as narrowing or modifying a request to avoid the conflict; resolving the conflict through closer inquiry or good-faith negotiation; or making the request under an applicable MLAT. Should the U.S. government seek to enforce the order notwithstanding a conflict with foreign law, U.S. courts can be expected to apply long-standing U.S. and international principles regarding conflicts of law to ensure appropriate respect for international comity by applying a multi-factor balancing test, taking into account the interests of both the United States and the foreign country.”

:point_right: Cutting through all the legalese mumbo-jumbo: Yes, it very much does allow for unilateral access.

1 Like

Unilateral access is not granted to anyone. U.S. Courts may try to enforce their request for data but as your own quote says,

U.S. courts can be expected to apply long-standing U.S. and international principles regarding conflicts of law to ensure appropriate respect for international comity by applying a multi-factor balancing test, taking into account the interests of both the United States and the foreign country.”

That doesn’t sound unilateral to me.

1 Like

U.S. courts deciding on U.S. requests for access based on U.S. law is exactly that:
A unilateral application of law.

“Applying long-standing principles of conflicts of law” and “balancing tests” are as much a pinky swear as saying: “Yeah, we may be doing it unilaterally - but we promise we won’t abuse it (and infringe on your foreign law) too badly!”

Why should European/Russian/Chinese/ -Your Favorite Country -, law apply in the US? (Or US law apply anywhere else.)

This is a serious question. I tend to agree with the GDPR, and wish the US had similar privacy laws. But I do not understand how the European Union can unilaterally apply their law in the US.

I would think this applies both ways. If the EU was going after a company based in the EU, and that company had data stored in the US somewhere, would the EU not demand the right to force said company to retrieve and produce the data?

It’s not like the EU doesn’t insist their local law applies to other countries. If I run a small, locally-owned business selling widgets on eBay, and I sell one to somebody in Germany, the EU seems pretty insistent that I’ve just fallen under the scope of their GDPR law.

Reference GDPR Frequently Asked Questions

GDPR protects the personal data and the rights of data subjects as long as they are EU citizens, no matter where they are living. GDPR Article 3 explains that any company in the world that employs or does business with EU citizens must comply with GDPR regulations. So a company that hires or does business with any EU citizen must appoint a Data Controller whose job it is to supervise data collection by Data Processors.

1 Like