Your Data Isn’t Safe

Is Your Data Really Safe in the EU?

How US surveillance laws still reach into European servers — and why encryption architecture matters more than where your provider’s HQ is

Your data might be stored in Europe. But that doesn’t mean it’s protected.

Thousands of organisations are unknowingly exposed to foreign surveillance, regulatory risk, and silent compliance breaches — not because their data left the EU, but because the companies holding it remain subject to US law.

Here’s what you need to understand, and what genuinely safe looks like.

The CLOUD Act: A Silent Threat to European Data

The CLOUD Act (Clarifying Lawful Overseas Use of Data) is a US law passed in 2018 that gives American authorities the power to demand access to data held by any US company — regardless of where that data is physically stored.

If your organisation uses US providers like Microsoft, Google, Dropbox, or Amazon Web Services, your data could be handed over to US law enforcement without your knowledge, and potentially in direct conflict with GDPR.

This isn’t theoretical.

 

4 Real-World Cases That Prove the Risk

Meta (Facebook): €1.2 billion GDPR fine

In May 2023, Meta was fined €1.2 billion by Ireland’s Data Protection Commission for transferring EU user data to the US without adequate protections. Even data hosted in Europe remained accessible under US surveillance frameworks like FISA 702 — a clear GDPR violation (EDPB).

Microsoft: Access to Irish servers

The US government demanded access to emails stored in a Microsoft data centre in Dublin. Microsoft contested the warrant, but the passage of the CLOUD Act made clear that US companies can be legally compelled to hand over data stored anywhere in the world (Stanford Law Review).

Google Analytics: Ruled unlawful across the EU

Between 2022 and 2023, data protection authorities in Austria, France, and Italy ruled that Google Analytics unlawfully transferred EU user data to the US, lacking adequate safeguards (Plausible.io).

Amazon Web Services: Hybrid storage risks

AWS operates data centres across Europe, but its US ownership makes it subject to CLOUD Act demands. Data stored in Frankfurt or Dublin could, in principle, be accessed by US authorities — creating GDPR and data sovereignty concerns for any organisation relying on AWS alone as their protection strategy (AP News).

How Does a US Government Data Request Actually Work?

Many organisations assume that if the US government wanted data from a provider like Microsoft or AWS, it would involve a lengthy, visible legal process — something they’d hear about and have time to respond to. In practice, it’s often far simpler and faster than that.

There are several legal mechanisms available, each with a different threshold:

  • Basic subpoena: For subscriber information — names, addresses, IP logs — the government doesn’t need a judge’s approval at all. It’s an administrative process. Microsoft receives it, validates it, and typically complies within days.
  • Court order: For more detailed records, prosecutors must show “specific and articulable facts” to a judge — a lower bar than full probable cause. This can move within days to a couple of weeks.
  • Search warrant: To access the actual content of documents or communications, a full warrant requiring probable cause is needed. More rigorous — but for national security matters, courts can move very quickly.
  • FISA orders and National Security Letters (NSLs): Under the Foreign Intelligence Surveillance Act, the government can obtain orders from a secret court. NSLs go further still — issued directly by the FBI without any judicial approval whatsoever.
 

The Detail Most Organisations Don’t Know About: Gag Orders

NSLs and many FISA orders come with a gag order — a legal prohibition on the provider informing the affected customer that a request was ever made. Not temporarily. In many cases, permanently.

That means your cloud provider could be legally compelled to hand over your data, and legally prohibited from ever telling you it happened. No notification. No opportunity to respond. No way to inform your own clients.

For compliance teams, this isn’t a theoretical edge case — it’s a structural feature of US surveillance law. And it applies to every US-owned provider, regardless of where your data is physically stored.

This is precisely why the architecture matters so much. If a provider receives a gagged NSL but holds only encrypted ciphertext — with no access to the keys — there is simply nothing of value to hand over. The legal process becomes irrelevant. You cannot be harmed by the secret surrender of data that cannot be read.

 

Why This Matters for Professional Firms

If your business handles client data, legal documents, financial reports, or sensitive records, you may be:

  • In breach of GDPR without realising it
  • Violating data sovereignty principles
  • Exposing clients to surveillance without consent

In many scenarios, you may not even be legally permitted to notify affected individuals — a nightmare for compliance teams and the clients who trust you.

The Real Question Isn’t Where Your Data Is — It’s Who Controls the Keys, and Where

Most conversations about data sovereignty focus on the wrong thing.

The question isn’t simply whether your provider has a data centre in London or Frankfurt. Two more important questions are: who holds the encryption keys, and where do they live?

Consider two scenarios:

Scenario A: Your data is stored in an EU data centre, but your provider holds the encryption keys inside a US-owned system. A CLOUD Act demand could compel that US company to surrender both the data and the means to read it.

Scenario B: Your data is stored on US-owned infrastructure in London, but the encryption keys are held on a completely separate, UK-operated system — and all decrypt/encrypt operations happen exclusively there. A CLOUD Act demand on the storage provider yields only ciphertext. The keys are outside their reach entirely.

Projectfusion is Scenario B.

The architecture — not the postcode of a data centre — is what determines whether your data is genuinely protected.
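The difference between Scenario A and Scenario B, as an added Go example that is not Projectfusion's code. `KeyService`, `Comply` and the object name are hypothetical, the document text is constructed, and AES-256-GCM is an assumed cipher because the page names none.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService models the separately operated key system (hypothetical name).
type KeyService struct{ aead cipher.AEAD }
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func NewKeyService() *KeyService {
	block, _ := aes.NewCipher(randBytes(32)) // AES-256-GCM is an assumption
	aead, _ := cipher.NewGCM(block)          // neither call fails for a 32-byte key
	return &KeyService{aead}
}

// Seal returns nonce||ciphertext, binding the object name as associated data.
func (k *KeyService) Seal(name string, plain []byte) []byte {
	nonce := randBytes(k.aead.NonceSize())
	return k.aead.Seal(nonce, nonce, plain, []byte(name))
}
func (k *KeyService) Open(name string, blob []byte) ([]byte, error) {
	if k == nil || len(blob) < k.aead.NonceSize() { // nil: caller has no key access
		return nil, fmt.Errorf("no key access or truncated blob")
	}
	n := k.aead.NonceSize()
	return k.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

// Comply returns the most readable bytes a storage provider can hand over (keys nil = Scenario B).
func Comply(blob []byte, name string, keys *KeyService) []byte {
	if plain, err := keys.Open(name, blob); err == nil {
		return plain
	}
	return blob
}

func main() {
	ks, doc := NewKeyService(), []byte("constructed sample: client merger terms")
	blob := ks.Seal("deal.txt", doc)
	fmt.Printf("A: %q\nB: %x\n", Comply(blob, "deal.txt", ks), Comply(blob, "deal.txt", nil))
}
```

Because the object name is bound as associated data, a blob copied under a different name also fails to decrypt, even with the right key.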

How Projectfusion Protects You

We’ll be transparent with you: like many UK platforms, we use enterprise-grade infrastructure from Wasabi in London for data storage. We believe in being upfront about this — because where data is stored is only part of the answer.

The part that matters: our encryption keys never leave our UK servers.

Here’s the architecture that protects you:

  • Encryption keys stored exclusively on UK infrastructure: Projectfusion manages and stores all encryption keys on our own UK-hosted servers — entirely separate from the storage infrastructure where your data resides.
  • All encryption and decryption happens in the UK: When you upload or access a document, the cryptographic operations happen exclusively on our UK servers. Your data is encrypted before it is written to storage, and decrypted after it is retrieved — AWS never participates in that process.
  • Wasabi sees only ciphertext — always: The data that sits on Wasabi infrastructure is fully encrypted and completely unreadable without the keys. Since those keys are held on a separate, UK-based system that Wasabi has no access to, even a CLOUD Act demand served on Wasabi would yield nothing of value — there is simply no readable data for them to hand over.
  • UK-owned and operated: Projectfusion is a UK company, not a US subsidiary or reseller. Our operations, governance, encryption infrastructure, and legal obligations all sit firmly within UK jurisdiction.
  • No cross-border transfers: Your data is hosted in London. There is no vague multi-region replication or cross-border backup.
  • Built for regulated industries: We’re ISO 27001 certified, GDPR-aligned, and trusted by law firms, government bodies, and regulated organisations across the UK and EU.
 

Quick Self-Check: How Does Your Provider Actually Stack Up?

Ask your current provider these questions:

  1. Where is your data physically stored — and can you get a straight answer?
  2. Who holds the encryption keys — and where are those keys hosted?
  3. Are encryption and decryption operations performed entirely within UK or EU jurisdiction?
  4. If your storage infrastructure provider received a CLOUD Act demand, would they have any access to the encryption keys?
  5. Does your provider hold ISO 27001 certification?

If your provider can’t give you a clear, technically specific answer to questions 2–4, you don’t have a data sovereignty strategy — you have a marketing claim.

Don’t Settle for Geography. Demand Architecture.

Data sovereignty isn’t just about which country a server sits in. It’s about who can read your data — and under what circumstances.

Projectfusion gives you real protection: transparent infrastructure, genuine encryption architecture, and the compliance credentials to back it up.

Talk to us or visit www.projectfusion.com to learn more.
