Editors’ Choice: Get off of my cloud?
Abstract
The European Union continues to grapple with the complex issue of cloud sovereignty, particularly concerning data transfers to the United States. Despite successive attempts to establish robust transatlantic data transfer mechanisms, the EU's approach is often perceived as falling short of achieving true digital autonomy. This article examines the legal landscape, including the pivotal Schrems II judgment, the subsequent EU-US Data Privacy Framework, and the extraterritorial reach of the US CLOUD Act, to highlight the persistent challenges and the EU's ongoing efforts to assert greater control over its digital infrastructure and data. It underscores the critical implications for legal professionals navigating cross-border data governance.
Introduction
The quest for cloud sovereignty is not merely a political aspiration but a critical legal and economic imperative for the EU. It seeks to ensure that European data, when processed in the cloud, remains subject to European law and values, free from undue influence or access by third-country governments. This article will delve into the intricate legal developments that define this struggle, analyzing the effectiveness of current mechanisms and the enduring obstacles to the EU's goal of digital self-determination. We will explore how the interplay of EU data protection law and US surveillance legislation continues to shape the transatlantic data flow, impacting legal professionals and businesses alike.
Background
Previous attempts to facilitate data transfers, such as the Safe Harbour framework and its successor, the EU-US Privacy Shield, were successively invalidated by the Court of Justice of the European Union (CJEU). The landmark Schrems II judgment (Case C-311/18) in July 2020 specifically invalidated the Privacy Shield, citing concerns over the extensive surveillance powers of US intelligence agencies under laws like Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333 (EO 12333), and the lack of effective judicial redress for EU data subjects in the US. This ruling underscored that any data transfer mechanism must guarantee a level of protection "essentially equivalent" to that within the EU.
Analysis
In parallel, the EU has launched initiatives like GAIA-X in 2020, aiming to build an interoperable, secure, and sovereign European data infrastructure that complies with EU standards and values. GAIA-X seeks to reduce reliance on dominant non-European cloud providers (primarily US hyperscalers like Amazon Web Services, Microsoft Azure, and Google Cloud, which control a significant portion of the European market) and foster digital autonomy. More recently, the European Commission proposed the Cloud and AI Development Act (CADA) in June 2026, which aims to strengthen Europe's cloud and AI ecosystem by building EU-based capacity, encouraging localized services through procurement rules, and introducing a cloud sovereignty framework with "Union assurance levels" for public sector providers. These initiatives demonstrate a clear policy direction, yet their practical implementation and ability to truly counter the dominance of US providers and the reach of US law remain ongoing challenges.
Conclusion
For legal professionals, this environment demands rigorous due diligence when advising clients on cloud strategies and cross-border data transfers. The need for Transfer Impact Assessments, the potential requirement for supplementary technical measures (such as customer-controlled encryption), and the inherent conflict posed by the CLOUD Act mean that simply relying on adequacy decisions or standard contractual clauses may not suffice. Practitioners must stay abreast of CJEU judgments, EDPB guidance, and the development of EU initiatives like GAIA-X and the Cloud and AI Development Act to ensure compliance and mitigate significant legal and financial risks, including GDPR fines that can reach up to €20 million or 4% of global annual turnover.
Citations
- 1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- 2. Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II)
- 3. Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework
- 4. Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Public Law 115-68, 132 Stat. 121 (2018)
- 5. Executive Order 12333, United States Intelligence Activities (1981)
- 6. Foreign Intelligence Surveillance Act of 1978, Section 702
- 7. European Data Protection Board Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-U.S. Data Privacy Framework (28 February 2023)
- 8. GAIA-X: A Federated Secure Data Infrastructure (gaia-x.eu)
- 9. Proposal for a Regulation of the European Parliament and of the Council establishing a framework of measures for strengthening Europe's cloud and AI ecosystem (Cloud and AI Development Act, COM(2026) 502 final)
- 10. European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (10 November 2020)
- 11. General Court of the European Union, Judgment of 3 September 2025, Case T-553/23, Latombe v Commission
- 12. European Data Protection Board, First report under the EU-U.S. Data Privacy Framework (4 November 2024)
