Microsoft is opening European sovereignty centres in Amsterdam, Brussels, and Munich. Amazon is launching a ‘European Sovereign Cloud’ out of Germany. Google is announcing new sovereignty features for its European cloud customers.
Sounds good. But one expert already named it for what it is: sovereignty washing.
Big Tech understands European concerns about data — and they’re playing them smartly. Servers in Frankfurt, Amsterdam, Ireland. European flags on the marketing page.
But here’s the problem: it doesn’t only matter where the server is. What matters is where the parent company is headquartered.
Microsoft, Google, and Amazon are American companies. They fall under the CLOUD Act — a US law that compels them to hand over data to American authorities, regardless of where that data is physically stored. An American court can force them to surrender your files without your knowledge, and European law does not necessarily prevent this.
GDPR still applies to American providers serving European customers. However, it primarily governs how companies process personal data within the EU. It does not automatically prevent foreign legal authorities from requesting access under their own national laws.
Many organisations and users assume that storing data in Europe guarantees full legal protection. In practice, the situation can be more complex.
The key question is simple: where is the parent company headquartered? Forget the location of the servers, what matters is where the company itself is legally based.
A company founded in Europe, European‑owned, and operating primarily under European jurisdiction is structurally different from an American provider with mere European data‑centres. The former is structurally less exposed to the CLOUD Act. The latter is, no matter how “European” the branding looks.
Other indicators include legal transparency, open source technology and no advertising model that relies on monetising user data.
Sovereignty is ultimately determined by legal structure, not marketing promises.
We wrote about European alternatives here.
This is no longer a theoretical risk. In recent years, several legal frameworks governing EU–US data transfers have been challenged or even invalidated. At the same time, U.S. authorities have broad powers to request data from American tech companies even when that data is physically stored in Europe.
For businesses, this creates uncertainty around compliance and liability. For individuals, it means less control over who may ultimately gain access to their information.
There is no reason to panic. But there is a reason to make a conscious choice about where your data is hosted and which legal system it ultimately falls under.
If the goal is to minimise exposure to foreign jurisdictional claims, legal structure plays a central role.
In practice, stronger forms of digital sovereignty often involve European-based providers, transparent technology, robust encryption models, and meaningful user control over access and keys.
Because in the end, sovereignty is shaped less by where servers stand and more by who holds legal authority.
