Essay · May 16, 2026 · 1,100 words · 6 min

What 'EU Hosting' Actually Means in Law. Location, Jurisdiction, and Where Schrems II Still Bites.

A server in Frankfurt is not automatically GDPR-compliant. Data location and legal reach are two different things. A clarification for studios that want to use the term honestly.

Cartographic still life: an aged paper map of Europe, a lavender thread tracing a line from northern Germany to a brass pin on the continent, with a pencil and brass calipers beside them.

Many German websites carry a line like “We host in Germany” or “Location EU, EU-hosted”. What is usually meant is that the provider uses a German data centre and, by implication, all data protection questions are answered. The legal picture is less simple.

Location and jurisdiction are two things

The physical location of the servers decides where the bits sit. Jurisdiction decides who can legally reach them. The two sometimes coincide, sometimes not.

If a German studio hosts with a fully German provider (Hetzner, IONOS, a mid-sized German data centre operator), location and jurisdiction coincide. The data sit in Germany, the provider is subject to German and EU law, no other state has legal leverage.

If a German studio hosts with the German subsidiary of a US group (Amazon Web Services EMEA SARL with the Frankfurt region, Microsoft Azure with Germany West Central, Google Cloud with the Frankfurt region), the data are in Germany but the provider is additionally subject to the US CLOUD Act of 2018. The CLOUD Act allows US federal authorities to compel a US-based service provider to disclose data regardless of where the data are stored, as long as the provider has legal control over the data. A German subsidiary of a US group does not have full legal separation from its parent in that regard.

What Schrems II made of this

In July 2020 the Court of Justice of the EU invalidated the Privacy Shield in Schrems II (C-311/18). The core of the ruling: third-country transfers of personal data are permissible only if the protection level in the third country is equivalent to the EU level. For the US level, the Court had substantial doubts, mainly because of US intelligence surveillance powers (Section 702 FISA, Executive Order 12333).

The ruling means that controllers who want to use US providers must conduct a Transfer Impact Assessment (TIA). The TIA examines whether the legal situation and actual conditions in the third country guarantee protection at EU level. For US providers, this was rarely the case after Schrems II without additional technical measures such as end-to-end encryption with keys the US provider does not hold.

The 2023 Data Privacy Framework

In July 2023 the EU Commission, with Decision 2023/1795, recognised the EU-US Data Privacy Framework as an adequacy decision. For US providers certified under the DPF, transfer is again treated as adequate, and the TIA duty largely falls away for those providers.

The DPF is a political bridge, not a final answer. Max Schrems’ organisation NOYB has indicated it will challenge it (informally “Schrems III”). The European Data Protection Board, in its opinion, raised reservations on several points, especially the independence of the new Data Protection Review Court. Anyone relying on the DPF today should check the certification status of the specific provider and have a fallback plan.

Data sovereignty is not the question of where the bits sit. It is the question of who has the lever to pull them out. A server address in Frankfurt without an EU corporate structure behind it is half an answer.

What this means in practice

For a small studio that wants to use the term “EU hosting” honestly, a few practical points emerge.

First: choose a provider whose corporate structure is in the EU. Hetzner, IONOS, OVHcloud, Scaleway, StackIT and Open Telekom Cloud are examples. For smaller data centre operators, it pays to check the legal notice (Impressum) and ask about the ownership structure.

Second: when using US providers (AWS, Azure, Google), check the DPF certification status of the specific service, and run and document a Transfer Impact Assessment. Sensitive data categories (health, biometric, criminal records) deserve particular care; for these, self-hosting or an EU provider is often the more robust choice.

Third: technical measures as a fallback. End-to-end encryption with customer-held keys (BYOK) in practice prevents a US provider from disclosing readable data, because without the key it cannot deliver meaningful disclosure. This only holds if the provider never holds the key; a key merely imported into the provider's own key-management service does not achieve that. It is the most robust measure under Schrems II conditions.
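As an added illustration of this third point (example code, not the essay author's), a minimal client-side sealing routine in Go: the record is encrypted with AES-256-GCM under a key that stays with the customer, and the provider only ever receives the nonce and ciphertext. The record value is constructed, the choice of AES-GCM is an assumption, and where the customer keeps the key (on-device, own HSM or KMS) is outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredObject is everything the hosting provider holds, and therefore all a
// compelled provider could disclose: nonce and ciphertext, never the key.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds AES-GCM from a customer-held key (16, 24 or 32 bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForProvider encrypts a record on the customer's side before upload;
// only the resulting StoredObject ever travels to the provider.
func SealForProvider(customerKey, record []byte) (StoredObject, error) {
	gcm, err := newGCM(customerKey)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, record, nil)}, nil
}

// OpenWithKey recovers the record. With any key other than the customer's,
// GCM's tag check fails and no plaintext is produced, so a disclosure of the
// stored bytes alone carries no readable content.
func OpenWithKey(key []byte, obj StoredObject) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}
```

The decisive property is organisational, not cryptographic: the key material must be generated and stored where the provider has no access path to it.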

Fourth: check the architecture for whether personal data need to reach the server at all. Local-only storage on the user’s device closes the hosting question for the data concerned because the server simply does not have them. A fuller architecture perspective is in the essay Privacy by Design in Health Apps.

What supervisory authorities check

The German data protection authorities have published several notices on cloud services, especially on Microsoft 365 and comparable platforms. Audits typically examine: the data processing agreements under Article 28 GDPR, the standard contractual clauses for third-country transfer, the TIA, the technical and organisational measures taken, the processing records under Article 30. Sanctions are rarely the first step; authorities mostly work through notices and hearings, but the duties are enforceable.

Anyone promising “EU hosting” should understand what the term means. A server in Frankfurt under a US subsidiary is EU hosting in a geographic sense but not full EU hosting in a legal sense. The difference is worth knowing.

Frequently asked

Is a server in Frankfurt automatically GDPR-compliant?

No. The physical location of the servers does not decide on its own. If the cloud provider has a US parent company (for example AWS, Microsoft, Google), it can be compelled under the US CLOUD Act to hand over data to US authorities regardless of where the data are stored. Under Schrems II this reachability is treated as a problematic third-country transfer in the wider sense.

What did Schrems II decide?

In July 2020 the Court of Justice of the European Union invalidated the Privacy Shield (C-311/18). Standard contractual clauses remain valid in principle but must be supplemented by a Transfer Impact Assessment. Controllers must check whether the protection level in the third country is equivalent to the EU level. For US providers reachable under the CLOUD Act this is usually not the case without additional technical measures.

What applies under the 2023 Data Privacy Framework?

In July 2023 the EU Commission adopted the EU-US Data Privacy Framework as an adequacy decision. For US providers certified under the DPF, transfers are again considered adequate. The decision is already subject to a new challenge (informally “Schrems III”), and the EDPB has expressed reservations about its stability. Cautious controllers treat it as a bridge solution, not a permanent basis.

Which cloud providers are not reachable under the US CLOUD Act?

EU-owned providers without US corporate ties are Hetzner and IONOS (Germany), OVHcloud and Scaleway (France), StackIT (Germany), Open Telekom Cloud (Germany), Exoscale (Switzerland, not an EU member but an adequacy-decision third country). Self-hosting on owned hardware in a German data centre is another option. What matters is the corporate structure, not just server location.