Legal Opinion · CLOUD Act · GDPR

Data Protection Reality: What US Cloud Providers Don’t Tell You

Many companies believe their data is secure – because it sits with Microsoft, Google or AWS in a German data centre. That is an expensive illusion.

„GDPR-Compliant“ Is Not Protection – It’s Marketing

A legal opinion from the University of Cologne, prepared on behalf of the German Federal Ministry of the Interior (March 2025) and published via an IFG request, makes it unmistakably clear:

The physical location of data is legally irrelevant.

What matters is who controls the data.

As long as a US parent company exercises control – regardless of whether the server is in Frankfurt, Amsterdam or Dublin – US law applies. Period.

The Three US Laws That Override Your GDPR

CLOUD Act

Obliges US companies worldwide to hand over data to US authorities – even if that data is stored in Germany. German subsidiaries are expressly included.

Section 702 FISA

Allows US intelligence agencies to surveil non-US persons outside the USA – without a judicial warrant. An annual certification by a secret US court is sufficient.

Executive Order 12.333

Enables intelligence agencies to access data abroad without the cloud provider’s involvement – by exploiting technical vulnerabilities. No right of appeal, no notification.

What Microsoft Itself Confirmed Under Oath

On 10 June 2025, Anton Carniaux, Chief Legal Officer of Microsoft France, stated before the French Senate:

„Non, je ne peux pas le garantir.“

– Anton Carniaux, Chief Legal Officer Microsoft France, before the French Senate, 10 June 2025

He could not guarantee that European users‘ data would not be handed over to US authorities – even when stored exclusively in EU data centres. This applies structurally to all US cloud providers: Microsoft Azure, Google Cloud, Amazon AWS.

What Really Protects – And What Doesn’t

Measure Protection
„Data centre in Germany“❌ No protection – CLOUD Act still applies
Standard Contractual Clauses (SCCs)❌ Insufficient – legally disputed
„Sovereign Cloud“ by Microsoft/Google❌ Still a US parent company
Encryption with provider⚠️ Partial – provider usually holds the key
BYOK (Self-managed keys, EU)✅ Significantly better – but complex
EU provider with no US ties✅ Full protection from CLOUD Act

What This Means for Your Company

If you process personal data of your customers via US cloud services:

  • There is no effective GDPR protection in an emergency – regardless of your contractual arrangements
  • A Data Protection Impact Assessment under Art. 35 GDPR is mandatory – not optional
  • Supervisory authorities can impose fines – even if you acted in good faith
  • Your liability risk is real – especially when voice or health data is involved

Voice Data: The Underestimated Risk Category

Anyone using AI-powered voice systems – for customer service, phone assistance or internal communication – transmits conversation content in real time to US-controlled servers with US providers (OpenAI, Google, Microsoft).

Voice is a biometric category under Art. 9 GDPR. This significantly increases liability risk.

The Solution: European Infrastructure – From Day One

At gofonia.de we consistently rely on infrastructure without US dependence:

  • Voice processing on EU servers with no US parent company
  • No data transfer to US providers during operation
  • Transparent architecture – you always know where your data is and who has access
  • GDPR-compliant not as a marketing promise, but as a technical fact

Sources & Further Information

  • Legal opinion of the University of Cologne (March 2025), published via FragDenStaat
  • Hearing of Microsoft Chief Legal Officer before the French Senate, June 2025
  • CJEU rulings on Safe Harbor (2015) and Privacy Shield (2020)

Do you have questions about your current cloud strategy and the risks for your company?

Contact us – we analyse your situation and show you concrete alternatives.

Get in touch →