Charting cross-Atlantic dynamics: Shaping the future of EU-U.S. cloud sovereignty and data privacy

Disclaimer: The views and opinions expressed in this article are solely my own and do not necessarily represent the views, policies, or positions of my employer or any affiliated organizations. Any analysis or commentary provided here reflects my personal perspective and should not be construed as official advice or guidance from my company.

We live in uncertain times. Europe faces an increasingly complex global landscape. Its relationship with the United States, particularly in technology, cloud services, and data privacy, remains pivotal. The return of Donald Trump to the U.S. presidency could significantly reshape how Europe approaches its digital autonomy, cloud infrastructure, and data governance. 

Navigating a shifted landscape of cloud computing and cybersecurity

During Trump’s previous administration, there was a strong emphasis on enhancing U.S. cybersecurity defences, particularly through policies designed to restrict foreign adversaries’ use of U.S.-based cloud services. One such policy involved introducing "know your customer" (KYC) requirements for cloud providers, aimed at strengthening customer identity verification to better secure digital infrastructure.

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) further bolstered these defences by mandating that U.S. tech companies comply with court orders to provide user data to U.S. authorities, even if the data is stored internationally in a foreign jurisdiction.

While these measures primarily support U.S. law enforcement’s access to data and improve customer identity verification, their effects have reverberated globally, influencing non-U.S. entities that depend on American cloud infrastructure.

US government access powers could see stricter enforcement or even expansion. For European Union (EU) entities, such changes could complicate compliance efforts and add layers of operational and regulatory complexity, making the use of U.S.-based cloud providers potentially even more cumbersome than it is today. There is already considerable doubt that American hyperscale providers can manage EU personal data in a manner that is truly secure and can prevent unauthorised U.S. government access, since they are subject to U.S. jurisdiction. As a result, their services are not sovereign for EU customers. EU organizations may feel pressured to seek alternatives to retain compliance. Although switching cloud providers can be difficult, new regulation such as the Data Act seeks to improve choice and flexibility for cloud customers. This might lead to a shift in the cloud computing market landscape and potentially accelerate Europe’s drive toward self-sufficiency in cloud infrastructure.

Data privacy and the ongoing GDPR tensions

Europe’s General Data Protection Regulation (GDPR) has set a high standard for data privacy globally, placing individual privacy rights at the forefront. However, during his prior administration, Trump’s stance on GDPR was largely critical, with U.S. officials arguing that the stringent regulations sometimes obstructed public health and national security efforts. This tension reflects the broader differences in approach to data privacy between the U.S. and the EU, with the U.S. prioritizing data access for security, and the EU emphasizing individual privacy. Even today, there are challenges with GDRP and uncertainty about the real volume if US data requests made upon EU data, when such requests originate from FISA Section 702. Cloud providers must comply with FISA orders in a manner that protects “the secrecy of the acquisition”, which prohibits cloud providers from publishing detailed information about FISA requests. The extent and frequency of those requests are not for external consumption, as Edward Snowden discovered in 2013.

Under a Trump administration, the U.S. law enforcement and intelligence agencies might feel emboldened to press for more data access. Further, President Biden issued EO 14086 in October 2022, setting out safeguards for US intelligence activities. The order aimed, in part, to allay EU concerns over access to European personal data and paved the way for the new Data Privacy Framework (DPF) for international data transfers. It is unclear whether a second Trump administration will continue this cooperative approach. Further, under Biden’s order, US intelligence activities must pursue one of the listed “legitimate objectives”, such as to protect US national security. The US President can update the list of priorities secretly. This power will soon fall to President Trump. That said, Trump’s relationship with the U.S. intelligence agencies has been complicated at times, so it is uncertain whether he will support, or try to rein in, their powers.

These developments increase uncertainty regarding GDPR requirements, creating a challenging environment for transatlantic businesses handling sensitive data. In this context, EU authorities may be prompted to further scrutinize data transfers to the U.S. and potentially heighten barriers, if they perceive U.S. policies as undermining European data protection. Consequently, U.S.-EU data sharing and cloud service collaborations could face intensified friction, driving Europe to bolster its data privacy protections independently of the U.S. and develop an independent EU Sovereign Cloud strategy. A lot will depend on whether the Court of Justice of the E.U. (CJEU) upholds the Data Privacy Framework or strikes it down like its predecessor agreements. So, European customers might ask themselves: does a second Trump administration make a Schrems III ruling more likely?

Strategic autonomy and Europe’s push for digital sovereignty

Given the potential for increased strain on U.S.-EU digital collaboration, Europe may see a Trump presidency as a catalyst to accelerate its pursuit of digital sovereignty. European leaders are already increasingly advocating for reduced dependency on foreign technology providers, particularly in critical digital infrastructure such as cloud services, AI, and cybersecurity with regulation like the Data Act, AI Act and national security qualifications like SecNumCloud in France. Interestingly however, the EU has not chosen to include sovereign requirements in the EU Cloud Certification Scheme (EUCS), although there is considerable evidence that customers and vertical industries in the EU are concerned about jurisdictional control of secret and national data. To this end, the EU has been investing in initiatives like GAIA-X, a project aimed at creating a European cloud ecosystem that offers robust security and compliance with European privacy standards. Although adoption of GAIA-X has been limited, the initiative remains alive with a vision for European data sovereignty.

A Trump presidency may further galvanize these efforts, with European companies and governments motivated to ensure that their digital assets and data remain within a regulatory environment, under jurisdictional control, that aligns with EU and national values and priorities. By advancing sovereign cloud solutions and prioritizing privacy in digital frameworks, Europe can safeguard its data while reducing reliance on U.S. hyperscale technology—a move that is both strategic and increasingly viewed as essential for long-term sovereignty.

Future of U.S.-EU Collaboration in technology and privacy

While a Trump administration might usher in a more protectionist stance on technology and data security, it is essential to recognize the longstanding technological interdependence between the U.S. and the EU. The transatlantic partnership is foundational to innovation, cybersecurity, and economic growth on both sides of the Atlantic. Nevertheless, a Trump presidency may see this partnership redefined, with Europe prioritizing resilience, independence, and compliance with GDPR, even if that means diverging from U.S.-centric approaches.

For U.S. owned cloud data-based businesses operating in Europe, adapting to an evolving European regulatory environment will be crucial. Meanwhile, European companies will need to weigh the benefits of U.S.-based hyperscale cloud services against the regulatory challenges and potential risks posed by shifts in U.S. policies on data security and privacy.

The potential move towards a more autonomous digital Europe?

Trump’s return to the White House should highlight the need for Europe to solidify its digital sovereignty strategy. If not now, when? By fostering an autonomous cloud ecosystem and reinforcing its data privacy commitments, Europe can navigate potential challenges in U.S.-EU technology relations. A stronger, more self-reliant European digital infrastructure not only strengthens data privacy protections but also provides a stable foundation for European innovation.

As Europe continues to assert its digital autonomy, its choices will shape the future of global cloud services and data privacy standards. The developments in this domain will likely be instrumental in defining the next chapter of U.S.-EU relations—and perhaps a turning point toward a more sovereign European digital landscape.