Lately, privacy experts have been warning more loudly about the risk inherent in European businesses’ dependency on US-based cloud services. Especially since the new US government took office, more and more website owners and web agencies have been switching to EU-based web hosting providers to avoid legal issues.

Soon after the new US administration took office, its actions started impacting established agreements between the United States of America and EU states. It’s becoming clearer every day that President Trump’s decisions on international political and economic matters will have a significant impact on both bilateral and multilateral agreements. One of them is the EU-US Data Transfer Agreement, and it’s at substantial risk of breaking down.

In March 2025, the German trade newspaper Handelsblatt reported a warning issued by the German Industry Association (BDI). The BDI raised concerns that if U.S. President Donald Trump cancels the Transatlantic Data Privacy Framework, it could harm businesses and create legal uncertainty. The chief counsel of the German Industry and Trade Chamber (DIHK) shares these concerns, stating that a failure of the Privacy Framework would have “grave consequences”.

The EU-US Data Transfer Agreement

The EU-US Data Transfer Agreement is a framework which, according to the European Commission’s Q&A document, “provides EU individuals whose data would be transferred to participating companies in the US with several new rights (e.g. to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data). In addition, it offers different redress avenues in case their data is wrongly handled, including before free of charge independent dispute resolution mechanisms and an arbitration panel.”

Since 1995, EU law has restricted the export of personal data outside the EU to ensure that personal information owned by EU citizens is not exposed to lax privacy standards in other jurisdictions. The law makes exemptions when the country to which personal information is exported offers a level of data protection that is “essentially equivalent” to that of the EU. In 2018, the General Data Protection Regulation (GDPR) strengthened EU privacy law and human rights law even further.

Meanwhile, the legal regime of the United States is substantially different, with national security and surveillance laws such as the Foreign Intelligence Surveillance Act Section 702 (FISA 702) and Executive Order 12333, which allow the government and its agencies extensive access to data stored by US tech firms like Amazon, Microsoft, and Google.

This fundamental difference in privacy standards has been causing tensions and legal conflicts to this day, including the annulment of two previous EU-US data transfer agreements by the EU Court of Justice in its Schrems I and Schrems II rulings.

To restore legal grounds for transatlantic data transfers, the EU Commission in 2023 introduced the Transatlantic Data Privacy Framework (TADPF). It was subsequently formally adopted in the Commission’s Implementing Decision (EU) 2023/1795. This decision, which allows EU businesses to transfer data freely to US providers, relies solely on Executive Orders and assurances from the US government. A key role in this rationale lies with the Privacy and Civil Liberties Oversight Board (PCLOB), whose responsibility it is to monitor the US government’s compliance with surveillance restrictions and privacy commitments.

The new framework has been heavily criticized by data protection and civil liberties experts. One of the main points these experts highlight is the lack of a strong codification of the safeguards underpinning the TADPF in US statutes. As there was no congressional majority to pass such legislation, the framework is based only on an Executive Order of former President Joe Biden. This shaky legal foundation leaves the TADPF at risk of being dismantled by a simple Executive Order of US President Trump.

Crumbling foundations

This risk is not just theoretical. The US government decided on January 20th that all Executive Orders of the previous administration are to be reviewed within 45 days and potentially nullified. This includes Executive Order 14086, on which the EU’s adequacy decision is based.

At the end of January 2025, President Trump dismissed three Democratic members of the PCLOB, the primary oversight body that ensures compliance with privacy commitments under the Transatlantic Data Privacy Framework. With these three members removed, there are now valid concerns about the board’s independence and effectiveness. As a consequence, as privacy advocates are pointing out, this may jeopardize the legality of transatlantic data flows. If a reassessment of the adequacy of the Data Privacy Framework by European regulators leads to its suspension, it could cause substantial disruptions to thousands of businesses whose transatlantic data transfers rely on this very framework.

It’s time to choose domestic alternatives

According to analytics firm Synergy, the market share of US-based cloud services in Europe is about 70%. Meanwhile, none of their European competitors has been able to surpass the 2% mark. The easiest way for European website owners and web agencies to regain a solid legal foundation for their data processing is to shift this imbalance.

Choosing a European data centre location alone isn’t sufficient. As long as the business entity operating the data centre is under US jurisdiction, it must obey surveillance laws like FISA, regardless of where in the world the data in question is stored. There is a clear legal advantage in choosing an EU-based hosting and infrastructure provider. (And given the latest introduction of tariffs by the US administration, probably an economic one, too.)

With freistilbox, we offer an alternative to US-based cloud services and hosting platforms. It ticks all the boxes not only in terms of performance and reliability, but also when it comes to data protection. We are an EU business registered and headquartered in Ireland. Since we started our business in 2010, we’ve been running our whole hosting infrastructure in data centres that are not only located in EU countries, but also in turn owned and operated by EU businesses.

Our customers can enjoy peace of mind, knowing that their data processing is in full compliance with GDPR regulations, without any risk of its legal foundation being shattered on a whim.

To learn more about what freistilbox can do for your hosting peace of mind, get in touch!