Does your organisation rely on American cloud services such as Amazon Web Services or Google Cloud? Then you’ve probably already asked yourself: “Can we really trust the American cloud?”
That question has never been more relevant than since Trump took office in January.
And the experts agree: No, you can’t trust them. American cloud services could become illegal overnight within the EU.
– An exit strategy is the bare minimum – but truthfully, American cloud services should never have been chosen in the first place. The fact that US authorities have access to the data has been known for years, says Mikael Setterberg, cloud expert at Bahnhof.
So what’s actually going on? Let’s start from the beginning.
The United States has a law, the CLOUD Act, that gives US authorities the right to demand access to personal data from American companies – regardless of where in the world that data is stored.
“A provider shall […] disclose the contents of a wire or electronic communication […] regardless of whether such communication, record, or other information is located within or outside of the United States.”
To enable the use of American cloud services within the EU without violating GDPR, an agreement exists: the Data Privacy Framework (DPF). It functions as a firewall between US surveillance and European data protection, based on the principle that American companies commit to handling personal data in accordance with GDPR.
To oversee DPF compliance, the US has an oversight body: the Privacy and Civil Liberties Oversight Board (PCLOB). However, since President Trump removed all three Democratic members in January 2025, the board has been left powerless. Only one member remains, rendering the organisation effectively paralysed.
Carl Heath, an expert on digital sovereignty at the Swedish research institute RISE, warns in an interview with Svenska Dagbladet that American cloud services could suddenly become illegal. This could happen either through the European Commission revoking the US’s DPF adequacy decision, or through a presidential order from Trump invalidating the agreement entirely.
Many Swedish companies turn a blind eye to the risks. Mikael Setterberg encounters them regularly:
– They bury their heads in the sand and hope someone else will fix it, he says.
A major part of the problem is the feeling of being locked into American cloud infrastructure. Changing providers seems complicated and expensive. But it doesn’t have to be.
It’s easier than you think – and you don’t have to do it alone.
Here’s how to start:
1. Map out which American services you and your organisation use.
2. Evaluate European alternatives.
3. Start by moving the simplest systems first.
Wondering how your organisation should deal with its dependency on American cloud services?
Get in touch with us to explore how we can help you find a secure exit from the American cloud.
