Data across borders¶
Data does not stay in the jurisdiction that collected it. Two sets of instruments move it, and the strictest domestic protection may not survive the crossing.
Cooperation instruments¶
Mutual Legal Assistance Treaties and EU frameworks for police and judicial cooperation let a member state request data or evidence held by another state’s authorities, or by companies operating there. These are legitimate tools. They are also a route by which data gathered under one jurisdiction’s rules becomes reachable under another’s. The speed and transparency of these processes vary, and their existence means the tightest national safeguards do not fully contain data once it has moved.
The transatlantic transfer problem¶
The larger, unresolved crossing is the one to the United States. Most EU internet traffic, cloud storage and platform services pass through or are processed by systems under US jurisdiction, and so are exposed to US legal process regardless of where the data or the person sits. The EU has tried three times to bridge the gap between its data-protection standards and US surveillance law. Safe Harbor was struck down by the Court of Justice in 2015 (Schrems I). Its successor, Privacy Shield, was struck down in 2020 (Schrems II). The current arrangement, the EU-US Data Privacy Framework, took effect in July 2023 and is already under challenge: the General Court upheld it in September 2025 in Latombe v Commission, a ruling now appealed to the Court of Justice, and noyb has signalled a broader “Schrems III” challenge, arguing that changes to the independence of US oversight bodies have undermined one of the framework’s pillars.
Running underneath all of this is the US CLOUD Act, which lets US authorities compel US-based providers to hand over data they control wherever in the world it is stored. For a European organisation on a US cloud, that is a standing exposure that no choice of data-centre location fully removes.
Last reviewed: 2026-07-08.