In my work with business owners and individuals sourcing web hosting, one of the questions I never seem to get is “Where are your servers located?”
Call it trust or naivety, but I have found that far too many people trust that slapping GDPR on a website is enough to prove that data is safe and secure.
But look a bit deeper into the news and legal precedent, and you will start to see a growing problem with data sovereignty when it comes to foreign jurisdictions requesting data on servers not located in your country.
You may not think it matters where your web hosting company is located right now, but something as simple as geography can have a massive impact on whether or not your data is as secure as you think.
It is helpful to think through this in a practical scenario. Imagine that you sign up with a major cloud provider with servers in Frankfurt, Germany. You are a German company, your customers are European, and everything looks good from a GDPR standpoint. Why? Because your data is in Europe.
But here is the problem you may not notice until something goes wrong: your hosting company is based in the USA.
It seems like a minor point, but it can lead to big issues. Under the US CLOUD Act (passed in 2018), American companies can be compelled by US law enforcement to hand over any data stored on servers anywhere in the world.
The data could be in Singapore. Or on your new cloud provider’s server in Frankfurt. The law extends US jurisdiction to data wherever it currently lives, as long as a US company controls it.
The US CLOUD Act has been a decade in the making. In 2013, the FBI issued a warrant demanding the seizure of emails from a specific Microsoft account. The emails were stored on Microsoft’s servers in Dublin, Ireland, and Microsoft fought the warrant.
That fight went all the way to the US Supreme Court, and Congress resolved the issue with the CLOUD Act. But rather than protecting the data, the CLOUD Act instead codified the government’s ability to seize data anywhere in the world, essentially making it easier for the FBI and other US law enforcement to access data they deem necessary for any number of reasons.
Google faced a similar situation when a federal magistrate ruled that Google must comply with a government warrant to turn over data on foreign servers, without a mutual assistance treaty or larger international process.
And in 2025, Microsoft’s legal counsel confirmed to the French Senate that it could not guarantee data sovereignty for EU customers if they faced a US government request.
GDPR compliance has become the standard for European web hosting, so many assume that meeting the expectations of GDPR means they are covered. But GDPR’s protections only apply to how data is processed and transferred, not what happens if a foreign government serves a warrant.
And though you may never intend for this to happen, you cannot always control what data may pass through your web host’s servers.
Article 48 of the GDPR does note that data should not be transferred to foreign authorities except through legal methods like mutual assistance treaties. But did you know that a CLOUD Act order can bypass that structure entirely?
The order goes straight to the US company, and they are legally required to comply, often under a gag order that prevents their clients or customers from knowing it has happened.
That is not to say the European authorities are not aware of this. The Schrems II decision in 2020 invalidated the EU-US Privacy Shield framework because of US surveillance laws like the CLOUD Act.
But at the end of the day, you still need to know the reality of the current situation. Your web hosting company being GDPR compliant is a great foundation. But if there is a US company in the mix, your data could still be reached by a US warrant.
There are some countries that are taking steps, or acting on past legal precedent, to protect data, which could create a framework for other countries moving forward.
Switzerland, which is not an EU member, operates under its own framework. The Federal Act on Data Protection (FADP) provides strong privacy protections that are independent of the US and the EU. In short, a US CLOUD Act order has no direct authority over a Swiss company running Swiss infrastructure.
Finland is another example. Unlike Switzerland, Finland is an EU member, which means GDPR applies alongside Finland’s own constitutional protections. This combination of country-specific and EU-aligned legal processes creates stronger judicial oversight over any data requests.
Reporters Without Borders ranks Finland among the top three countries in the world for its commitment to digital rights and free expression. For anyone weighing the two, it is worth understanding how Finland and Switzerland compare as hosting jurisdictions in practice.
What does this mean for you? While no country is impenetrable, there are clear examples of legal frameworks at play that are not subject to American override.
There was a time when “data sovereignty” was a niche term that only activists or journalists had to think about. But in a globalized world full of personal data, sovereignty has become a much more serious issue for every business owner.
“But I’m just trying to get a website hosted. What does this have to do with me?”
More than you might think. Look beneath the surface, and you will see that data is everywhere. Lawyers are dealing with privileged communications. Healthcare providers are managing and sharing patient records. Fintech companies are trying to build their businesses while managing data across different regulatory realities.
That is why your web host’s country matters. Choosing a host country is not only about protecting yourself from data access under legislation like the CLOUD Act; it also starts the conversation about digital privacy and data sovereignty as a whole.
What may seem like a simple choice in the transaction process could play a massive role in how your data is, or is not, protected. And depending on your industry or your clients or customers, you could be putting your reputation on the line.
Adding this new layer of data protection via location means you need to get a bit more granular in your choice of web hosting. It is time to start asking about any potential provider’s privacy credentials:
Do not take statements like “We take data seriously” as a guarantee. It is time to educate yourself on jurisdictions and legal frameworks, and bring that knowledge to every conversation you have.
If you are making a hosting decision, the country where the data center lives deserves much more than a footnote in the paperwork. Jurisdiction is no longer a technical detail buried in the fine print. It is one of the first questions worth asking, both for businesses and for the people they serve.