In committee meetings, the same line of reasoning comes up time and again. “We’re GDPR-compliant, so we’re in control.” The statement is reassuring—and it’s false. The GDPR protects individuals against the misuse of their data. It says nothing about your dependence on a provider, nothing about the origin of your infrastructure, and nothing about foreign law that may take precedence over it. These are two distinct issues. We confuse them because they share one word—“data”—and because the word “sovereignty” has come to serve as a buzzword for everything related to European digital affairs.
Let’s examine the two issues side by side, without using one to justify the other.
What the GDPR Does, Exactly
Regulation (EU) 2016/679, applicable since 25 May 2018, has a specific purpose: to protect natural persons with regard to the processing of their personal data. It is neither an infrastructure bill nor an industrial policy. It grants rights to individuals and imposes corresponding obligations on those who process their data.
For individuals, it establishes enforceable rights: access, rectification, erasure, portability, objection, and restriction. You can demand to know what information is held about you, have it corrected, have it erased, or have it returned to you in a reusable format. For organizations, it imposes obligations on the data controller—the entity that determines the purposes of processing—and on the data processor—the entity that processes data on behalf of the controller. All processing must be based on one of six legal grounds: consent, the performance of a contract, a legal obligation, the protection of vital interests, a task carried out in the public interest, or a legitimate interest. Outside of these six categories, processing is unlawful.
Two principles structure the rest. Data minimization: only the data necessary for the stated purpose is collected, not a broader set kept "just in case." Purpose limitation: data collected for one purpose cannot be freely reused for another. Added to this are the security requirement (Article 32), the obligation to notify the supervisory authority of a personal data breach, where feasible within seventy-two hours of becoming aware of it (Article 33), and the data protection impact assessment for high-risk processing operations (Article 35). That is the scope. It is consistent, rigorous, and entirely focused on protecting the individual.
What It Does Not Do
Nothing within this scope affects industrial or technological sovereignty. The GDPR does not prohibit AWS, Azure, or Google Cloud. It regulates how personal data is processed on these platforms and requires safeguards, but it does not dictate from whom to purchase infrastructure. A company can host all of its systems with a U.S. hyperscaler and remain fully compliant, provided it adheres to the legal bases, data minimization, and security obligations, and puts a valid transfer mechanism in place for any personal data that leaves the Union.
The regulation does not create any local offerings. It does not fund data centers, does not foster the emergence of European providers, and does nothing to reduce the continent’s dependence on a handful of foreign players. That is not its role, and to attribute such an intention to it is to misinterpret the text.
Nor does it prohibit data transfers outside the Union. It regulates them. A transfer to a third country is lawful if it is covered by an adequacy decision, by appropriate safeguards such as standard contractual clauses or binding corporate rules, or, in narrowly defined cases, by one of the derogations of Article 49. Since Schrems II the exporter must also verify that the law of the destination country does not undermine those safeguards in practice, and add supplementary measures where it does. Regulating is not the same as preventing. European data flows, legally, to jurisdictions whose law differs from ours.
And it does not resolve the issue of the CLOUD Act. This 2018 U.S. law allows U.S. authorities to compel a provider subject to U.S. jurisdiction to produce data in its possession, custody, or control, regardless of where that data is stored. The GDPR has its own rule for such requests: under Article 48, a third-country court order or administrative decision is recognized only if it rests on an international agreement such as a mutual legal assistance treaty. But that rule binds the controller and processor under EU law; it does not change the provider's legal affiliation. The conflict of laws remains intact. Compliance with the regulation does not eliminate the application of foreign law to your provider.
Where Does the Confusion Come From, and Why Does It Persist?
The confusion has a logical origin. The GDPR is the best-known European digital law, the most widely publicized, and the only one that executives can cite off the top of their heads. When looking for a symbol of the continent’s digital autonomy, it is the GDPR that comes to mind, for lack of any other equally visible reference point. Europe legislated where others were content with general terms and conditions: this regulatory lead was mistaken for a lead in power.
This shift was fueled by the language used. By repeatedly referring to control over data processing as “data sovereignty,” we implied that protecting data meant shielding it from any foreign influence. Marketing did the rest. Demonstrating GDPR compliance has become a reassuring selling point, and that reassurance has morphed into an implicit promise of independence. The confusion persists because it serves a purpose: it allows one to check a “sovereignty” box without changing anything about one’s infrastructure.
The Two Issues That Must Be Kept Separate
We must keep two distinct threads separate and accept that they do not overlap. GDPR compliance is a matter of protecting individuals: Are we processing their data lawfully, fairly, with the proper legal bases and safeguards? Dependence on infrastructure is a matter of industrial sovereignty: on whom do we depend to run our systems, under which jurisdiction does that provider fall, and can we switch providers without having to rewrite everything?
These two axes are orthogonal, and all four combinations exist in reality. One can be compliant and dependent: an SME that is fully compliant, with all its systems hosted by a hyperscaler subject to the CLOUD Act. One can be non-compliant and sovereign: a government agency that hosts its systems on SecNumCloud-certified infrastructure but collects data without a legal basis and disregards individuals’ rights. One can be both, or neither. The only impossible scenario is the one that prevailing discourse takes for granted: that compliance automatically leads to sovereignty. It does not.
The Schrems II case demonstrated this unequivocally. In July 2020, the Court of Justice of the European Union invalidated the Privacy Shield, the adequacy decision then governing data transfers to the United States, on the grounds that U.S. surveillance law did not guarantee protection essentially equivalent to that of the Union. It upheld the standard contractual clauses, but only on condition that the exporter assess whether the law of the destination country undermines them and add supplementary measures where it does. Formal compliance was no longer sufficient, because foreign law still reached the data despite all the contractual safeguards. The adoption of a successor framework, the EU-U.S. Data Privacy Framework, in 2023 reopened a lawful transfer route; it did not change which law binds the provider. The problem brought to light was not a flaw in data processing: it was a matter of jurisdiction and dependence. The GDPR served to reveal the sovereignty issue. It was never the tool capable of resolving it.
For business leaders, the conclusion is clear. GDPR compliance is necessary, and it is non-negotiable. But simply checking that box says nothing about your dependence on the infrastructure, nor about the law that may apply to your provider. These are two separate projects, two budgets, two decisions. To confuse them is to believe that one issue is resolved by addressing only the other.
Sources
- Regulation (EU) 2016/679 (GDPR), official text
- CNIL, fact sheets on legal bases, data minimization, and transfers outside the EU, cnil.fr
- CJEU, Schrems II judgment, Case C-311/18, July 16, 2020
- CLOUD Act (United States, 2018)
- European Data Protection Board (EDPB), recommendations on international data transfers