This post is only available in English.

The Data Privacy Framework holds. That is not the same as safe.

Melious

In February 2025, a US executive order sanctioned Karim Khan, the chief prosecutor of the International Criminal Court. In the months that followed, Khan lost access to his Microsoft email and moved to Proton Mail, a Swiss provider. Microsoft's president, Brad Smith, says the company never ceased or suspended its services to the ICC, and its account of what happened to Khan's access differs from the press reports. The exact mechanics are still contested. What is not contested is the reaction: the case set off a wave of European debate about reliance on US technology, and in October 2025 the ICC confirmed it was moving from Microsoft Office to the open-source suite OpenDesk, a shift it says is still under way.

The politics of that case are not the subject here, and we are not taking a side on them. Strip them away and one fact remains. A US company, under pressure from US law, stopped being a neutral utility for a European institution. Whether Microsoft pushed the button or the customer did, the dependency was the story.

That is the loud version of a problem most teams carry quietly. The Khan case was visible because a service disappeared. The Cloud Act works the other way around. Nothing disappears. Data becomes reachable, and you are not told. For anyone running an LLM stack on a US provider, that quieter version is the one worth understanding, because it touches every prompt you send.

What the Cloud Act actually does

The 2018 Cloud Act lets US authorities compel any US provider to hand over data in its possession, custody, or control, regardless of where that data physically sits. The deciding factor is who controls the data, not where it lives. A server in Frankfurt run by a US company is still reachable. Your European data center address changes the geography, not the jurisdiction.

There is a release valve, and it is worth being precise about how small it is. A provider can file a motion to quash an order, but only under narrow conditions, mainly when the customer is not a US person and disclosure would breach the law of a qualifying foreign government. Europe's data protection authorities have stated plainly that a provider subject to EU law cannot base a disclosure on a Cloud Act request alone. In practice, providers facing a valid order tend to comply. It is a narrow exception, not a shield.

This is also where the Cloud Act collides with European law directly. Under GDPR Article 48, a court order from a third country is only a valid basis for disclosure if it rests on an international agreement such as a mutual legal assistance treaty. A Cloud Act order, on its own, is not that. So a US provider serving an EU customer can be placed in a position where one legal system compels disclosure and the other prohibits it. The provider picks which law to break.

Why the Data Privacy Framework does not solve this

Here is the part most coverage gets wrong, and where you can earn the DPO's trust by being accurate. The EU-US Data Privacy Framework is in force. In September 2025, the EU General Court dismissed the Latombe challenge and confirmed the framework's validity. Anyone telling you that US providers are simply illegal under GDPR is overstating it. One detail matters, though. The court assessed the framework only as it stood when the Commission adopted it in 2023, and expressly declined to rule on anything that has changed since. It confirmed the framework as of 2023, not as of today.

But the framework governs commercial data transfers. It does not change US lawful-access rules. The Cloud Act applies whether or not a provider self-certifies under the framework. The two instruments answer different questions: one is about whether you may move data to the US, the other is about whether the US can reach into it once a US company controls it.

And the framework is the third attempt, not a settled state. Safe Harbor was struck down in 2015 and Privacy Shield in 2020, both over the same issue: US surveillance law and the lack of meaningful redress for EU citizens. Latombe has already appealed the 2025 decision to the Court of Justice (case C-703/25 P, filed October 2025), and as of mid-2026 no hearing date had been set. If the higher court rules against the framework, it would be the third consecutive invalidation. You are not building on bedrock. You are building on the third version of a structure whose first two versions collapsed for a reason that has not gone away.

What this means for an LLM stack specifically

Inference is a data flow. Every prompt you send to a model provider is content leaving your control: customer records in a support workflow, source code in a coding assistant, internal documents in a RAG pipeline. If that provider is subject to US law, that flow is exactly what the Cloud Act reaches.

This is the gap a DPO sees that an engineer often does not. The model quality conversation and the jurisdiction conversation are separate. You can pick the best model on the benchmark and still have placed your most sensitive data inside a legal system you do not control. The EU data center in the vendor's pricing page does not close that gap, because, again, jurisdiction follows control, not location.

The honest part

Two things, because the case for sovereignty is weaker when it oversells.

First, US providers are not illegal to use. Data sovereignty is not, by default, incompatible with engaging a provider outside the EU. For plenty of workloads with no personal or sensitive data, the Cloud Act exposure is a risk you can rationally accept. The right move is to assess it, not to panic about it.

Second, and this is the trade-off we will not hide: a sovereign, EU-hosted, open-weight stack does not give you frontier reasoning. If your use case genuinely needs the top of GPT-5 or Claude on the hardest reasoning tasks, an open-weight European stack is a real compromise, not a free upgrade. For most production work you will not feel that gap. For some, you will. Be honest with yourself about which one you are.

What actually changes the jurisdiction

There is one architecture that does not relocate the problem: a provider that is not subject to US law in the first place, meaning an EU legal entity, EU hosting, and models whose weights you are not renting from a company a US court can compel. That is the difference between moving your data somewhere you can see less of it and moving it somewhere a foreign government cannot reach by default.

This is where Melious fits, stated once and without a pitch. Melious is built exactly that way: a German company serving 60+ open-weight models on European infrastructure, OpenAI- and Anthropic-compatible, with no US or APAC fallback in the request path. The legal entity is in the EU, the hosting is in the EU, and the models are open weight, so no US company controls the inference and none can be compelled to hand it over.

The third time

The Data Privacy Framework is valid today. That is worth saying plainly, because the honest position is not that US providers are illegal. The honest position is narrower and harder to dismiss. The framework is the third version of a structure whose first two versions were struck down over US surveillance law, the one thing that has not changed. A challenge is already pending before the Court of Justice.

So the question is not whether the framework holds this year. The question is what you want your stack standing on when the court rules for the third time. You can answer that after the fact, on a migration deadline someone else sets. Or you can answer it now, while it is still your call.

Sources