Hosted in the EU isn’t enough: Schrems II, the US CLOUD Act, and where whistleblower data lives

“We host in the EU” has become the default reassurance from cloud vendors. For ordinary business data, it is often enough. For a whistleblowing channel — which holds reporter identities, allegations, and the names of accused colleagues — it is only half the answer. The other half is who can be legally compelled to hand that data over.

The Schrems II problem

In July 2020 the Court of Justice of the EU struck down the EU–US Privacy Shield in what became known as Schrems II. Transfers of personal data to the United States are no longer covered by an adequacy decision; each transfer must be assessed and safeguarded on its own. If a US provider appears anywhere in your processing chain, that legal burden falls on you. For data as sensitive as a whistleblower’s identity, it is a burden most organisations should not be carrying.

The CLOUD Act reaches across borders

Physical location is not the same as legal jurisdiction. The US CLOUD Act (2018) allows US authorities to compel any US-based provider to produce data it controls — regardless of where in the world that data is stored. FISA Section 702 surveillance is a separate but parallel exposure. A US cloud provider’s EU region still sits within reach of US law, even if the servers are in Europe.

What genuine EU data residency looks like

  • The provider is incorporated in the EU — not just renting an EU region from a US cloud
  • Data centres are located in the EU
  • No US sub-processors anywhere in the processing chain
  • The result: no CLOUD Act or FISA exposure, and no need for Standard Contractual Clauses — because the data never leaves the EU/EEA

How Whistlechannel is set up

Whistlechannel is EU-incorporated and hosts exclusively in Stockholm, with no US sub-processors. Reporter data stays inside the EU end to end. Combined with no IP logging and AES-256 encryption, this keeps the most sensitive part of your compliance programme out of foreign legal reach. If a vendor cannot tell you exactly where its data centres are and under which jurisdiction the company that controls them operates, treat that as a red flag.

Ready to comply with EU Directive 2019/1937?

Get started in minutes. No installation, no commitment, no credit card required for trial.