Your AI might be breaking EU law. And nobody told you.
I recently built a matchmaking agent for a client that connects industry needs with academic research areas. At some point a simple question came up: is this actually GDPR-compliant? It opened a rabbit hole I didn't expect.

The assumption most companies make

The instinct is to point at the EU data center on your AI provider's marketing page. Frankfurt. Amsterdam. Dublin. Problem solved.

Except it isn't.

There's a US law called the CLOUD Act that most people building with AI have never heard of. It gives American authorities the legal right to demand data from any US-incorporated company, regardless of where the servers physically sit. OpenAI, Anthropic, Google, Microsoft: all US companies. All subject to this law. The EU data center on their website doesn't change that.

EU servers. US law. Your contract doesn't fix it.

This isn't a niche legal technicality. It's the question your data protection officer will eventually ask, and the answer most companies aren't prepared for.

What actually exists on the other side

Fully EU-sovereign providers do exist. The honest tradeoff is capability. You won't get the frontier US models from a provider that sits cleanly outside US jurisdiction. But for most business use cases (summarization, document analysis, customer support, knowledge management) the gap is smaller than you think.

And it's closing. Last week Aleph Alpha and Cohere announced a merger, explicitly positioning themselves as the first serious EU-side attempt to bridge it. Not frontier-class yet. But the direction is clear.

The practical question for any company building with AI right now isn't "which model is best?" It's "which model is best for this specific data, and who can legally access it?" Most teams are only asking the first one.
What to do about it

I mapped the full landscape in EU AI Providers and GDPR: What's Actually Compliant, including which providers actually hold up under strict review, what a proper data processing contract needs to say, and a simple framework for matching your data sensitivity to the right provider before someone else does it for you.

If you've been pointing at the EU data center on your provider's marketing page, it's worth fifteen minutes to understand what that actually does and doesn't protect.

P.S.: If this newsletter has been useful to you, I'd love a short testimonial. It helps more than you'd think. Takes 30 seconds.