Cirran

By Michał Puchała · 2026-06-22 · 6 min read

What Recent GDPR Rulings Signal for Your Cloud Procurement

Most leaders treat US cloud GDPR compliance as a question their legal team answered once and filed away. The rulings of the past year show the answer is conditional and keeps moving, and that it belongs to procurement as much as to lawyers, well before your next renewal.

Most leaders treat the question "is our US cloud setup GDPR-compliant?" as something the legal team answered once, filed away, and need not revisit. The rulings of the last twelve months suggest that is the wrong way to hold the question. Compliance here is not a fixed yes or no. It is a conditional answer that depends on a legal framework currently being tested in court, on how a specific service is configured, and on facts that keep moving.

That matters for procurement, not just for lawyers. If your data sits with a US provider by default, the basis for that arrangement is something a board, an auditor, or a major customer can reasonably ask you to defend. This article walks through what recent enforcement and court decisions actually signal, and turns them into a short set of questions worth asking before your next contract renewal.

The legal basis for US cloud is conditional, not permanent

Most European companies that run on AWS, Azure, or Google rely, often without naming it, on the EU-US Data Privacy Framework. It is the mechanism that makes routine transfers of personal data to US providers lawful. In September 2025 it survived its first serious court challenge, when the General Court dismissed a case brought by French politician Philippe Latombe and upheld the framework's validity.

The detail in that ruling is the part worth noting. The court confirmed the framework was adequate based on the facts and the law at the time of the European Commission's 2023 adequacy decision. It did not declare the matter closed for all time, and a further challenge to the framework is widely expected to follow.

This is the third transatlantic data transfer arrangement of the past decade. The two before it, Safe Harbour and Privacy Shield, were both struck down by Europe's top court. None of this means the current framework will fall. It does mean that treating it as a permanent fixture, the way you might treat a paid-up software licence, is a misreading of the situation. A credible plan accounts for the possibility that the ground shifts.

What the big fines actually signal

The headline GDPR penalties are easy to dismiss as someone else's problem. Meta was fined €1.2 billion in 2023 for transferring European user data to the United States without adequate safeguards. In 2025, TikTok was fined €530 million for sending European users' data to China. These are very large companies with very large data flows, and a mid-market firm in Munich or Stockholm is not Meta.

The size of the fine is the distraction. The fault underneath it is narrow, repeatable, and entirely ordinary: personal data moved outside the European Economic Area without a valid mechanism to make that transfer lawful, and without a proper assessment of the risk. That is not an exotic edge case. It is the same exposure a regulated company carries whenever data sits with a US provider because that was the default option at the time.

The TikTok case involved China rather than the United States, which is the point. Regulators are not enforcing against one country. They are enforcing against the absence of a documented, defensible basis for moving data abroad at all. The lesson for a board is not "we might be fined a billion euros." It is "we should be able to show, on paper, why our transfers are lawful."

"GDPR-compliant" is now a per-deployment verdict

It is tempting to settle the question by asking the vendor. The vendor will say it is compliant. Recent decisions show why that answer is the beginning of due diligence rather than the end of it.

In November 2025, the data protection authority for the German state of Hesse concluded that Microsoft 365 can be used in a GDPR-compliant way. That sounds like a clean result until you read the conditions. The conclusion came after a 137-page review, it binds only Hesse and not Germany's other fifteen states, it rests on contractual analysis rather than a technical guarantee, and it explicitly leaves each organisation responsible for its own configuration. In other words, compliant use is possible; it is not automatic, and the brand name on the contract does not confer it.

The same period offered a sharper example. The European Commission itself was found by the EU's own supervisor to have breached data protection rules in how it used Microsoft 365, including on transfers outside the EEA. The supervisor ordered it to suspend the relevant data flows. The Commission spent the following months reworking the arrangement and was only cleared in July 2025 once the problems were remedied. If the institution that drafts European law had to rebuild its cloud arrangement to satisfy the regulator, "it is a well-known product, it must be fine" is not a position a private company should rely on either.

The questions that belong in vendor selection and renewal

These rulings are easier to act on than to read. They translate into a short list of questions that a board can hand to whoever manages procurement, and that a serious provider should be able to answer without hesitation.

There are four worth asking. What is the legal basis for any transfer of our data outside the EEA, and is it written down? Who can access the data, and under which country's jurisdiction do they sit? What happens to that legal basis if the current framework is struck down, and how exposed are we in that scenario? And how quickly, and at what effort, could we move this data to another provider if we needed to?

The natural moment to ask is a contract renewal. As several advisers reviewing cloud GDPR risk have noted, a renewal is already a budget conversation and a review of whether the arrangement still serves the business. Adding these questions does not require a special project or an alarmed memo to the board. It requires asking them before signing, rather than after an auditor does.

Treat exposure as a standing board item, not a one-time answer

The calm way to hold all of this is as ordinary risk management. A board already tracks supplier concentration, currency exposure, and regulatory change in the markets it operates in. Where your data lives, and on what legal footing, belongs in the same category. It is not a crisis, and it does not call for ripping out working systems on principle.

What it calls for is knowing your exposure, documenting the basis for it, and having a realistic path to move if the legal ground shifts. For some organisations the honest conclusion after that review is "stay where we are, but write down why we are compliant and keep it current." For others it is "begin planning a move while there is time to do it without pressure." Both are defensible. What is hard to defend is not having looked.

The rulings of the past year are not a verdict against US cloud. They are a reminder that the answer is conditional, that it can change, and that the organisations in the strongest position are the ones who treated the question as live rather than closed.

Thinking about migration? Book a free consultation to discuss your situation.

See the European equivalent for your stack. Compare AWS, Azure, and GCP services side by side with OVHcloud, Scaleway, STACKIT, IONOS, and Hetzner.


