Schrems II and why a region label isn’t a legal jurisdiction.

When the Court of Justice of the European Union ruled on Privacy Shield in July 2020, it made the structural point counsel keeps coming back to: where the data physically sits matters less than which legal regime can compel access to it. It is the same logic counsel raises about cross-border data flows in any direction.

“The limitations on the protection of personal data arising from the domestic law of the United States … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”

Court of Justice of the European Union, Case C-311/18 (Schrems II), 16 July 2020, paragraph 185.

The Schrems II ruling (Case C-311/18) invalidated the EU-US Privacy Shield framework over a structural distinction: where the servers physically sit is not the same property as which legal regime can compel access to the data on those servers. The Court was specific about its reasoning:

“Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes.”
— CJEU, Case C-311/18, paragraph 180

The CJEU was applying European data-protection law to a specific cross-border arrangement. The structural point generalizes: the legal jurisdiction of the entity controlling the infrastructure is a distinct property from the geographic region where the data is stored. Counsel anywhere can run the same analysis against any jurisdiction pairing. Canadian privacy counsel raises a parallel question about the US CLOUD Act of 2018, which extends US legal process to data held by US-headquartered entities “regardless of whether such communication, record, or other information is located within or outside of the United States” (18 U.S.C. §2713). The point isn’t that any particular country’s law is good or bad; the point is that the law applying to the vendor and the law applying to the data location can be different, and counsel needs to evaluate which is which.

France’s national cybersecurity agency, ANSSI, codified the same distinction in its SecNumCloud qualification framework: a qualified sovereign cloud provider must be operationally and contractually independent of legal regimes outside the EU (« immunisée aux droits extra-européens », “immune to non-European law”). The intent is the same wherever counsel sits: the jurisdiction applying to the vendor should be a deliberate, knowable choice — not an artifact of which region label appears on the bill.

If your counsel is evaluating which legal regime governs your AI audit data, Mandate is built so the answer is concrete and verifiable. The infrastructure is Canadian-owned and runs under Canadian law. The jurisdiction is a documented, structurally enforced property of the product, not a marketing claim. The point isn’t which jurisdiction is the “right” one; it’s that your counsel gets a concrete, verifiable answer rather than having to infer one from a region label.

Talking to counsel about AI vendor jurisdiction?

Mandate makes vendor jurisdiction a knowable, documented property your counsel can verify. The first conversation covers your environment, your jurisdictional posture, and whether Mandate is the right fit.

contact@mandateco.ca  ·  1-905-630-1908