 Where You Store Your Data Still Matters
It's more than just the U.S. CLOUD Act

The ongoing debate in Europe about derisking from U.S. hyperscalers and service providers tends to coalesce around the impact of the U.S. CLOUD and FISA Acts on access to European citizen data and potential legal conflicts between the EU GDPR and U.S. legislation. But what is the relevance of this debate to Caribbean States?

In Europe, the debate on de-risking from U.S. hyperscalers and cloud service providers has centred on the implications of the U.S. CLOUD Act and FISA for access to citizens’ data, and the resulting legal tensions between EU GDPR requirements and U.S. law. For Caribbean states, many of which have significant reliance on extra-regional digital infrastructure and service providers, primarily from the U.S., this debate is not abstract or distant. It raises immediate and material questions about data sovereignty, regulatory compliance, national resilience, and the extent to which Caribbean governments retain effective control over sensitive public-sector and citizen data.

Firstly, Caribbean States are increasingly adopting data privacy legislation based on the EU GDPR model. Secondly, the debates currently taking place in Europe concerning the impact of U.S. legislation on EU citizen data will soon become debates in the Caribbean, particularly if the Caribbean does not learn from the European experience.

Major efforts by the European Commission, U.S. authorities, and U.S. cloud service providers have been made to reconcile the conflicting legal requirements of the EU GDPR and U.S. CLOUD and FISA Acts. U.S. hyperscalers such as Amazon, Google, and Microsoft Azure have addressed these competing legal requirements by implementing measures primarily around data and operational localisation, whereby EU citizen data is hosted in Europe, operating under European subsidiaries or dedicated European operations in an attempt to pacify and reassure major European clients (many of whom are governments) that their data is “safe” from U.S. prying eyes. The problem with all of these efforts to find legal and technical solutions is simply that there is no getting away from the fact that U.S. service providers are ultimately subject to U.S. legislation, and in this regard, the CLOUD Act contains the following explicit provision:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States

This extra-territorial reach, and its impact on data stored outside the U.S. by U.S. service providers, is borne out in an initial legal assessment by the European Data Protection Board, which concluded that:

“By choosing to create a legal avenue under U.S. law for U.S. law enforcement authorities to require disclosure of personal data directly from service providers who fall under U.S. jurisdiction, irrespective of where the data is stored….”

This conclusion is backed up by an expert opinion, prepared by legal scholars at the University of Cologne, for the German Federal Ministry of the Interior, which states that:

“The decisive factor is therefore not the physical storage location of the information, but the control over it by the affected company. This implies that even data stored in data centres on European soil and managed through German subsidiaries are subject to access. The prerequisite is that the U.S. parent company exercises ultimate control.”

These conclusions should give pause for thought to Caribbean entities, whether government or commercial, that operate under GDPR-type legislation, particularly legislation that requires data controllers (those who collect personal information for specific business reasons) to ensure that data stored in other jurisdictions is adequately protected at the level of the GDPR under which the entity operates. Clearly, based on the European experience, for data hosted by U.S. service providers, regardless of where the data is hosted, the conclusion must be that adequate protection is not available!

However, the impact of the CLOUD Act is just one facet of the significant risk posed by deploying critical applications and data with U.S. service providers.

Some may recall the June 2020 Presidential Executive Order (EO) that used the U.S.’s International Emergency Economic Powers (IEEPA) and National Emergencies Acts to sanction individuals at the International Criminal Court (ICC). That EO stated:

“By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), section 212(f) of the Immigration and Nationality Act… I, DONALD J. TRUMP, President of the United States of America, find that the International Criminal Court (ICC)… has engaged in illegitimate and baseless actions targeting America and our close ally Israel…”

Once this order was officially issued, U.S.-based service providers were required to terminate these individuals’ access to their services, apparently without notice to those affected! At one point, there was significant concern that the ICC, as an organisation, might be sanctioned. This required the organisation to rapidly derisk its reliance on U.S. service providers to ensure business continuity. There are other examples, such as the Bank of Amsterdam, where U.S.-imposed sanctions caused the company to fail. These cases underscore the sovereignty and business-continuity risks of relying on U.S. providers.

In December 2025, the U.S. State Department sanctioned several individuals who head up non-governmental organisations (NGOs) involved in anti-hate speech, disinformation, and the promotion of the EU Digital Services Act. These sanctions, while mainly focused on visa restrictions and banning entry to the U.S., were justified by the U.S. State Department as

“...decisive action against five individuals who have led organized efforts to coerce American platforms to censor, demonetize, and suppress American viewpoints they oppose. These radical activists and weaponized NGOs have advanced censorship crackdowns by foreign states—in each case targeting American speakers and American companies. As such, I have determined that their entry, presence, or activities in the United States have potentially serious adverse foreign policy consequences for the United States….”

While these sanctions are not directly impacting the use of digital services, the visa bans and official U.S. designations can have wider reputational and financial effects on NGOs and their leaders because banks and service providers may treat such designations as high-risk. In addition, these sanctions can be seen as the opening salvo by the U.S. administration.

But what has this got to do with the Caribbean?

With geopolitical tensions rising in the Caribbean, particularly involving the U.S. and Venezuela, Caribbean governments hosting critical systems and data with U.S. cloud service providers could face exposure to potential sanctions depending on their political stance. It is critical to understand that it will not matter where the services are located, in Canada, Europe, etc. If a country or organization is sanctioned by the U.S. government, then U.S.-based service providers, such as Amazon, Microsoft, and Google, will have to comply and potentially terminate access to services.

This poses a significant risk to governments in the region, perhaps an even greater risk than the impacts of natural disasters, such as hurricanes, earthquakes, and volcanic eruptions. 

Beyond sovereignty and resilience, there is a broader issue of regional capacity building in ICT services, which is very much on the political agenda. While U.S. hyperscalers reinvest nothing locally, Caribbean entities such as commercial enterprise members of the Caribbean Data Centre Association, the Caribbean Association of National Telecommunication Organizations (CANTO), and the Caribbean Telecommunications Union (CTU) continuously invest in people and infrastructure across the Caribbean, creating skilled jobs and strengthening local ICT ecosystems. U.S. hyperscalers are a drain on foreign currency reserves!

Sovereignty and Resilience are not a zero-sum game. In the Caribbean, both can be achieved; it's already happening!