
Why EU Businesses Are Reconsidering Data Localization Amid U.S. Data Sharing Fears

  • Marc Shull
  • Jul 24

As data privacy becomes a central pillar of business strategy in the digital age, companies operating across borders are facing increasingly complex choices about where and how to store and process personal data.  For businesses in the European Union, the stakes have never been higher.  Mounting concerns over the handling of personal data by U.S. authorities — exacerbated by specific actions under former President Donald Trump’s administrations — are accelerating a trend toward data localization.  In this article, we explore the reasons why interest in data localization among EU businesses is growing, how U.S. government practices have undermined trust, and whether these practices align with U.S. law and international expectations for data privacy.


What Is Data Localization?


Data localization refers to the requirement that personal data be stored and processed within the borders of a specific country or region, rather than being transferred or accessed abroad.  For EU-based companies, this often means avoiding storage of data in countries without adequate data protections, even with cloud providers who promise compliance with the EU’s General Data Protection Regulation (“GDPR”).


The EU’s GDPR authorities put a premium on ensuring that personal data of EU residents is handled with stringent safeguards, especially when transferred outside the EU.  Any non-EU country receiving EU personal data must offer an "adequate" level of protection.  At a federal level, the United States has struggled to meet that threshold in the eyes of the Court of Justice of the European Union, which invalidated both Safe Harbor and later Privacy Shield agreements.  While the current Data Privacy Framework (“DPF”) is already under heavy scrutiny and is likely to be invalidated for largely similar reasons as Safe Harbor and Privacy Shield, recent actions by the Trump administration have added to the concerns about the DPF’s survivability.


Data Sharing Under Trump: A Foreseeable Breach of Trust?


Several controversial U.S. government actions under the two Trump administrations have elevated European concerns over U.S. surveillance and data misuse.  Perhaps the most emblematic are the Executive Orders and practices around providing access to personal data, including legally protected medical and taxpayer data, by Immigration and Customs Enforcement (“ICE”).  Coupled with IRS data sharing with ICE, sensitive data sharing with DOGE, multiple Executive Orders that remove protections for EU residents, and an attempted purge of the US Privacy Board, these form part of a broader data-sharing strategy that is deeply concerning to businesses and governments obligated to protect the personal data they possess.


Medicaid Data Shared with ICE


One of the most unsettling revelations was the announcement of the sharing of Medicaid personal data with ICE on July 17th, 2025.  The data sharing covers all 79 million Medicaid recipients including all U.S. citizens, not just those thought to be illegal immigrants.  Providing access to all recipients demonstrates processing far beyond what is necessary to achieve their objective, a violation of the basics of data privacy law.  It also demonstrates a willingness to compromise the privacy of its own citizens, which could logically lead other countries to conclude that if a country does not respect the privacy laws that protect its own citizens, there is no credible reason to conclude they will protect the personal data of non-citizens.


From a European perspective, this is highly problematic.  Health data is classified as special category data under the GDPR and is subject to even stricter protection.  The idea that such data could be accessed and used by a law enforcement agency without judicial oversight raises serious concerns not just from an ethical standpoint but also in terms of legal adequacy for personal data transfers.  In other words, it raises the question: what will corporations do when the White House orders them to turn over customer data?


Moving the data out of U.S. jurisdiction may not completely solve the issue, but it provides a barrier that better protects consumers and corporations.


Internal Revenue Service Data Shared with Immigration and Customs Enforcement


On April 7, 2025, the IRS and ICE formalized a data agreement to share sensitive taxpayer data in support of deportation efforts.  This was a notable shift from the IRS’s long-standing commitment to data privacy, one which “IRS attorneys warned likely violated privacy laws”.  This breach of long-standing policy was shortly followed by resignations from Trump’s own IRS Commissioner appointee, along with the IRS’s Chief Privacy Officer, Chief Financial Officer, and Chief Risk Officer.


Executive Orders and the Expansion of U.S. Surveillance Powers


During the previous Trump administration, two Executive Orders were signed that directly conflicted with the protections provided to EU residents under the GDPR.

  • Executive Order 13768: (“Enhancing Public Safety in the Interior of the United States”) signed in January 2017.  “Sec. 14. Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”  This Executive Order was found to be unconstitutional later that year, and was formally rescinded in 2021 on Biden’s first day in office, but it made clear that the Trump administration did not intend to respect the data privacy of foreign individuals.

  • Executive Order 13873: ("Securing the Information and Communications Technology and Services Supply Chain") signed in May 2019.  While aimed at securing infrastructure, this Executive Order broadly empowered the U.S. government to block or monitor foreign communications and technology, potentially putting EU data processed in the U.S. under greater surveillance.  This Executive Order is still in place.


Similarly, Executive Order 12333, originally signed by President Reagan but still in effect, allows U.S. intelligence agencies to collect data from non-U.S. persons without a warrant.  This Executive Order has long been a sore point for EU regulators, especially because it lacks the transparency, redress mechanisms, and judicial oversight required under EU law.


Are These Practices Legal Under U.S. Law?


Surprisingly to many Europeans, many of these data-sharing practices do not violate U.S. law, and some are under debate.

  • The Health Insurance Portability and Accountability Act (“HIPAA”) allows for data disclosures without patient consent for law enforcement purposes.  While HIPAA restricts unauthorized disclosure of health data, it carves out exceptions for public safety, legal proceedings, and government functions.

  • There is no federal constitutional right to informational privacy in the U.S. equivalent to the protections in the EU Charter of Fundamental Rights.  Data privacy rights do exist in some U.S. states, but they form a patchwork that is inconsistent in its protections and has exceptions similar to HIPAA’s.

  • Executive actions, such as the use of Executive Order 12333 or Executive Order 13873, are largely unchecked by courts unless challenged on constitutional grounds—a process that can take years.


This legal gap between the U.S. and EU systems explains why EU regulators have repeatedly struck down U.S.-EU data transfer frameworks such as Privacy Shield.


Are U.S. Personal Data Protections Business Friendly?


The answer is increasingly “no”, particularly for companies with transatlantic operations. Recent sweeping, yet inexplicably clumsy, changes to how the U.S. government treats personal data have created an increasingly unfriendly business environment that is already hurting U.S. businesses.


Newly expanded and sweeping personal data-sharing practices with law enforcement agencies and questionably legal pseudo-agencies such as DOGE, and Executive Orders directly conflicting with data privacy laws have:

  • Undermined trust in U.S.-based personal data storage

  • Triggered legal uncertainty for EU companies relying on standard contractual clauses (“SCCs”) to transfer data to the U.S.

  • Led to increased operational costs, as companies invest in additional data centers within the EU to comply with evolving interpretations of GDPR

  • Created compliance headaches for global businesses navigating both U.S. and EU legal systems


Localization Is Now at the Forefront of Data Management


Despite a growing number of state-level data privacy laws, at the federal level, the United States has taken a series of unprecedented actions that clearly demonstrate a growing gap between U.S. and EU data privacy.  The long term impact of the Trump administration’s aggressive use of personal data, particularly in immigration and surveillance contexts, has made lasting impressions on European regulators and businesses alike.


In response to these challenges, EU companies are increasingly embracing data localization as part of their data management strategy to maintain control over customer data, reduce the risk of data being accessed by foreign governments, reduce the risk of regulatory fines, and reassure privacy-conscious consumers.  To support this shift, major cloud providers are offering "sovereign cloud" or "EU data boundary" solutions to specifically address these concerns.  In the current environment, the safest route for EU businesses handling personal data is clear: keep it local, keep it compliant, and keep it under control.



This is not legal advice.

Consult with your legal team if you have questions about data localization.




Photo Credit: Krzysztof Hepner on Unsplash
