Data protection in the European Union is governed by one of the world’s strictest regulatory frameworks: the General Data Protection Regulation (GDPR). For organisations operating in Europe, compliance is not optional. It is a legal obligation.
As remote collaboration has become standard across businesses, many EU organisations rely on video conferencing and cloud-based communication platforms provided by large US technology companies. While these services are widely used, questions continue to arise around data transfers, jurisdiction, and long-term compliance risks.
Understanding these issues is essential before choosing a provider.
Under GDPR, personal data transferred outside the European Union must be protected by appropriate safeguards.
This became particularly complex following the Schrems II ruling of the Court of Justice of the European Union (CJEU), which invalidated the EU–US Privacy Shield framework. The ruling emphasised that US surveillance laws may conflict with EU data protection standards, especially regarding access by intelligence authorities.
Although alternative transfer mechanisms such as Standard Contractual Clauses (SCCs) are available, organisations must still conduct Transfer Impact Assessments to evaluate whether foreign legal frameworks undermine EU data protection rights.
The key concern is not whether a platform can operate in the EU — many do — but whether its legal structure exposes EU customer data to access requests under non-EU legislation.
One of the most discussed legal instruments in this debate is the US CLOUD Act.
The CLOUD Act allows US authorities to request access to data held by US-based companies, even if that data is stored on servers located outside the United States. In practice, this means that EU-hosted infrastructure operated by a US parent company may still fall under US jurisdiction.
For organisations in regulated industries — such as healthcare, education, financial services, or public administration — this raises important compliance questions.
Even if data is stored in European data centres, legal control may not reside entirely within the EU.
Several European data protection authorities have issued opinions and guidance regarding the use of certain cloud services, particularly in public sector contexts. These discussions focus on:
It is important to note that these rulings often apply to specific configurations or public-sector use cases, rather than representing blanket bans.
However, they demonstrate that legal certainty in this area remains complex.
When selecting a video conferencing or collaboration provider, organisations should consider:
Compliance is not just about data centre location. It is also about legal control and enforceability.
For organisations seeking maximum legal certainty, one approach is to work with providers that are:
This model reduces complexity around international data transfers and minimises exposure to conflicting legal frameworks.
For many enterprises and public institutions, this is not about distrust — it is about risk management and regulatory clarity.
Digital Samba is a European video conferencing provider developed and hosted entirely within the EU. Our infrastructure is fully data-agnostic and designed to comply with GDPR requirements without reliance on transatlantic transfer mechanisms.
Because we operate exclusively under European jurisdiction, we are not subject to US extraterritorial access laws such as the CLOUD Act.
For organisations embedding video functionality into their products or platforms, Digital Samba offers a secure API and SDK solution tailored for European compliance requirements.
US-based video conferencing platforms are widely used and can be configured to align with GDPR in many contexts. However, the legal landscape surrounding international data transfers and jurisdiction remains complex.
For organisations that prioritise legal certainty, data sovereignty, and regulatory simplicity, evaluating the jurisdictional structure of their technology providers is a critical step.
Choosing a platform is not only a technical decision. It is also a legal and strategic one.
Interested in discovering why opting for GDPR-compliant video conferencing is crucial? Just shoot us a message, and we'll gladly share more information with you.