Data sovereignty: why non-US regulators treat US-held Dropbox data as exposed

When the EU's top court struck down the Privacy Shield framework in its 2020 Schrems II ruling, its core objection was not about any one company but about US surveillance law. FISA Section 702 authorizes US intelligence agencies to collect the communications of non-US persons held by US providers without individualized warrants, and Executive Order 12333 permits broad signals collection; the court held that European data subjects had no adequate remedy against this. The CLOUD Act compounds the exposure by letting US authorities demand data from US-based providers no matter where it is stored.

The consequence, regulators and legal analysts have stressed, is that contractual fixes such as Standard Contractual Clauses cannot cure a statutory surveillance problem: a US provider's legal obligations under FISA and the CLOUD Act override its contractual promises to customers. As a US-headquartered company, Dropbox falls squarely inside this category — the concern is about the jurisdiction it answers to, not about any alleged wrongdoing on its part. Even providers running EU 'data boundary' programs have conceded they cannot guarantee EU data is beyond US government reach.

This is the surveillance-and-government-access dimension of the broader EU data-transfer dispute: for a European, Australian or other non-US Dropbox user, the unavoidable fact is that their files are held by an entity legally compellable by a foreign intelligence and law-enforcement apparatus.