Blog | 03 December 2025
Max Schrems: Why US clouds are still a risk for the public sector
When Max Schrems took to the stage at eGovernment Days, it quickly became clear why he remains one of Europe's most influential voices on privacy. As the lawyer behind Schrems I and II, the cases that brought down Safe Harbour and Privacy Shield, he has fundamentally changed the rules of the game for how the EU views international data flows and the cloud solutions on which we build our digital lives.
His keynote speech, "Schrems III or Trump I? What's next?", put into words what many in the public sector had already sensed: regulation, geopolitics and the cloud have become intertwined. And this reality affects all organisations that handle sensitive data.

The server matters less than many think
One of Schrems' clearest points was the difference between location and jurisdiction. The GDPR protects individuals in the EU, but US laws, such as FISA 702, can still give US authorities access to data held by companies with links to the US. This applies regardless of where the servers are located.
This means that storage "in the EU" is not a guarantee in itself if the provider is also subject to US law.
Max Schrems calls it sovereignty washing
Schrems was particularly critical of the way some global cloud providers market "sovereign" or "EU-regional" solutions. Such offerings may create a sense of security, but if the company is American, the same legal risks remain. He calls the phenomenon "sovereignty washing". It is a bit like greenwashing or pinkwashing: promises of sovereignty sound good in marketing but don't hold up legally.
This underlines something crucial: decisions made in Washington can, in practice, affect services used by the public sector here at home, without either Sweden or the EU having been part of the process. When a global supplier is subject to US law, both national data and critical functionality can be affected, completely outside our own regulations.
Continued risk in third countries
Another important part of the talk was about the GDPR and the mechanisms that are often mentioned as the solution to third-country transfers, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Schrems was clear here. As long as the provider is American, FISA 702 takes precedence, regardless of contracts, encryption or European border solutions.
This means that even the new frameworks do not change the fundamental risk.
At the same time, his organisation is already working on the basis for a possible Schrems III. The timetable is affected by other court cases, but Schrems believes that large parts of the current transfers between the EU and the US may be reconsidered.
In other words, the uncertainty will persist for a long time to come.
Schrems reminds us that digital sovereignty is about more than technology. It's about being able to guarantee stability, trust and predictability in everyday life. This is where the choice of a Swedish cloud service becomes an important part of the whole.