Weighing Up Data Residency: U.S. Versus EU Software Providers

Today the landscape of data residency, privacy and security is a complex feature in technology environments as organisations grapple with legitimate concerns about data security. Organisations from both the private and public sector need to understand how data residency can create a number of issues and increase data security risks, including third party access to data. Businesses who are concerned about the protection of their data need clear cut knowledge that their data is safe from both cyber-attacks and international law enforcement agencies, especially when there are discrepancies between data storage in Europe and in the U.S.

Weighing Up Data Residency: U.S. Versus EU Software Providers


For clients who are shopping for a software solutions provider in Europe or in the U.S., the main difference is that the U.S. does not have one single federal data privacy and security law, which will guarantee the security of their data.

 However, the EU does, in the form of the GDPR legislation (General Data Protection Regulation) which was enacted in May 2018. The European Commission sought with GDPR to make ‘Europe fit for the digital age’ while also strengthening ‘individuals fundamental rights in the digital age’ and ‘facilitating businesses by clarifying rules for companies and public bodies in the digital single market’. 510 million EU residents benefit from stringent GDPR legislation. For businesses who wish to entrust their data to a European server, they can rest assured that the legislations stringent policies apply to their data including increased obligations of transparency, greater record keeping, stricter rules around obtaining consent for data processing and specific data breach notification obligations to name a few changes . For businesses who trade and serve EU customers, they must adhere to the GDPR or face a huge fine, (4% of annual global income or 20 million euros; whichever amount is higher).


Americans have long felt the tension between security needs and personal privacy, with an intensive post 9/11 focus on government surveillance to prevent similar attacks. A 2014 pew research study found that ‘91% of Americans “agree” or “strongly agree” that people have lost control over how personal information is collected and used by different entities’. Another recent Ovum report found that for businesses, ‘the U.S. is the least trusted country for respecting privacy rights, behind China and Russia’.

 For businesses of all shapes and sizes, two major legislative acts are critical to understanding data privacy and security: 


The USA Freedom Act is short for the “Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-Collection and Online Monitoring Act “in full, is legislation designed to place stricter limits on NSA surveillance. The USA Freedom Act was passed by Congress after many controversial provisions of the controversial USA Patriot Act expired in 2015. However, the act still retains essentially invasive privacy provisions as the Patriot Act, which had been quickly passed in the wake of 9/11. The NSA reported that it collected under the “specific selection term”  more than half a billion records of  metadata in 2017. NSA programmes such as PRISM, the controversial programme which allows U.S. authorities access to private user data both in the U.S. and abroad and Bullrun, designed to undermine encryption standards both nationally and internationally were not reformed.


The Cloud Act is known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act, was passed by Congress in 2018.

Put simply, the legislation states that tech and cloud computing companies must comply with official demands for data regardless of their location. It also allows the president of the U.S. to enter into agreements with other nations for the explicit purpose of exchanging stored data. This law enables U.S. investigators to demand information about foreign nationals (not just U.S. citizens), provided it was held on an overseas server controlled by a US company.


DiliTrust solutions are in full compliance with the GDPR. Our technology is compatible with your privacy. As a French owned company, your private data is stored in France, Canada and the UAE and is not subject to U.S. data legislation .All software from DiliTrust, including the DiliTrust Exec board portal and DiliTrust Governance corporate legal software solution, uses extra security measures to guard against data breaches and cyber-attacks. Your data remains under your control with our secure software solutions.