False sense of security in SMEs: Why data privacy shouldn’t be a side issue


Digitalization offers SMEs enormous opportunities. Cloud solutions make companies scalable, flexible, and efficient. Yet the downside is often underestimated: those who entrust their data to large American tech companies rely on a sense of security that, in practice, is largely false.


The downside of American cloud solutions

Many SMEs use American cloud providers without hesitation. They are reliable, scalable, and easy to use. But there is a fundamental issue: data stored through these providers falls under U.S. legislation, as laid down in the CLOUD Act (2018). This law grants U.S. authorities the right to access data—even if that data is physically stored outside the U.S. (including in Europe).

This means that Dutch companies placing their data in American clouds do not have full control over their own information. This is at odds with the General Data Protection Regulation (GDPR), which specifically aims to safeguard the privacy of European citizens. The result: legal uncertainty, potential reputational damage, and the risk of sanctions if companies cannot meet their GDPR obligations.

Practical examples and context

Concrete cases of Dutch SMEs publicly sharing their problems are scarce—not surprising, since reputational damage is often severe. Still, reports and studies give a clear picture of the risks.

  • In 2020, the European Court of Justice ruled in the well-known Schrems II case that the Privacy Shield agreement between the EU and the U.S. was invalid, precisely because U.S. legislation (such as the CLOUD Act) failed to provide adequate protection against access by U.S. authorities. This ruling made clear that transferring personal data to the U.S. without additional safeguards conflicts with the GDPR.
  • Dutch regulators, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), have repeatedly reminded companies that they remain responsible for GDPR compliance—even when using American cloud services. See, for example, the warnings surrounding the use of Google Analytics (2022–2023), where the AP stated that data transfers to the U.S. may violate the GDPR.

These examples show that dependence on U.S. providers is not a theoretical problem, but a concrete risk that Dutch/European organizations face.

What the government says 

The importance of data sovereignty is on the Dutch government’s radar. As early as 2022, it highlighted the risks of foreign dependency in its Cloud Policy (Rijksbreed Cloudbeleid 2022). It noted that the digitalization of SMEs still lacks sufficient structural support to sustainably reduce reliance on foreign infrastructure, something crucial for the long-term resilience of our economy. Since then, the issue has only grown more urgent.

In the Progress Report on the Digital Economy Strategy (Rijksoverheid, March 7, 2025), the government emphasized that while SME digitalization is increasing, dependence on non-EU countries poses a serious threat to digital resilience and competitiveness. The government even speaks of “undesirable high-risk dependencies” and argues that stimulating European alternatives is necessary for a sustainable and secure digital economy.

The power of European alternatives

This is precisely why it is important to consciously choose European alternatives. European providers fall under the GDPR, the strictest privacy legislation in the world. That means your data is not subject to foreign laws such as the CLOUD Act. In Europe, privacy is not an empty marketing slogan but a legally enshrined right.

Moreover, European providers often operate on the principle of privacy by design: encryption, data minimization, and transparent access procedures are built into the service. As an organization, you don’t have to reinvent the wheel; privacy is at the core of the infrastructure.

Another advantage is that European providers often use open standards and flexible contracts. This reduces the risk of vendor lock-in and makes migration or scaling up easier. In contrast, many American Big Tech providers tend to lock customers into a closed ecosystem, whereas European alternatives safeguard choice and flexibility.

Finally, investing in European infrastructure contributes to Europe’s digital sovereignty. This reduces reliance on foreign tech giants and fosters an ecosystem where innovation, transparency, and privacy are leading values.

International initiatives by big players  

Even large tech companies acknowledge the growing demand for privacy protection and local control in Europe:

  • Microsoft recently announced that it would expand its cloud and AI infrastructure in Europe to strengthen the “digital resilience” of European countries, despite geopolitical and trade volatility (source: The Official Microsoft Blog).
  • Amazon Web Services (AWS) is developing a separate European Sovereign Cloud—a fully independent cloud environment within the EU, managed by EU personnel, with local infrastructure, governance, and certification—scheduled for launch at the end of 2025. This will offer greater control over data residency, operational autonomy, and compliance.

These moves show that even dominant Big Tech players recognize that European customers demand trust, control, and privacy-based infrastructure.

Why Tilaa wrote this article 

Privacy is not a side issue—it is strategic certainty. Don’t be blinded by convenience alone. False security is no substitute for real protection. By choosing European and locally managed solutions, you invest in control, trust, and continuity.

At Tilaa, we believe real security starts with transparency and ownership. We wrote this article because we see that many Dutch companies are still too often guided by the apparent convenience and reliability of Big Tech solutions.

With its products and solutions, Tilaa consciously chooses a different path: an open, independent, European approach, keeping your data within European borders and fully under GDPR protection. Our mission is clear: to help companies see privacy not as a burden, but as a strategic advantage. For us, one principle stands firm: what happens in Europe, stays in Europe.

 
