GDPR, Schrems II & the CLOUD Act: Why EU Businesses Are Leaving US-Hosted Commerce


Key Takeaways

Last verified: March 2026

Regulation: GDPR requires lawful processing, data subject rights, breach notification within 72 hours, and privacy by design for any platform handling EU customer data. Schrems II adds mandatory supplementary measures for US data transfers.

The SaaS problem: Shopify Plus, BigCommerce, and Salesforce Commerce Cloud operate under US jurisdiction. The CLOUD Act lets US law enforcement compel them to hand over EU customer data, regardless of where it is stored.

The solution: Self-hosted, open source platforms deployed on EU infrastructure eliminate CLOUD Act exposure entirely. You control data location, encryption keys, and legal jurisdiction.

Penalties: GDPR fines reach 4% of global annual revenue or 20 million euros, whichever is higher.

What Does GDPR Mean for eCommerce in 2026?

If your eCommerce platform is US-hosted, your EU customer data is one subpoena away from US law enforcement. That’s not a hypothetical risk. It’s the legal reality of the CLOUD Act, and it’s the reason GDPR compliance now starts with hosting jurisdiction.

The CJEU upheld the EU-US Data Privacy Framework in September 2025, signaling temporary relief for transatlantic data transfers. But the structural tension hasn’t gone away: the US CLOUD Act (18 U.S.C. § 2713) lets US law enforcement compel US-headquartered companies to hand over customer data stored anywhere in the world. Shopify, BigCommerce, and Salesforce Commerce Cloud all face this legal duty. So does any US-investor-backed SaaS platform. See the European Commission’s GDPR overview for the full regulatory framework.

The enforcement environment has real teeth. In 2025, the Irish Data Protection Commission fined TikTok 530 million euros for failing to protect EEA user data (Irish DPC, September 2025). For a mid-market eCommerce operator generating 10 million euros in revenue, a single GDPR violation could mean a 400,000 euro fine (GDPR Article 83 sets the ceiling at 4% of global annual revenue or 20 million euros).

The question EU businesses are asking has shifted. It’s no longer “Is our SaaS vendor GDPR compliant?” It’s “Do we own our infrastructure and eliminate foreign legal exposure entirely?”


What Does GDPR Require from Your eCommerce Platform?

Eight obligations apply the moment your eCommerce platform processes a single EU customer order: lawful processing, data subject rights, breach notification, processor oversight, privacy by design, data retention controls, transfer safeguards, and impact assessments. Miss any one and you’re exposed.

As Article 44 of the GDPR states: “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country… shall take place only if the conditions laid down in this Chapter are complied with” (Regulation (EU) 2016/679, Chapter V).

That makes hosting jurisdiction a compliance requirement, not an operational preference.

| Requirement | What It Means for Commerce | Technical Implementation |
|---|---|---|
| Lawful Basis (Articles 5-6) | You must have a legal reason to collect and process customer data | Implement explicit consent mechanisms; document lawful basis for each data category |
| Data Subject Rights (Articles 15-22) | Customers must be able to access, correct, erase, restrict, port, and object to processing of their data | Build data export, deletion, and access request functionality; respond within 30 days |
| Breach Notification (Articles 33-34) | Notify your Data Protection Authority within 72 hours of discovering a breach | Implement breach detection, incident response plans, and automated alerting |
| Processor Obligations (Articles 28-32) | Every third-party vendor handling customer data must sign a Data Processing Agreement | Maintain processor inventory; audit sub-processor compliance; specify data location controls |
| Privacy by Design (Article 25) | Data protection must be built into platform architecture from day one | Conduct threat modeling; encrypt sensitive data; implement least-privilege access |
| Data Retention (Article 5c) | Keep customer data only as long as necessary for the stated purpose | Document retention schedules; automate deletion of expired data |
| Transfer Mechanisms (Chapters 4-5) | Transfers outside EU/EEA require SCCs, BCRs, or adequacy decisions; Schrems II mandates supplementary measures for US transfers | Vet all third-party vendors; implement encryption with EU-held keys; avoid US-jurisdiction processors |
| Data Protection Impact Assessment (Article 35) | High-risk processing requires risk assessment before launch | Conduct DPIA; document risks and mitigation; maintain records for 3+ years |

Industries Affected by GDPR and Data Sovereignty Requirements

GDPR applies to every industry, but Schrems II and the CLOUD Act hit hardest where data sensitivity and regulatory overlap compound. These are the sectors where US-hosted SaaS creates the most exposure:

The pattern is consistent. Any industry where data sensitivity, regulatory overlap, or client trust matters is moving away from US-hosted SaaS.


Why Do SaaS Platforms Fail GDPR and Schrems II Compliance?

The problem isn’t that SaaS vendors haven’t gotten around to GDPR. The problem is architectural. Three structural limitations make US-hosted SaaS incompatible with full Schrems II compliance, and no amount of DPA negotiation fixes them.

The jurisdiction problem. Every US-headquartered SaaS platform operates under CLOUD Act jurisdiction. The law compels US companies to disclose customer data to US law enforcement regardless of where it’s stored. Your DPA with Shopify or BigCommerce clarifies liability allocation. It does not block a CLOUD Act subpoena.

The shared tenancy problem. SaaS platforms run on shared infrastructure. For GDPR requirements like data isolation, controlled access logging, and jurisdiction-specific hosting, shared tenancy is a structural barrier. You rely on your vendor’s security controls, not your own.

The sub-processor chain problem. Cross-border data transfer complaints to EU regulators increased 38% year-over-year, with SaaS platform sub-processor chains cited as a recurring source of compliance gaps (Irish DPC Annual Report 2024). Every SaaS dependency introduces vendors you haven’t vetted, operating under jurisdictions you don’t control.

Your DPA protects you from your vendor. It does not protect you from their government.

| Data Sovereignty Capability | Shopify Plus | BigCommerce | Salesforce Commerce Cloud | commercetools |
|---|---|---|---|---|
| EU Data Residency | Ireland data center, but US parent access | Limited EU availability; US parent access | Frankfurt region available; US parent access | EU-hosted regions, but US-investor-backed |
| CLOUD Act Exposure | Subject to US subpoena via parent company | Direct US company; subject to US subpoena | Direct US company; subject to US subpoena | US-investor-backed; potential US access |
| Source Code Audit | Proprietary, held in US | Proprietary, held in US | Proprietary, held in US | Proprietary, held by US-backed parent |
| Self-Hosting Option | SaaS only | SaaS only | SaaS only | SaaS only |
| Encryption Key Control | Vendor-managed | Vendor-managed | Vendor-managed | Vendor-managed |
| Transfer Impact Control | No user control over supplementary measures | Limited DPA negotiation | DPA available; US parent retains access | DPA available; US investor network limits guarantees |

EU data residency does not equal EU data sovereignty. These vendors offer EU data centers, but as long as the parent company falls under US jurisdiction, the CLOUD Act creates a legal pathway to your customer data that no DPA can block.


How Self-Hosted Open Source Commerce Meets GDPR Requirements

Here’s what changes when you own your infrastructure: every Schrems II supplementary measure becomes a deployment decision instead of a vendor negotiation. Data location, encryption keys, access policies, legal jurisdiction — you control all of it. No third-party dependency gaps.

| GDPR Requirement | How Self-Hosted Commerce Meets It | Spree Enterprise Feature |
|---|---|---|
| Data Sovereignty | Deploy on your own EU infrastructure; control physical location and access logs | Run on AWS Ireland, GCP Frankfurt, Azure Germany, or on-premises servers |
| CLOUD Act Mitigation | No US parent company holds your data or responds to US subpoenas | Spree is open source under the BSD 3-Clause license; you own the instance entirely |
| Encryption Control | Manage your own encryption keys in EU jurisdiction | AES-256 at rest, TLS 1.3+ in transit; keys held in your infrastructure |
| Processor Transparency | Choose only EU-based vendors; maintain your own processor inventory | Integrate any payment processor, CDN, or analytics tool you select |
| Data Subject Rights | Build export, deletion, and access request workflows into your platform | Full API access to all customer data; automated retention and deletion |
| Breach Response | Control your own detection, logging, and notification timelines | Admin action logging and API audit trails on your infrastructure |
| Privacy by Design | Architect data protection into your deployment from day one | Separate customer data, payment info, and admin logs at the application level |
| Audit Readiness | Maintain tamper-proof audit trails on infrastructure you control | Integration with ELK Stack, Splunk, or any centralized logging platform |

For organizations that must achieve GDPR and Schrems II compliance while running commerce at scale, a self-hosted open source platform with built-in data sovereignty controls provides the strongest architectural fit. Spree Enterprise delivers these capabilities natively: deploy on any cloud or on-premises, audit every line of code under the BSD 3-Clause license, and integrate any payment processor without vendor lock-in.

When you self-host, you become the Data Controller with full authority over processing conditions. Your infrastructure, your encryption keys, your audit logs, your legal jurisdiction. No US parent company sits between you and your compliance posture.


Architecture and Deployment for GDPR-Compliant Commerce

A production GDPR architecture starts with one question: where does your EU customer data physically live? The answer determines your hosting, your encryption strategy, and your legal exposure.

Hosting and data residency. Deploy on EU-sanctioned cloud providers with explicit data residency commitments:

For strictest enforcement, prefer German-based infrastructure where local data protection authorities are most active.

Encryption and key management. AES-256 at rest, TLS 1.3+ in transit. Encryption keys must stay in EU jurisdiction using AWS KMS EU, Azure Key Vault EU, or a local Hardware Security Module. No cloud provider should hold your master keys. Segment data by sensitivity:

Network isolation. VPC segmentation keeps customer data servers in a private subnet, payment processing in a PCI-compliant zone, and analytics in a separate non-production network. All admin access goes through VPN with multi-factor authentication. Deploy intrusion detection and WAF rules against OWASP common vulnerabilities.

Breach response. Document your 72-hour notification procedure with designated DPA contacts and prepared communication templates before you need them.

Spree’s provider-agnostic architecture means you choose any cloud, any region, any payment processor. Switch providers without touching your commerce application.


GDPR Compliance by Industry

For industry-specific compliance guidance on GDPR and data sovereignty, see:

| Industry | Region | Key Commerce Challenge | Deep Dive |
|---|---|---|---|
| EU Automotive Manufacturing | EU | Connected vehicle data under GDPR + Cyber Resilience Act + NIS2 | EU Automotive eCommerce Compliance (coming soon) |
| EU AgriTech | EU | Farm data and supply chain records under GDPR + CAP digital rules | EU AgriTech eCommerce Compliance (coming soon) |
| Luxury Goods | EU/Global | Exclusive customer lists and brand protection under GDPR | Luxury eCommerce Compliance (coming soon) |
| HealthTech | EU/US | Patient data under GDPR + MDR + national health data laws | HealthTech eCommerce Compliance |

Each sector faces a distinct combination of GDPR obligations layered on top of industry-specific regulation. The deep dive guides above cover platform architecture, data residency patterns, and vendor selection criteria tailored to each industry’s compliance stack.

For UK-specific data protection requirements under the Data Protection Act 2018 and the Data (Use and Access) Act 2025, see the UK Data Act eCommerce compliance guide.


Build Data-Sovereign Commerce with Spree

For EU and UK businesses that must guarantee GDPR compliance and eliminate CLOUD Act exposure, a self-hosted open source platform with full data sovereignty controls provides the most direct path to compliance.

Spree Enterprise gives your team full control over infrastructure, data, security, and compliance. Deploy on your own EU infrastructure, audit every line of code under the BSD 3-Clause license, and integrate any payment processor without vendor lock-in. Your data, your jurisdiction, your rules.

Talk to the Spree Team | Explore Spree Enterprise

Frequently Asked Questions

Does the EU-US Data Privacy Framework eliminate CLOUD Act concerns?

No. The CJEU upheld the DPF in September 2025, but the framework only covers companies that self-certify and demonstrate adequate safeguards. The CLOUD Act remains unresolved: it permits US law enforcement to compel US companies to disclose data stored anywhere, regardless of data protection laws. Any US-headquartered SaaS platform (Shopify, BigCommerce, Salesforce) still faces potential US government demands for EU customer data. Self-hosting on EU infrastructure with non-US platforms eliminates this exposure.

Is Shopify GDPR compliant after Schrems II?

Shopify offers a DPA and Ireland data centers, but Shopify Plus operates under US parent company control. US law enforcement can issue CLOUD Act subpoenas to Shopify’s US corporate entity, compelling disclosure of EU customer data regardless of where it is stored. Shopify’s DPA clarifies liability allocation between you and Shopify. It does not shield your customer data from a US subpoena. For full Schrems II compliance, use self-hosted infrastructure where no US entity holds your data.

What is the difference between a DPA and Standard Contractual Clauses?

A Data Processing Agreement (DPA) is a contract between you (the Data Controller) and your vendor (the Data Processor), specifying what data the processor accesses, how they use it, and their security obligations. Standard Contractual Clauses (SCCs) are EU-approved contract templates for international data transfers. Post-Schrems II, SCCs alone are insufficient for US processors. You must add supplementary measures like encryption with EU-held keys, access restrictions, and jurisdictional safeguards.

What happens if I transfer customer data to a US SaaS platform without proper safeguards?

Your Data Protection Authority can investigate, find a Chapter 5 GDPR violation, and issue a fine up to 20 million euros or 4% of global annual revenue. The DPA can also order data transfers to stop immediately, forcing an emergency platform migration. Customers can file complaints and claims for damages. For a 10 million euro revenue company, a single violation could result in a 400,000 euro fine plus the cost of unplanned migration.

What are supplementary measures under Schrems II?

Supplementary measures are technical and organizational safeguards that prevent US authorities from accessing EU customer data even when a CLOUD Act subpoena is issued. Examples include encryption with keys held only in EU jurisdiction, data minimization (sending only necessary data to processors), split storage (sensitive data in EU, non-sensitive elsewhere), and contractual limitations on processor cooperation with foreign government demands. These measures do not prevent subpoenas, but they make the data technically inaccessible.
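The supplementary measures named here (keys held only in the EU, split storage, data minimisation) and the key-management paragraph in the architecture section above, shown in working Ruby as an added example; this is not Spree's code. It assumes AES-256-GCM from Ruby's standard OpenSSL binding, an AWS KMS-style key ARN for the residency guard, and a constructed sample order; in production the 32-byte data key is unwrapped from the EU-region KMS or HSM rather than generated in the process.

```ruby
require "openssl"
# EU-region allow-list for the master key location (constructed, not exhaustive).
EU_KEY_REGIONS = %w[eu-west-1 eu-central-1 eu-north-1 eu-west-3 eu-south-1].freeze
# Customer fields that may only leave the EU-controlled database as ciphertext.
SENSITIVE_FIELDS = %w[email phone shipping_address].freeze

# Deployment guard: reject a master key whose ARN places it outside an EU region.
# Assumes the AWS KMS ARN layout arn:aws:kms:<region>:<account>:key/<id>.
def eu_resident_key?(key_arn)
  parts = key_arn.split(":")
  parts[0..2] == %w[arn aws kms] && EU_KEY_REGIONS.include?(parts[3])
end

# AES-256-GCM with "<order_id>:<field>" as associated data, so a ciphertext cannot be
# swapped into another order or column unnoticed. Returns base64(iv || tag || ciphertext).
def encrypt_field(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv            # 12-byte nonce, fresh for every field
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv + cipher.auth_tag + ciphertext].pack("m0")
end

# Raises OpenSSL::Cipher::CipherError on a wrong key, wrong AAD or tampered blob.
def decrypt_field(key, blob, aad)
  raw = blob.unpack1("m0")
  iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag            # must be set before auth_data when decrypting
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final
end

# Split storage: sensitive fields are encrypted under the EU-held key before the row
# is written; order metadata stays in clear for reporting.
def protect_order(key, order)
  order.to_h do |field, value|
    aad = "#{order['order_id']}:#{field}"
    [field, SENSITIVE_FIELDS.include?(field) ? encrypt_field(key, value, aad) : value]
  end
end

# Data minimisation: a non-EU processor receives only the allow-listed fields.
def payload_for_processor(order, allowed_fields)
  order.slice(*allowed_fields)
end
```

Decrypting a stored field with another order's id in the associated data fails with OpenSSL::Cipher::CipherError, which is what stops a ciphertext being re-attached to a different customer's record.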

If I self-host, am I fully exempt from CLOUD Act exposure?

For your core commerce data, yes. When you host on EU infrastructure with a non-US platform vendor like Spree (open source, BSD 3-Clause license), US authorities have no legal standing to compel disclosure. However, if you use US-based integrations for analytics, CDN, or payment processing, those specific vendors may still be subject to subpoenas for data they process. Minimize US vendor dependencies across your entire stack to minimize residual CLOUD Act exposure.

Let's use Spree to build exactly what your business needs