Cloud capacity routing and the untested GDPR risk

Every enterprise cloud agreement in use today contains a fundamental and largely unremarked mismatch between standard engineering practice and European regulatory requirements. 

When shared compute infrastructure reaches capacity within a given jurisdiction, work is automatically routed to the nearest available location with spare capacity. This is not a flaw, an oversight, or a cost-cutting measure. This is how large distributed systems are designed and how they should be operated.

However, this standard engineering practice now stands in direct tension with the requirements of European data protection law. 

All providers correctly state that data remains encrypted while in transit between regions. On this point, there is no disagreement. The disagreement begins once that data arrives at its destination. For any processing to occur, the data must be decrypted. At exactly this point, legal consensus breaks down entirely. No court has yet issued a definitive ruling on this specific scenario. 

Service providers maintain that this arrangement is fully compliant under existing transfer frameworks and standard contractual clauses. The European Data Protection Board has published formal guidance that reaches the exact opposite conclusion. 

At this moment, no final judgment exists. No fines have been issued for this specific behavior. At the same time, every national data protection authority across the European Union is currently conducting audits that explicitly include this routing practice. 

This creates an unusual and material level of risk for European companies. While the legal position remains entirely unresolved, existing regulations allow for penalties up to 4% of global annual turnover. 

Providers will correctly point to contract clauses confirming that data at rest remains within declared regional boundaries. They will reference all applicable transfer frameworks and standard contractual provisions. None of these clauses or frameworks operates at the exact moment that local capacity is exhausted. 

It is entirely possible that regulators will ultimately decide against issuing large fines for this behavior. It is equally possible that legislators will adjust the rules to resolve this conflict. Regardless of the eventual legal outcome, organizations operating regulated workloads will need to take a position on this risk in the near term.

At this point, organizations have only two operational options. They may disable cross-region failover entirely and accept reduced performance and periodic unavailability during peak load periods. Or they may move regulated workloads to sovereign dedicated infrastructure operated within the European Union, designed from the outset not to implement cross-border routing. These are the only available paths forward today.
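As an added illustration of the trade-off described above (this is not code from any cloud provider; the region names, capacities and distances are constructed for the model), the following Python snippet models capacity routing with and without a jurisdiction pin. It records every placement that would decrypt data outside the workload's home jurisdiction, which is the event an auditor would want to see logged, and shows the cost of pinning: once local capacity is exhausted, pinned workloads are rejected rather than spilled abroad.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Region:
    name: str
    jurisdiction: str  # constructed labels, e.g. "EU" or "US"
    capacity: int      # number of workload slots before the region is full
    used: int = 0

    def has_room(self) -> bool:
        return self.used < self.capacity


@dataclass
class Placement:
    workload: str
    region: Optional[str]  # None means the workload was rejected
    cross_border: bool     # True if decrypted outside the home jurisdiction


def pick_region(home: str, regions: Dict[str, Region],
                distance: Dict[str, int], pin_jurisdiction: bool) -> Optional[Region]:
    """Prefer the home region; otherwise the nearest region with spare capacity.

    With pin_jurisdiction=True, regions in another jurisdiction are never
    candidates, so the caller gets None (unavailability) instead of spillover.
    """
    home_region = regions[home]
    if home_region.has_room():
        return home_region
    candidates = sorted((r for n, r in regions.items() if n != home),
                        key=lambda r: distance[r.name])
    for r in candidates:
        if pin_jurisdiction and r.jurisdiction != home_region.jurisdiction:
            continue
        if r.has_room():
            return r
    return None


def simulate(n_workloads: int, home: str, regions: Dict[str, Region],
             distance: Dict[str, int], pin_jurisdiction: bool) -> List[Placement]:
    """Place n_workloads one after another and record where each landed."""
    placements: List[Placement] = []
    home_jurisdiction = regions[home].jurisdiction
    for i in range(n_workloads):
        region = pick_region(home, regions, distance, pin_jurisdiction)
        if region is None:
            placements.append(Placement(f"job-{i}", None, False))
        else:
            region.used += 1
            placements.append(Placement(f"job-{i}", region.name,
                                        region.jurisdiction != home_jurisdiction))
    return placements


def build_regions() -> Dict[str, Region]:
    # Constructed topology: two small EU regions and one large non-EU region.
    return {
        "eu-west": Region("eu-west", "EU", capacity=2),
        "eu-central": Region("eu-central", "EU", capacity=1),
        "us-east": Region("us-east", "US", capacity=10),
    }


# Constructed "distance" from eu-west; lower is nearer for spillover purposes.
DISTANCE = {"eu-west": 0, "eu-central": 1, "us-east": 5}


def summarise(placements: List[Placement]) -> Dict[str, int]:
    return {
        "placed": sum(p.region is not None for p in placements),
        "rejected": sum(p.region is None for p in placements),
        "cross_border": sum(p.cross_border for p in placements),
    }


if __name__ == "__main__":
    # Default provider behaviour: spill to the nearest region with capacity.
    spill = simulate(5, "eu-west", build_regions(), DISTANCE, pin_jurisdiction=False)
    print("spillover :", summarise(spill))
    for p in spill:
        if p.cross_border:
            print("  cross-border decryption:", p.workload, "->", p.region)
    # Pinned behaviour: stay inside the jurisdiction, accept rejections at peak.
    pinned = simulate(5, "eu-west", build_regions(), DISTANCE, pin_jurisdiction=True)
    print("pinned    :", summarise(pinned))
```

In the spillover run, five EU-homed workloads fill eu-west and eu-central and the last two land in us-east, which is exactly the moment the piece describes. In the pinned run, the same two workloads are rejected instead. Whichever side of that trade-off an organization chooses, the `cross_border` flag is the record worth keeping, because it is the evidence a regulator would ask for.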