AI PrivacyMarch 21, 2026· 12 min read

EU vs US data processing for AI: how to decide

EU vs US is a per-workload decision, not a per-company flag. The four sorting questions, the political backdrop that keeps shifting the answer, and the portfolio shape most teams actually end up with.

TLDR

EU vs US is a per-workload decision, not a per-company flag. The same team usually has workloads that should run in the EU and workloads where US processing is fine, and the right answer is a portfolio. The mistake is picking one side for everything.
Four questions sort almost every workload: does sectoral law force the answer (BSI C5 healthcare, SecNumCloud, DORA, EHDS), does the workload trigger GDPR Article 22 or AI Act Annex III, how exposed are you to a DPF political event, and where are the users. Walking the four questions takes about 30 minutes per workload and gets you a defensible answer.
The political backdrop keeps shifting the answer. The General Court dismissed Latombe T-553/23 on 3 September 2025 (DPF survives), Section 702 sunsets on 20 April 2026 unless Congress reauthorises (a CJEU adequacy concern if it lapses or expands), and the EU AI Act high-risk regime takes effect on 2 August 2026. The cheapest insurance against any of those events is to keep the workload portfolio mixed and the migration path documented.
For most teams, "EU by default, US by exception" is the operational rule that works. OpenAI launched in-region GPU inference for Europe on 16 January 2026, Anthropic is reachable through AWS Bedrock in Frankfurt and Paris and Vertex in Frankfurt, Mistral runs EU-only by default. The EU side of the portfolio is wider in 2026 than it was in 2024 and the cost-and-availability gap has closed.

Three dated events in the last seven months have moved the EU-vs-US calculus for AI workloads, and the next one moves it again in nine days. On 3 September 2025 the European General Court dismissed Latombe T-553/23 and upheld the EU-US Data Privacy Framework. On 20 April 2026 Section 702 of FISA sunsets unless Congress reauthorises, and any reauthorisation that expands the surveillance scope is a CJEU adequacy concern under the same logic that took down Privacy Shield in 2020. On 2 August 2026 the EU AI Act high-risk obligations take effect, and the controllership posture for any workload that touches Annex III becomes part of the conformity assessment.

The framing this article uses is that the EU-vs-US decision in 2026 is per-workload, not per-company, and the right answer is a portfolio you can rebalance when the next political event lands. The four questions below sort almost every workload. The decision rule for each is binary in the strict cases and a tradeoff in the others.

For the underlying mechanics on transfer documentation, the article on the 2026 state of EU-US AI transfers is the long form. For the residency layer-by-layer breakdown (where in the stack residency actually applies), the article on data residency and AI walks the seven layers.

Question 1: does sectoral law force the answer?

This is the question that ends most decisions in three minutes when it applies. Several EU sectors have residency or sovereign-cloud requirements that legally remove the choice.

German healthcare. Since 1 July 2025, cloud processing of patient data has required BSI C5 Type 2 certification, with processing in Germany or another EU/EEA member state. This is the BSI Cloud Computing Compliance Criteria Catalogue, not a guideline. The certification is the legal predicate for cloud processing of healthcare data in Germany, and the C5 Type 2 audit covers operational effectiveness over a defined period.

French public sector and critical infrastructure. ANSSI's SecNumCloud certification requires data hosted in France, service administration within the EU, and the company's headquarters within the EU. The third condition is the one that excludes the US hyperscalers as a class. The headquarter test is jurisdictional, not technical, and no amount of in-region datacentre footprint solves it. SecNumCloud-certified providers in 2026 include OVHcloud, 3DS Outscale, Numspot, and the Bleu joint venture between Capgemini and Orange (commercial launch March 2026).

EU financial services under DORA. The Digital Operational Resilience Act, fully applicable since 17 January 2025, requires that critical ICT third-party providers maintain an EU establishment and that contracts specify the data-processing locations upfront. For an AI workload that supports financial services (KYC scoring, credit decisioning, market surveillance), DORA puts the processing-location commitment into the contract and into the supervisory framework.

European Health Data Space. The EHDS allows member states to mandate EU-only processing of secondary-use health data for research and innovation. Several member states have already signalled their intent to use this option, which means a single AI workload that processes EHDS-covered data can hit different residency rules in different countries.

Public-sector procurement broadly. Sovereign-cloud requirements have spread through national procurement frameworks since 2024. France, Germany, Italy, the Netherlands, and Spain have all run procurement processes in 2025-2026 that explicitly required sovereign or EU-headquartered providers for sensitive workloads.

The decision rule for Question 1: if any of the above applies to the specific workload, the answer is EU and the next three questions are about how (sovereign cloud, hyperscaler EU region with appropriate certification, or self-hosted) rather than whether. If none applies, continue to Question 2.

Question 2: does the workload trigger GDPR Article 22 or AI Act Annex III?

If Question 1 didn't end the decision, the next sort is regulatory exposure. The two anchors are GDPR Article 22 (automated decisions with legal or similarly significant effect) and the EU AI Act high-risk regime (Annex III).

GDPR Article 22 has broadened in 2025. The CJEU's 27 February 2025 judgment in C-203/22 Dun & Bradstreet Austria expanded "automated decision-making" to cover scoring activities that "decisively influence" a downstream human decision, even when a human nominally makes the call. For a recommender system or scoring model that informs a credit, employment, insurance, or housing decision, the controllership posture has to be defensible end-to-end. The data path needs to be auditable from the input through the model to the decision and back.

The EU AI Act Annex III high-risk categories include credit scoring (§5(b)), employment and worker management (§4), access to essential public and private services (§5(a)), education (§3), law enforcement (§6), and migration-and-border-control (§7), among others. Article 6 sets the classification rule: an Annex III system is high-risk by default, with a narrow Article 6(3) derogation that does not apply to systems performing profiling of natural persons. The high-risk obligations take effect 2 August 2026.

For an Article 22 or Annex III workload, the EU-vs-US decision tilts toward EU for two operational reasons. First, the technical-documentation and post-market-monitoring obligations under the AI Act are easier to satisfy when the inference path is auditable end-to-end on infrastructure you can directly inspect. Second, the FRIA carry-over under Article 27 requires a fundamental-rights impact assessment that complements any DPIA, and the assessment is operationally cleaner when the data path is shorter and the sub-processor cascade is simpler.

The cross-link to read alongside this question is the article on how AI recommender systems get sorted by stakes, which walks the three regulatory tiers in detail. The short version: if your workload sits in Tier 3 of that article (decisively influences a significant decision), the EU side of this decision is the operationally simpler answer.

The decision rule for Question 2: if the workload triggers Article 22 or Annex III, lean EU (or self-hosted in an EU region). For Tier 1 and Tier 2 workloads from the recommender stakes-tier framing, the answer continues to Question 3.

Question 3: how exposed are you to a DPF political event in 2026?

This is the question that has changed the most in the last six months and will change again in the next two.

The state of the DPF in April 2026 is: the General Court dismissed Latombe T-553/23 on 3 September 2025, holding that the safeguards under Executive Order 14086 (the bulk-collection limits, the Data Protection Review Court, the redress mechanism) ensure adequate protection for personal data transferred from the EU to certified US organisations. The two-month appeal window for Latombe to take the case to the CJEU has closed; an appeal was filed and is pending. NOYB (Max Schrems' organisation) is widely expected to bring a separate challenge. A CJEU ruling is unlikely before 2027.

Section 702 of FISA sunsets on 20 April 2026 unless Congress reauthorises. The 2024 reauthorisation under RISAA expanded the scope of FISA 702 so that, with limited exceptions, any company under US jurisdiction that offers any service and has access to equipment on which communications are stored or transit can be compelled to comply with directives. The CDT analysis at the time argued that this expansion already affects the adequacy assessment, and the European Commission's first periodic review of the DPF flagged the same concern. If Section 702 lapses on 20 April 2026, that defuses the immediate adequacy concern. If it is reauthorised in expanded form, that creates a new adequacy concern that may be folded into a future CJEU challenge. If it is reauthorised in narrowed form (a warrant requirement for US-person queries, which has previously failed by a narrow margin), the adequacy story improves.

The point of walking through the political backdrop is not to predict the outcome (that is genuinely uncertain) but to make clear that the right operational posture is to structure the workload portfolio so that the answer can change without rebuilding. Three exposure tiers:

High exposure. The workload relies on DPF certification as the sole transfer mechanism. No SCCs in place. The team did not run a TIA. If DPF is invalidated or amended, the workload's legal basis disappears overnight. The Privacy Shield invalidation in July 2020 caught a meaningful number of teams in this exact posture; the scramble to retrofit SCCs took months. The fix here is to add SCCs as a parallel transfer mechanism now, not on the day of an invalidation event. Every major US AI provider has SCCs available as part of their DPA — the work is to sign the addendum.

Medium exposure. The workload has SCCs as backup alongside DPF, and the TIA is documented. If DPF is invalidated, the team activates the SCC pathway, updates the TIA with any new supplementary technical measures the EDPB requires, and continues. The cost is real (a sprint of compliance work and possibly a vendor renegotiation) but bounded.

Low exposure. The workload runs in an EU region. DPF status does not affect it. The team's only sensitivity to a DPF event is for adjacent workloads that do depend on it.

The decision rule for Question 3: for workloads where the political-event cost would be material (significant sub-processor chain, customer data, real users dependent on the service), tilt EU. For workloads where the cost would be a sprint of paperwork in the worst case, US is fine provided the SCCs are signed and the TIA is documented now. The mistake is to be in the "high exposure" tier for any workload at all.

Section 702 sunsets on 20 April 2026. As of 11 April 2026, Congress has not voted on reauthorisation. The Brookings analysis of 27 March 2026 noted that the path is unclear, and the Trump administration's reversal in late March (after an earlier "KILL FISA" statement) makes the politics unpredictable. The three live scenarios from a DPF perspective: (a) Section 702 is reauthorised in expanded form, which creates a new CJEU adequacy concern; (b) Section 702 is reauthorised in narrowed form with warrant requirements for US-person queries, which improves the adequacy story; (c) Section 702 lapses on 20 April 2026, which is a defusing event for the immediate adequacy concern but introduces operational uncertainty for US providers' contracts. If your workload runs through a US provider in April 2026, the operational answer is to confirm SCCs are signed and the TIA is current before 20 April. The follow-up review after the vote is the next sprint task, not a "we'll handle it if it happens" item.

Question 4: where are the users and what is the cost-vs-latency math?

The fourth sort is operational rather than legal. For workloads that survive Questions 1-3 without being forced to one side, the answer is whichever side gives the users a better experience and the team a manageable cost line.

Latency. A round trip from an EU user to a US AI inference endpoint adds approximately 80-120 milliseconds compared to EU-region inference. On a 2-3 second LLM API call, that is 3-5% overhead, which is negligible for most use cases. For real-time interactive AI (voice agents, live transcription, latency-sensitive autocomplete), it is measurable and worth solving. EU-region inference is now widely available: OpenAI launched in-region GPU inference for Europe on 16 January 2026, Anthropic is reachable through AWS Bedrock in Frankfurt and Paris and through Google Vertex AI in Frankfurt, Mistral runs EU-only by default, and Google Vertex AI supports several EU regions natively.

Cost. GPU pricing on hyperscalers is broadly comparable across US and EU regions in 2026 — sometimes US regions like N. California are slightly more expensive than EU regions on the same SKUs, and EU spot pricing has dropped significantly (the AWS p5.48xlarge instance fell roughly 88% between 2024 and late 2025). The real EU constraint historically was availability — fewer GPU SKUs in EU regions, longer waits for reserved capacity, fewer availability zones. That gap has narrowed in 2025-2026 as specialist EU providers (Nebius in Finland and Paris, OVHcloud in France, DataCrunch in the Netherlands, Scaleway in France) have added capacity, and as the hyperscalers have expanded their EU footprints in response to the data sovereignty pressure documented in the Gartner late-2025 finding that 61% of Western European CIOs are now prioritising local cloud providers.

Model availability. All major frontier models are now available in EU regions in 2026. The exceptions are narrow (specific Anthropic preview models, certain model variants on Vertex global endpoints with no EU equivalent). For the standard 2026 stack (GPT-5, Claude Opus 4.5, Gemini 3, Llama 4, Mistral Medium 3.1), there is an EU path.

The decision rule for Question 4: for users primarily in the EU and any latency-sensitive use case, EU. For users primarily in the US and a use case where the EU path adds friction without value, US. For mixed user bases, route by user geography at the gateway and run inference in both regions. The cost differential is small enough that "run in both regions" is usually cheaper than "build a single architecture and accept the latency hit on one side".

The portfolio shape most teams converge on

Walking the four questions across a real product surface (not a single workload but the dozen or so AI features a typical 2026 product runs) almost always lands on a mixed portfolio. The pattern that recurs:

Sectoral or Annex III workloads (HR screening, credit scoring, healthcare, financial KYC, anything that touches Article 22) → EU, often on a sovereign cloud or self-hosted in an EU region.
Customer-facing inference for EU users (chat assistants, search, recommendations) → EU region of a major provider, with the in-region GPU path now widely available.
Internal coding assistants and development tools → US is usually fine, with the SCCs signed and the TIA current.
Batch analytics and reporting on non-personal data → US is fine and the cost-availability picture is sometimes better.
Anything that is a research-only workload on synthetic or fully aggregated data → US is fine.

The operational rule "EU by default, US by exception" is the one that works for most teams in 2026. The exceptions are documented per-workload with the four-question answers attached, and the SCCs are signed for every US workload regardless of whether DPF is currently in force. The portfolio is stable across DPF political events because the most sensitive workloads are not exposed to those events at all, and the less sensitive workloads can switch transfer mechanisms without the architecture changing.

The cheapest insurance against a 2026 DPF political event is to sign SCCs now for every US workload, even if you also rely on DPF certification. Every major US AI provider (OpenAI, Anthropic, Google, Microsoft, AWS) offers SCCs as part of the standard DPA. The cost is a contract amendment, not a re-architecture. The benefit is that if Section 702 reauthorisation expands the surveillance scope, or if the CJEU eventually accepts a future adequacy challenge, the workload's legal basis does not vanish overnight. You activate the SCC pathway, update the TIA, and continue. Teams that did this between Schrems II and the DPF in 2020-2023 avoided the worst of the post-Privacy-Shield scramble. Belt-and-suspenders is the cheap insurance.

Before the next architecture review, walk these four questions for every AI workload:

Does sectoral law force the answer? BSI C5 (German healthcare), SecNumCloud (French public sector and critical infrastructure), DORA (EU financial services), EHDS (secondary-use health data). If yes, EU.
Does the workload trigger GDPR Article 22 or AI Act Annex III? If yes, lean EU for the auditability, FRIA carry-over, and shorter sub-processor cascade.
How exposed are you to a 2026 DPF political event? Move out of "high exposure" by signing SCCs for every US workload. Move into "low exposure" for the workloads where the cost of an event would be material.
Where are the users and what is the latency math? Default to EU for EU users; US is fine for non-latency-sensitive non-personal-data workloads with users primarily in the US.

Before the next architecture review

The four questions take about 30 minutes per workload to walk and produce a defensible answer that survives a DPA inquiry. The output is a one-page register: workload name, the four answers, the resulting EU/US/sovereign decision, the transfer mechanism, the date the assessment was last reviewed. That register is the artefact a reviewer asks for first, and it is the document that lets the team rebalance the portfolio in a sprint when the next political event lands.

The 20 April 2026 Section 702 vote is in nine days as of writing. The SCC-signing work is the cheapest insurance against any of the live scenarios, and it is the work that costs nothing to do early and a lot to do late. Whatever happens with the vote, the teams that have signed SCCs and documented their TIAs across every US workload will treat it as a paperwork update. The teams that relied on DPF alone will be the ones rebuilding under deadline. The decision is per-workload, not per-company, but the SCC-signing is universal.

Sources

Continue reading

AI PrivacyMar 20, 2026

Data residency and AI: does it matter where your data is processed?

EU AI data residency in 2026: the seven layers where data lives, the CLOUD Act mechanic, the OpenAI in-region GPU launch, and when sovereignty beats residency.

11 min read

AI PrivacyApr 7, 2026

Sending data to OpenAI, Anthropic, or Google? The 2026 state of EU-US AI transfers

Section 702 sunsets April 20. The April 2026 state of EU-US AI transfers, what the DPF actually rests on, and the contract review you should do this week.

13 min read

AI PrivacyMar 1, 2026

Self-hosted LLM vs cloud API: the privacy tradeoff

A 2026 decision framework for dev teams choosing between self-hosting an open-weight LLM and calling a cloud API. Refreshed with Llama 4, the Latombe DPF challenge, and Azure / Bedrock EU data zones.

9 min read

Free tool · live

AI Data Flow Checker

Map how personal data flows through your AI integrations and spot the privacy risks before they spot you.