Why relying on jurisdiction is a mistake and is not enough
Under the GDPR, we often hear that choosing a service provider outside the “Five Eyes” countries (US, UK, Canada, Australia, New Zealand) keeps data safe. A provider inside the EU is also considered secure. But global data flows don’t stop at borders. Infrastructure like undersea cables and interlinked data centers makes jurisdiction less relevant. Simply put, choosing your provider based on location alone is inadequate. It’s like using an umbrella in a hurricane: it won’t shield you from everything. If your provider is not an EU company, it must comply with other laws, including various government and intelligence acts that override GDPR.
Is GDPR safe?
GDPR security relies on organizational measures and technical resilience—strong encryption, pseudonymisation, anonymisation and rigorous access controls—regardless of where data resides.
Surveillance doesn’t care about borders or regulations.
Intelligence-sharing isn’t confined to a single alliance. The Five Eyes alliance extends via the Fourteen and Fifteen Eyes agreements. China collaborates with SCO nations. Similar arrangements exist across Asia–Pacific, the Middle East, Africa, and Latin America, and also Europe.
Even countries thought to be safe, like Switzerland, can face pressure to hand over data. This occurs through mutual legal assistance treaties (MLATs). A case in point is ProtonMail and Private Layer in 2019 and 2020.
Under GDPR, this means that relying on “safe countries” isn’t enough. We must ensure data is guarded by design—with techniques like end-to-end encryption, data minimization, and strong pseudonymisation as core practices.
Legal Assistance Treaties vs. GDPR Control
Mutual Legal Assistance Treaties allow countries to demand data from foreign providers. The U.S. CLOUD Act and similar laws can override GDPR protections by asserting control over data, regardless of where it’s stored.
GDPR requires clear accountability—even when responding to foreign government demands. Controllers need to:
- Notify data subjects of requests, where allowed.
- Push back or escalate if requests conflict with GDPR.
- Use contractual and technical measures to limit exposure.
Commercial companies as means for surveillance
Big tech firms play an increasingly central role in government surveillance:
- Amazon, Microsoft, Palantir and others host data and collaborate with intelligence agencies. Some do so voluntarily in order to secure large government contracts for cloud, AI or services.
- Spyware vendors like NSO Group, Candiru, Hacking Team, FinFisher supply tools used by various countries.
- Telecoms integrate deep surveillance capabilities under both commercial and legal frameworks, plus undisclosed backdoors used for espionage.
From a GDPR standpoint, organizations must carefully vet their third-party vendors for surveillance risk. They should also enforce strict controls in data processing agreements.
The role of Data Brokers & Analytics Firms
Even seemingly innocuous apps sell location, browsing, and personal data to intelligence services. Data brokers like Oracle BlueKai, X‑Mode, Anomaly Six, Clearview AI, Cambridge Analytica, and others collect data from millions of users. They manage billions of endpoints and signals.
GDPR-mandated requirements—lawful bases, transparency, purpose limitation—are often ignored. Controllers must audit third-party data practices, and ensure data subjects’ rights remain enforceable throughout data flows.
Consolidation in the “Privacy” Industry
Many VPNs and privacy tools are owned by large corporations with questionable track records. Kape Technologies, Ziff Davis, and even Chinese-backed firms are acquiring services like ExpressVPN, CyberGhost, and PureVPN. These acquisitions are often made without full transparency, and the acquired services sometimes fail to honour their promise not to log access or traffic.
GDPR compliance demands:
- Full due diligence on ownership structures
- Transparent policies on who has access to data
- Independent audits proving no shared logging or cross-company access
Taking GDPR-Compliant Action
If jurisdiction isn’t a reliable pillar, what else must GDPR-focused organizations do?
- Protect by design and default: Encrypt data at rest and in transit. Use pseudonymisation and implement least-privilege access controls.
- Limit data collection and retention: GDPR requires collecting only the data strictly necessary for the purpose, and retaining it only as long as needed.
- Vet third-party risk: Conduct due diligence on all vendors (cloud, telecom, analytics, app providers, etc.), audit their GDPR practices, and include data processing clauses.
- Maintain transparency with data subjects: Provide clear privacy notices, easy control over rights (access, correction, erasure), and prompt responses to requests or complaints.
- Monitor and respond to lawful demands: Establish protocols for foreign data requests. Notify data subjects or supervisory authorities when required. Push back legally if GDPR rights are threatened.
- Independent audit and certification: Regular audits, certifications (e.g., ISO 27001, GDPR compliance seals), and documentation demonstrate real compliance—not just marketing spin.
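The first two points above, pseudonymisation and data minimisation with bounded retention, are the ones that actually hold up when a foreign demand reaches the provider: whoever obtains the stored records gets neither the raw identifiers nor the fields that were never collected. The following is an added example, not code from the original article. It pseudonymises identifiers with a keyed HMAC whose key is held apart from the data (the “additional information kept separately” that GDPR Art. 4(5) requires for pseudonymisation), strips every field not needed for the stated purpose, and drops records past the retention window. The record layout, field names, key and sample records are constructed for illustration.

```python
"""Pseudonymisation, field minimisation and retention enforcement.

Added example. Assumptions: records are plain dicts, the purpose is abuse
analytics (so only a few fields are needed), and the HMAC key lives in a
secrets store that the analytics data set never has access to.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample input: raw events as an app backend might log them.
RAW_RECORDS = [
    {"email": "alice@example.org", "ip": "203.0.113.7", "city": "Lyon",
     "precise_gps": (45.7640, 4.8357), "event": "login",
     "ts": "2024-01-05T10:00:00+00:00"},
    {"email": "Alice@Example.org", "ip": "203.0.113.9", "city": "Lyon",
     "precise_gps": (45.7641, 4.8359), "event": "purchase",
     "ts": "2024-03-01T09:30:00+00:00"},
    {"email": "bob@example.net", "ip": "198.51.100.4", "city": "Berlin",
     "precise_gps": (52.5200, 13.4050), "event": "login",
     "ts": "2023-10-01T08:00:00+00:00"},  # older than the retention window
]

# Purpose limitation: fields permitted in the analytics copy. IP and precise
# GPS are not needed for the purpose, so they never leave the raw layer.
ALLOWED_FIELDS = {"email", "event", "ts", "city"}
RETENTION = timedelta(days=90)

# Constructed key and clock so the example is deterministic; in production the
# key comes from a secrets store and is rotated, and `now` is the real clock.
EXAMPLE_KEY = b"constructed-example-key-do-not-use"
EXAMPLE_NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)


def pseudonymise(identifier: str, key: bytes, domain: str = "user") -> str:
    """Return a keyed pseudonym for an identifier.

    HMAC-SHA256 rather than a plain hash: without the key, a holder of the
    records cannot recover the identifier by hashing a dictionary of known
    e-mail addresses. The domain tag makes pseudonyms issued for different
    purposes unlinkable with each other. Normalising case keeps the pseudonym
    stable across spelling variants of the same address.
    """
    msg = f"{domain}:{identifier.strip().lower()}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def minimise(record: dict, key: bytes) -> dict:
    """Keep only the allowed fields and replace the identifier with a pseudonym."""
    kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    kept["user_pseudonym"] = pseudonymise(kept.pop("email"), key)
    return kept


def enforce_retention(records: list, now: datetime,
                      retention: timedelta = RETENTION) -> list:
    """Drop records whose timestamp is older than the retention window."""
    cutoff = now - retention
    return [r for r in records if datetime.fromisoformat(r["ts"]) >= cutoff]


def process(raw_records: list, key: bytes, now: datetime) -> list:
    """Full pipeline: minimise every record, then apply the retention policy."""
    return enforce_retention([minimise(r, key) for r in raw_records], now)


def run_example() -> list:
    """Run the pipeline over the constructed sample with the constructed key."""
    return process(RAW_RECORDS, EXAMPLE_KEY, EXAMPLE_NOW)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The two Alice records end up with the same pseudonym, so per-user analytics still work, while Bob’s record is gone because it is past the 90-day window, and no output row carries an e-mail address, IP or precise location. Rotating the key re-pseudonymises the whole set, which is a useful property when a data set must be handed over or decommissioned.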
Final Word
Relying on “jurisdictional privacy” is a myth under GDPR. Global surveillance networks are extensive, secretive, and fast-moving. Rather than betting on country borders, smart organizations focus on technical safeguards, transparency, accountability, and strong data governance.
Under GDPR, this is not optional—it’s mandatory.
Start acting now or your data will end up under unwanted eyes.
The myth of jurisdictional safety is broken!