Why Server Location Still Matters

There is a persistent myth in the hosting industry that infrastructure is infrastructure — that a server in Frankfurt is functionally identical to one in Virginia, apart from latency. This was never really true, but it has become dramatically less true over the past decade as digital surveillance law has expanded on both sides of the Atlantic.

Where your server physically sits determines which courts can compel access to it, which data protection authorities supervise the hosting provider, which legal standards govern law enforcement requests, and what rights you have when something goes wrong. These are not abstract considerations. They affect real-world outcomes for businesses, journalists, medical practices, legal firms, and anyone else who processes sensitive personal data on behalf of others.

The argument that "encryption makes location irrelevant" is partly true but dangerously incomplete. Encryption protects data in transit and, if implemented correctly, at rest. But it does not protect against a hosting provider being compelled to install monitoring software, retain metadata, or hand over configuration and access logs. It does not prevent lawful interception orders in jurisdictions with broad surveillance powers. And it provides zero protection if the encryption keys are held by the provider rather than the user.

Server location, combined with the legal entity operating the infrastructure and the jurisdiction in which that entity is incorporated, determines the rules of the game. Understanding those rules is the first step to making a genuinely private hosting decision.

The US CLOUD Act Problem

The Clarifying Lawful Overseas Use of Data Act — the CLOUD Act — was signed into US law in 2018. Its implications are still not widely understood outside of legal and privacy circles, and hosting providers with US corporate parents have little incentive to explain them clearly.

The CLOUD Act allows US federal authorities to compel American companies to produce data stored anywhere in the world — including on servers physically located in the European Union. The key phrase is "under its control." If a US-incorporated company or its US subsidiary controls data on EU servers, that data can be reached by a US court order served on the American entity. The physical location of the server is irrelevant to this analysis.

Concretely: AWS, Google Cloud, and Microsoft Azure are all US companies. Their European regions — AWS Frankfurt, Google Cloud Netherlands, Azure Germany West Central — are operated by US corporate entities or their subsidiaries. A valid US federal court order or national security letter served on the American parent can reach data in those European data centres. The EU customer whose data sits in that Frankfurt rack may never be notified. The German data protection authority has no role in the process.

This is not a hypothetical. US authorities have used CLOUD Act orders to obtain data from EU-located servers operated by US companies. In several documented cases, EU courts subsequently found that EU law had been violated — but the data had already been produced and the harm was irreversible.

The CLOUD Act applies to the company, not the server. Data hosted on EU infrastructure operated by a US-incorporated company or its subsidiary remains reachable by US law enforcement without involving EU courts, EU data protection authorities, or the data subject.

The Schrems II ruling by the Court of Justice of the European Union (2020) reinforced this understanding by striking down the EU-US Privacy Shield framework precisely because US surveillance law — including FISA section 702 and Executive Order 12333 — was incompatible with EU fundamental rights. The EU-US Data Privacy Framework adopted in 2023 provides some improvement for commercial data transfers but does not resolve the CLOUD Act problem for sensitive personal data, and legal challenges to the new framework are already underway.

The practical implication is straightforward: if your VPS is operated by a US company, or a subsidiary of a US company, you do not have the legal protections that the GDPR promises — regardless of which physical data centre the server sits in.

The EU Data Protection Framework

Within the European Union, the General Data Protection Regulation provides a comprehensive legal framework that genuinely limits what can be done with personal data — including by law enforcement. Understanding this framework helps clarify what EU VPS hosting actually delivers, and why it matters for privacy.

The GDPR establishes several core principles relevant to hosting. Data minimisation requires that only data necessary for the specified purpose is collected and retained. Storage limitation means data cannot be kept indefinitely without justification. Purpose limitation prevents data collected for one reason from being used for another. And the right to erasure — Article 17 — gives individuals the right to have their data deleted, a right that EU-incorporated hosting providers must respect.

Enforcement of the GDPR is carried out by national Data Protection Authorities in each member state. These authorities have real enforcement powers: the ability to issue binding orders, conduct audits, and impose fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. Since the GDPR came into force in 2018, DPAs across the EU have issued over EUR 4 billion in fines, demonstrating that enforcement is not merely theoretical.

Alongside the GDPR, several EU member states maintain additional national data protection frameworks. Austria's Datenschutzgesetz (DSG) and Germany's Bundesdatenschutzgesetz (BDSG) both supplement the GDPR with national provisions, in some cases providing stricter protections than the regulation itself. Any hosting provider operating under these national frameworks is subject to this additional layer of oversight.

Law enforcement access to data held by EU-incorporated hosting providers must follow EU and member-state law: judicial authorisation, proportionality requirements, rights of notification where permitted, and meaningful oversight. This is categorically different from the CLOUD Act framework, where national security requests can be issued without judicial authorisation and often include gag orders preventing the provider from notifying anyone.

Germany and Austria as Top Privacy Jurisdictions

Not all EU member states are equal when it comes to data protection in practice. Germany and Austria consistently rank among the strongest privacy jurisdictions in the EU — both in terms of legal framework and enforcement culture.

Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) is one of the most active supervisory authorities in the EU. Germany has a long constitutional tradition of protecting informational self-determination, rooted in a 1983 Federal Constitutional Court ruling that established the right to informational self-determination as a fundamental right. German courts have repeatedly applied this tradition to block data collection and processing practices that would be tolerated in other jurisdictions.

German data protection law also imposes strict requirements on telecommunications providers and hosting companies with respect to law enforcement access. The Telekommunikationsgesetz (TKG) and its successor, the Telekommunikationsmodernisierungsgesetz, regulate lawful interception and data retention with detailed procedural requirements, including independent judicial oversight for most categories of requests.

Austria has a similarly strong tradition. The Österreichische Datenschutzbehörde (DSB) is notable for having originated the Schrems complaints that ultimately led to both the Schrems I and Schrems II judgments invalidating successive EU-US data transfer frameworks. Austrian privacy law, through the Datenschutzgesetz, provides robust protections and the DSB has shown a willingness to pursue enforcement actions against major technology companies.

For businesses and individuals choosing EU VPS hosting, Germany and Austria represent the gold standard: strong constitutional foundations, active supervisory authorities, detailed procedural requirements for law enforcement access, and a judicial culture that takes data protection rights seriously.

What to Look for in EU VPS Hosting

Understanding the legal landscape makes it possible to ask the right questions when evaluating a VPS provider. "EU-based" and "GDPR compliant" are marketing terms that require interrogation. Here are the factors that actually determine whether a VPS is genuinely private under EU law.

Physical data centre location. The servers must be physically located in EU member states. This sounds obvious, but some providers use "EU" loosely to mean traffic is routed through EU points of presence while actual storage occurs elsewhere. Verify the specific data centre locations, not just the region label.

Legal entity and corporate structure. The company that operates the VPS infrastructure — not just the company you pay — must be incorporated in the EU with no US parent company. A US holding company with an EU operating subsidiary creates CLOUD Act exposure. Look for independent European companies with EU-only corporate structures.

Data Processing Agreement. Any hosting provider handling personal data on your behalf must sign a GDPR Article 28 Data Processing Agreement. This document specifies what data is processed, for what purpose, with what security measures, and on what legal basis. A provider that cannot or will not sign a DPA is not a serious option for GDPR-sensitive workloads.

Transparency about law enforcement requests. Serious privacy-oriented providers publish transparency reports or policies explaining how they handle law enforcement requests. The absence of any such policy is a warning sign.

Network and infrastructure independence. Some EU providers use transit providers or CDN services with US connections, which can create metadata exposure even if the origin server is EU-only. Providers with independent European network infrastructure and peering arrangements reduce this surface area.

AMD EPYC VPS in Europe: Privacy Meets Performance

Privacy and performance are sometimes presented as a trade-off. In the current European VPS market, this framing is outdated. AMD's EPYC processor architecture, now widely deployed in European data centres, delivers server-grade performance with hardware-level security features that complement software-level privacy measures.

AMD EPYC processors include Secure Encrypted Virtualisation (SEV), which encrypts the memory of individual virtual machines with unique keys. This means that even the hypervisor — the software layer that manages multiple VMs on shared hardware — cannot read the memory contents of a running VM. For multi-tenant VPS environments, this is a meaningful security improvement over unencrypted shared infrastructure.
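SEV is only a protection if the provider has actually enabled it for your VM, so a tenant should verify from inside the guest rather than trust the spec sheet. The script below is an added example, not code from the original article or from any provider's tooling: it classifies the Linux kernel's memory-encryption boot message (assumed to contain "Memory Encryption Features active:", the format the kernel prints) from a constructed dmesg sample, and the helper names sev_level, sev_attestable and sev_verdict are hypothetical. It also records the caveat that plain SEV encrypts RAM only; SEV-ES additionally protects register state, and only SEV-SNP adds integrity and a hardware attestation report.

```shell
#!/bin/sh
# Added example, not from the original article or any provider's tooling.
# Classifies a guest's AMD memory-encryption level from the Linux boot log.
# Assumption: the kernel prints a line containing "Memory Encryption Features
# active:" followed by the active features (e.g. "AMD SEV SEV-ES SEV-SNP");
# older kernels print "AMD Memory Encryption Features active: SEV".

# Constructed dmesg excerpt standing in for a live `dmesg` on an SEV-ES guest.
SAMPLE_DMESG='[    0.000000] Linux version 6.1.0 (constructed sample)
[    0.010000] Memory Encryption Features active: AMD SEV SEV-ES
[    0.020000] Booting paravirtualized kernel on KVM'

# Read boot-log text on stdin and print the strongest level found:
# sev-snp | sev-es | sev | none.   Live use:  dmesg | sev_level
sev_level() {
  line=$(grep -i 'Memory Encryption Features active' | tail -n 1)
  case "$line" in
    *SEV-SNP*) echo sev-snp ;;  # confidentiality + integrity + attestation report
    *SEV-ES*)  echo sev-es ;;   # register state also encrypted at VM exit
    *SEV*)     echo sev ;;      # RAM encrypted; registers visible to hypervisor on exit
    *)         echo none ;;     # hypervisor can read guest RAM
  esac
}

# Succeeds only for the level that yields a hardware attestation report a
# tenant can verify independently; /dev/sev-guest is the SNP guest device.
sev_attestable() {
  [ "$1" = sev-snp ]
}

# Human-readable verdict for a level returned by sev_level.
sev_verdict() {
  level=$1
  if sev_attestable "$level"; then
    echo "$level: memory encrypted and integrity-protected; request a report via /dev/sev-guest"
  elif [ "$level" = none ]; then
    echo "none: no memory encryption, the hypervisor can read this VM's RAM"
  else
    echo "$level: memory encrypted, but no integrity protection or remote attestation"
  fi
}

# Run against the constructed sample (replace with `dmesg | sev_level` on a live VM).
level=$(printf '%s\n' "$SAMPLE_DMESG" | sev_level)
sev_verdict "$level"
```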

EPYC's high core counts and memory bandwidth also make it well-suited for privacy-intensive workloads: running your own email server, self-hosted collaboration tools, encrypted file storage, or any application where you need to process significant data volumes without relying on third-party cloud services. The performance headroom means you can afford to run encryption overhead without compromising user experience.

Providers offering EU-based EPYC VPS infrastructure combine these hardware security features with the legal protections of EU jurisdiction — a combination that addresses both the technical and legal dimensions of data protection. When evaluating European VPS providers, the hardware generation matters: EPYC-based infrastructure represents the current performance and security standard for privacy-conscious deployments.

The combination of NVMe storage, high memory bandwidth, and hardware-level VM isolation available on modern EPYC platforms means that running a fully self-hosted stack — mail, calendar, contacts, file sync, and communication — on a single Evolushost European VPS is not only legally sound but also technically practical. This is the infrastructure model that genuine privacy requires: EU law, EU hardware, EU corporate entity, with performance sufficient to run real workloads.

Hardware security and legal jurisdiction are complementary, not alternatives. AMD EPYC SEV protects your VM's memory from the hypervisor. EU jurisdiction protects your data from foreign law enforcement. You need both.

Conclusion: How enemail and Evolushost Solve This

The problem with privacy in 2025 is not that the solutions are technically difficult. It is that the incentives push toward convenient fictions: cloud providers claiming GDPR compliance while operating under US law, hosting companies advertising "EU servers" while being incorporated in Delaware, email services promising privacy while running on infrastructure reachable by the NSA.

The solution is straightforward once you understand the actual requirements: European infrastructure, European legal entity, no US corporate parent, genuine encryption, and transparent policies. These requirements are achievable. They are simply inconvenient for large US-centric cloud providers, which is why they are rarely the default.

enemail was built on exactly these requirements. Our email infrastructure runs on EU-only servers operated by European companies, with no exposure to US corporate law or CLOUD Act jurisdiction. Zero-knowledge encryption means that even the most legitimate court order produces only ciphertext — the keys exist only on user devices. EU data protection law governs every aspect of how we handle user data, with the BfDI and Austrian DSB as the relevant supervisory authorities.

The underlying infrastructure that makes this possible comes from providers like Evolushost, an Austrian hosting company with EU-only data centres and no US corporate exposure. Their infrastructure is the foundation on which genuinely private European services can be built — because the legal and technical guarantees start at the hardware and infrastructure level and flow upward through every layer of the stack.

For individuals and businesses who take privacy seriously, the checklist is short but non-negotiable: EU data centres, EU legal entity, no US parent, signed DPA, encryption at rest and in transit, transparent law enforcement policies. EU VPS hosting from a provider that meets all of these criteria is not a premium feature — it is the baseline for responsible handling of sensitive personal data in 2025. Everything else is marketing.