American and Chinese internet companies in particular advertise that they use servers in Europe for their online platforms. This is intended to exude seriousness and prevent fears that data could migrate or be read by foreign intelligence services. What does the location of a server technically mean for the ability to access data?
Introduction
The informal data protection agreement between the EU and the US called Privacy Shield was always invalid. The EU subsequently established the Data Privacy Framework (DPF) with the US. Not much has changed. The rights of affected European citizens in the US remain at a low level that is unworthy of the GDPR. This is already evident from the US Presidential Order. It should also be noted that such an order can be revoked at any time, either by the current or by a future US President.
The location of a server can only be (legally) reliably determined by third parties through contractual assurances.
See Google Analytics as an example.
The intelligence service problem is just one issue. Many people seem to feel better when data is stored or otherwise (fleetingly) processed in the EU. However, this attitude is misplaced, as will be briefly outlined below.
What is a server?
A server is a computational servant. It provides a service or several services. When using services on the internet, it is necessary for the service server to be publicly accessible. This happens through the assignment of a public network address. The network address in the context of the internet is also called an IP address.
Theoretically, all the software for a service runs on a dedicated server that is physically located in Cologne, for example. In practice, the situation is often different. More on this later.
The location of a server
The location of a server is determined by one fact alone. This fact is the current physical location of a server. It is not the IP address that is assigned to it. The same IP address can be assigned to Server 4711 in Germany and Server 0815 in Texas in the next second. The owner of servers and IP addresses can change this assignment of publicly accessible network addresses to servers at any time as desired.
It is therefore not possible to determine from the outside where a server is located. The server operator must communicate and contractually guarantee the server location. With German or European providers that are small enough, it is often possible to visit the data center and inspect the server. A corresponding safeguard at software level (perhaps also with a dongle) would then possibly guarantee that the on-site server is not replaced by a server at another location by restoring a backup and redirecting the network traffic.
When trying to generate an AI image for this post, the following also came out:

The prompt for this image contained a reference to Germany, as this is my nationality and this post is written in the national language. You can see the relabeling of a larger country, towards the positive, you could say.
Data processing on a server
Let's take Google Analytics as an example of a service that is operated on a server in Ireland and offered for your website. You integrate a Google Analytics script into your website. Now the following happens with the standard use of the Google Analytics plugin:
1. Someone calls up your website.
2. Your website loads the Google Analytics script.
3. This script establishes a connection to a Google Analytics server (located in Ireland, for example).
4. The Google Analytics server in Ireland sends back the code to your server where your website (also a service!) is hosted, so that your website can track its users (this is called tracking).
5. The visitor to your website (see step 1) clicks and scrolls on your website and possibly makes entries in a form.
6. The program received in step 4 now sends tracking events about the visitor to your website to the Google Analytics server located in Ireland. The visitor's IP address is always automatically transmitted to the Google server. The address cannot be shortened here.
7. The Google server in Ireland processes these tracking events.
That sounds halfway good, although the legal basis for points 6 and 7 must also be clarified here. The only remaining legal basis is consent (or a contract). For the sake of clarity, we leave further justification and the cookie issue aside here. There are numerous articles on Dr. GDPR about this.
Detailed view for Google Analytics
It's not as simple as that for Google Analytics and many other services, however. For point 3, for example, a routing service must first determine which server gets to respond to your website, because the plugin address is google-analytics.com. This address can be directed to any server worldwide (or even in the universe) at any given time, and can be redirected anew every second as needed.
Other servers may therefore be involved until the server that provides the Google Analytics services for your website is found. Personal data is also exchanged in the process (such as the IP address or browser fingerprint).
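The request flow from the steps listed above, and the changing server assignment just described, can be checked from the visitor's side with a browser network export (HAR file). The following is an added example, not part of the original article; the site name example.org, the sample capture and the function names are constructed for illustration, and the first-party check is a simplification that does not use a public suffix list.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed HAR 1.2 excerpt (not a real capture): one visit to example.org,
# which embeds an analytics script. IP addresses are documentation ranges.
GA = "https://www.google-analytics.com"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.example.org/"},
     "serverIPAddress": "192.0.2.10"},
    {"request": {"url": "https://www.example.org/style.css"},
     "serverIPAddress": "192.0.2.10"},
    {"request": {"url": GA + "/analytics.js"},
     "serverIPAddress": "198.51.100.7"},
    {"request": {"url": GA + "/collect?v=1&tid=UA-XXXXX-Y&cid=555&t=event"
                              "&dl=https%3A%2F%2Fwww.example.org%2F"},
     "serverIPAddress": "203.0.113.44"},
]}})


def is_first_party(host, site_domain):
    """Simplification: same host or a subdomain of the site's own domain."""
    return host == site_domain or host.endswith("." + site_domain)


def third_party_recipients(har_text, site_domain):
    """Map each third-party host to request count, parameter names and IPs.

    Every host listed received the visitor's IP address, because the
    browser connected to it directly.
    """
    report = defaultdict(lambda: {"requests": 0, "params": set(), "ips": set()})
    for entry in json.loads(har_text)["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        host = (url.hostname or "").lower()
        if not host or is_first_party(host, site_domain):
            continue
        item = report[host]
        item["requests"] += 1
        item["params"].update(k for k, _ in parse_qsl(url.query, True))
        # Optional HAR field: the address that answered at capture time.
        # More than one value per host shows the assignment is not fixed,
        # and none of them says where the data is processed afterwards.
        if entry.get("serverIPAddress"):
            item["ips"].add(entry["serverIPAddress"])
    return dict(report)


if __name__ == "__main__":
    for host, item in third_party_recipients(SAMPLE_HAR, "example.org").items():
        print(host, item["requests"], sorted(item["params"]), sorted(item["ips"]))
```

The resulting list of hosts is a starting inventory of data recipients for the controller; it covers only what the browser contacts directly, not what those servers forward afterwards.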
At point 7 mentioned above, the service server processes your website's request. In this example, it saves a Google Analytics tracking event. Google itself admits that all analysis data from Google Analytics is always processed in the USA. So further servers, which this time are obviously located neither in Ireland nor in Europe, are involved in processing data for your website.
The Google servers in the USA can forward the data to any other server. The data can also be forwarded to any of Google's processors. For Google Analytics, these processors are located in countries such as
- Philippines,
- India,
- Argentina,
- Singapore,
- USA,
- Australia,
- Brazil,
- Canada,
- Colombia,
- United Arab Emirates,
- Israel,
- Kenya,
- and other countries.
Data is potentially sent to all of these countries if your website is assigned a Google Analytics server in Ireland as a service provider server. Google does not explain which processor processes which data, how and for how long, or does so only very vaguely. The accountability obligation of controllers like you (if you use Google services towards others) is therefore unlikely to be fulfilled.
Whether processors and sub-processors receive personal data and process it in accordance with the GDPR must be checked by the controller in each case from a legal perspective and ideally also on site.
On-site inspection at processors is an additional safeguard that can increase legal certainty, and an obligation to carry it out can be derived from Article 28 GDPR.
For each item from the list shown above, a check must be performed as to whether data protection regulations are being met. The same applies to every commissioned processor, regardless of the country in which they operate. This only applies to personal data, but it appears that Google Analytics always contains this type of data. For example, Google can determine who exactly you are (name and address!) using your Gmail address or your Google Maps usage (favourites?) and link these details with your current IP address. Every data value that comes into contact with personal data automatically becomes a personal data value as well. See for example Cookies and IP-Addresses.
If a website operator later wants to view or analyze the stored data (e.g. with Google Analytics), the storage locations of the data are relevant. In technically distributed applications, these are often geographically distributed as well. One Irish server as data recipient suddenly turns into servers all over the world receiving data. Whether the data is stored or not is irrelevant to the concept of data processing (see Art. 4 No. 2 GDPR). Even a fleeting recording of data in working memory for a very short time can be a problem, as even the previously quite liberal Irish Data Protection Authority found out in the WhatsApp case.
Access to a server
Everyone has known about the concept of working from home since the coronavirus pandemic. Some people also call this form of work remote working. Miraculously, you can dial into a company network via the Internet.
The same is possible on a server, as every operator of a website or user of a cloud service knows. All that is needed is to open a secured connection, and access to the server is possible. The server location is completely irrelevant here. Obviously, anyone who has the login data for a server can log into it from anywhere in the world. Free e-mail providers and paid online mail programs are also examples of remote access where the server location is completely irrelevant.
With protocols like FTP and SCP, data can be retrieved from a server or transferred to it. In this way, services can be modified or the data they have collected can be extracted.
With SSH access, any commands can be sent to a server, depending on permissions. SSH stands for Secure Shell. With SSH access to a server, the user works in a virtual terminal. Whether the terminal is physically located where the user is or not evidently does not matter.
Access to a server is potentially possible from any location in the world. National laws also allow secret services to access servers in Europe.
The legal situation must be examined for each nation.
The only really relevant difference between remote access and the presence of the user at the server location concerns the possibility of changing the server hardware. This is often necessary, for example, when defective or outdated hardware needs to be replaced with new parts.
Conclusion
The location of a server says nothing about the countries in which the data that is sent to the server is actually processed. The server location cannot usually be reliably determined and must be contractually guaranteed. The servers that provide popular services often change constantly.
Only the service provider, such as Google in the case of Google Analytics, knows where a server sends the data it receives. Similarly, only the service provider knows who the data recipients are.
Due to legislation in third countries, secret services or other national authorities can gain access to any server worldwide. With remote access, any server can be accessed, no matter where it is physically located.
The controller must ensure that all data recipients comply with the GDPR and that all countries of data recipients have a level of protection appropriate to the GDPR.
Key messages
The physical location of a server can't be reliably determined from the outside. You have to trust the server operator's word and contractual guarantees.
Using Google Analytics can lead to your website data being processed in many different countries, including the USA, even if your website is hosted in Europe.
Using Google Analytics can lead to your website data, including personal information, being sent to various countries and processed in ways that may not be transparent or compliant with data protection regulations.
The location of a server doesn't determine where your data is processed.





My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
