Position Paper • Security & Data Privacy
Claude in Europe: An Honest Position on Security and Sovereignty
28 April 2026
For the past year, when clients ask us which generative AI tool they should deploy, we have led with Microsoft Copilot. The reasons are practical. Copilot is wrapped inside Microsoft 365, the contracts are already signed, the EU Data Boundary commitments are documented, and the procurement path is short. For most Belgian mid-market firms, that combination is hard to beat.
Recently, more of those same clients have started asking about Claude. Anthropic's models have moved quickly into the same conversations as ChatGPT and Gemini, and the question we hear most often is some version of, "Is it safe to use? Our data leaves the EU, doesn't it?"
We owe our clients a clear answer. So here it is.
The concern is real, and it is specific
Yes, when you use Claude through Anthropic's first-party product, your prompts are processed on infrastructure operated by a US company. That is also true of OpenAI, Google, and Microsoft. None of them are European companies, and the geography of where data sits is only one part of the picture.
The deeper issue is legal sovereignty, and two pieces of US law sit at the centre of the EU debate.
The first is the CLOUD Act of 2018, which clarifies that US-based providers can be compelled to disclose data in their possession or control regardless of where that data is physically stored. Frankfurt, Paris, Dublin: it does not matter. If the entity holding the data is American, US authorities have a legal lever.
The second is Section 702 of the Foreign Intelligence Surveillance Act. It authorises US authorities to conduct surveillance on non-US persons located outside the United States, with the cooperation of American tech and communications providers. This is what makes intelligence overreach a real concern, not a hypothetical one. It is also the reason the Court of Justice of the European Union struck down the previous EU-US data agreement in 2020, in the landmark Schrems II case brought by Austrian lawyer Max Schrems.
The current legal bridge is the EU-US Data Privacy Framework, adopted by the European Commission in July 2023. It restores a legal basis for transfers, but it is already under challenge. Schrems and his team argue that US surveillance law has not changed enough to satisfy the Court. A 'Schrems III' ruling is widely expected within the next two to three years.
That said, the good news is that the EU framework is working as intended. The French Conseil d'État has repeatedly ruled on the Health Data Hub being hosted on Microsoft Azure, most recently in March 2026, accepting EU-region hosting and pseudonymisation as sufficient safeguards. In the Netherlands, the government has been reviewing Microsoft 365 services since 2019, and its verdict on Copilot moved from red in 2024 to orange in 2025 after Microsoft introduced a series of improvements. Regulators raise concerns, vendors adjust, and standards rise.
So when a client says, "I'm not sure I'm comfortable putting our data in a US system," they are right to ask the question. They are reading the legal landscape correctly. And it is precisely that landscape that has shaped our recommendation. Microsoft Copilot has consistently been our default, and we are comfortable continuing to recommend it. Not because the sovereignty question is settled, but because Copilot has been evolving openly under European scrutiny, with documented improvements, and that is more reassurance than most other tools can offer.
But the real risk is different
The honest follow-up is this: what does this actually mean in practice for a Belgian accounting firm with sixty employees, or a mid-sized manufacturer in West Flanders?
In practice, the realistic risks are not the ones that dominate the headlines. The chance that a US intelligence agency is reading prompts about Q3 VAT reconciliation or supplier emails about a delayed shipment is, for almost every SME we work with, vanishingly small. Section 702 is a foreign intelligence tool, not a commercial surveillance regime. It is real, and it should inform decisions at ministries, defence suppliers, and critical infrastructure operators. For most of our client base, it is not the operative threat.
The risks that actually matter, day to day, are far more mundane and far more frequent. A bookkeeper pastes a client's full salary file into a free consumer chatbot. A consultant uploads a confidential M&A memo to a tool with no Data Processing Agreement in place. A team uses a personal account where their inputs may be retained or used to improve future models. There is no audit trail for which prompts contained regulated data. When a client asks, "Has any of our information been used to train these models?", nobody in the organisation can answer with confidence.
These are the breaches that actually happen. None of them require a FISA warrant.
This is where we think the SME conversation has been distorted. The geopolitical question is interesting, and at scale it is genuinely important. But for most firms, treating it as the primary issue lets the everyday governance problems slip through unaddressed.
Where Claude actually stands
Looking at Anthropic's published security posture, a few things are worth knowing before forming a view.
Anthropic holds SOC 2 Type II and ISO 27001 certifications, and publishes a Data Processing Addendum compliant with GDPR Article 28. On the API and on enterprise tiers, inputs and outputs are not used to train models, and zero data retention is available on request for qualifying customers, meaning prompt and completion data is not stored beyond the immediate processing window.
The picture is materially different on the consumer side. In September 2025, Anthropic introduced a new consent flow on the free, Pro, and Max tiers with a pre-toggled setting that opted users into having their conversations used to train future models, with retention extended to up to five years. The interface was widely criticised as a dark pattern under EDPB guidance, and although no EU regulator has taken formal action as of April 2026, the controversy is unresolved. The practical implication for our clients is straightforward: consumer-tier Claude is not a serious option for any business workload involving personal or confidential data, and we treat it accordingly.
Critically for European deployments, Claude is available not only through Anthropic directly but also through Amazon Bedrock and Google Vertex AI. On Bedrock, Claude can be invoked from European regions (Frankfurt, Paris, Ireland), with the request handled within that region's infrastructure. On Vertex AI, Claude is available in europe-west1, which is hosted in Belgium. Neither path eliminates the CLOUD Act question, because AWS and Google are themselves US companies, but both materially change the data residency picture and align the deployment with the same architecture most of our clients already use for the rest of their cloud workloads. We note, in passing, that Anthropic's own first-party platforms (Claude.ai Enterprise and the newer Cowork product) currently route inference through US infrastructure without an EU-region option, which is why for serious EU enterprise work we recommend the hyperscaler route rather than going direct.
In our reading, Bedrock-hosted Claude in an EU region is broadly comparable to what Microsoft offers for Copilot through the EU Data Boundary commitment, where customer data is processed and stored within the EU under documented terms. Both are US-headquartered providers offering EU-region processing under contract. Neither makes the underlying sovereignty question disappear.
What this means for our recommendations
We do not see this as a binary choice between Claude and Copilot, and we caution clients against framing it that way. The right starting point is not the tool. It is the data.
A practical model we use with clients distinguishes three tiers.
For public or non-sensitive data such as marketing copy, public RFPs, generic research, and internal brainstorming, the tool choice is largely a productivity question. Claude, Copilot, and equivalents are all defensible. Pick the one that fits the workflow.
For confidential business data such as internal financials, client work product, contracts, and operational data, what matters is contractual and architectural posture: a signed DPA, no training on inputs, audit logging, SSO, retention controls, and a deployment in an EU region. Both Claude (via Bedrock or its enterprise tier) and Copilot meet this bar when configured properly. The decision then becomes practical: existing Microsoft footprint, integration needs, and model performance for the specific tasks.
For regulated or sovereign-grade data such as health records covered by health-data-hosting rules, defence-related material, and certain categories of personal data under sectoral regulation, the calculus changes. Here the CLOUD Act exposure is no longer hypothetical, and the answer is often an EU-sovereign deployment, an EU-headquartered model such as Mistral, or simply not putting that data into a generative AI workflow at all.
The mistake we see most often is applying the third tier's standard to all three tiers. That leads either to paralysis or, more commonly, to the policy being ignored entirely while employees use whatever tool is convenient.
Where we land
We are continuing to recommend Microsoft Copilot as the default starting point for most of our clients, because the procurement, integration, and governance lift is the lowest. That has not changed.
For clients where Claude's model performance, specific capabilities, or workflow fit make a difference, particularly in document analysis, structured reasoning, and certain coding workloads, we are now comfortable recommending Claude through Amazon Bedrock in an EU region, with a signed DPA, zero data retention configured, and the same data-tier discipline we would apply to any other tool.
What we are not comfortable doing, and what we encourage clients to avoid, is using consumer-tier Claude or Copilot accounts for anything beyond Tier 1 work. That is where the real exposure sits, and it has very little to do with US intelligence law.
The honest answer to "Is Claude safe to use in Europe?" is the same answer we would give for any cloud tool. It depends on what you are using it for, how you have configured it, and what you have written down. The legal landscape is real, and we take it seriously. We also think it deserves to be discussed in proportion to the actual risk our clients carry, not in proportion to the headlines.
If you are weighing this decision in your own organisation, we are happy to have the conversation.
Sources and further reading
Court of Justice of the European Union, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II), Case C-311/18, judgment of 16 July 2020.
European Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of personal data under the EU-US Data Privacy Framework.
Clarifying Lawful Overseas Use of Data Act (CLOUD Act), H.R. 4943, enacted March 2018.
Foreign Intelligence Surveillance Act, Section 702, 50 U.S.C. § 1881a.
European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
Conseil d'État, decision of 20 March 2026 rejecting the recourse against CNIL deliberation 2025-013 (Health Data Hub / DARWIN EU); see also the earlier decision of 19 November 2024 on the EMC2 project.
SLM Rijk and SURF, Data Protection Impact Assessment on Microsoft 365 Copilot (2025), and the prior series of DPIAs on Microsoft Teams, OneDrive, SharePoint, and on-premise Microsoft 365 Dynamics, available via slmmicrosoftrijk.nl and surf.nl.
Belgian Data Protection Authority (GBA / APD), Artificial Intelligence Systems and the GDPR: a Data Protection Perspective (2024).
Anthropic Privacy Center and Data Processing Addendum, available at privacy.claude.com.
Microsoft EU Data Boundary documentation, available at learn.microsoft.com.
noyb European Center for Digital Rights, ongoing complaints regarding the EU-US Data Privacy Framework, noyb.eu.
Disclaimer
This paper reflects Merlin Innovation's general perspective on the deployment of generative AI tools in Europe as of April 2026. It is intended as professional commentary, not as legal, regulatory, or technical advice for any specific organisation or use case. The legal landscape, vendor commitments, and product configurations referenced here are evolving, and the appropriate course of action in any given deployment will depend on the organisation's data, sector, contractual posture, and risk profile. Nothing in this paper creates an advisory or client relationship, and nothing herein constitutes a warranty as to the accuracy or completeness of third-party statements summarised. Microsoft, Copilot, Claude, Anthropic, Amazon Web Services, Google, Mistral, and other names referenced are trademarks of their respective owners; their inclusion does not imply endorsement, partnership, or affiliation. Readers weighing decisions of the kind discussed should seek advice tailored to their own circumstances.