EU legislation such as the GDPR and numerous court rulings on how to apply the laws make several things clear. Firstly, that data considered sensitive, such as personal data, cannot be stored or shared anywhere not considered legally OK, without consent. Secondly, it is not enough for the data to be physically located in an approved country. A company providing data storage must also not be headquartered in a non-approved country or be subject to the legislation of such a country. Thirdly, it needs to be clarified how some laws should be interpreted and applied.