by bitmuncher
1558 days ago
As a CISO from Germany I can tell you the problems we have if we want to use US-based services. As soon as we want to transfer PII to such services we have to write down a full Data Protection Impact Assessment for our legal regulators. Since the USA isn't a "safe destination country" under EU laws (especially the EU GDPR), we have to ensure that the data is transferred and stored encrypted by the services. In addition we need a written(!) Data Processing Agreement that ensures the services are not transferring any data to third parties, including intelligence agencies, and that all data is only processed within the limitations of the GDPR. This contract also must ensure that the provider informs us if any intelligence agency asks for our data. So, it's a lot of paperwork and bureaucracy to handle. And finally we need an entry in our data processing index that defines a security contact at the service provider together with details about the kind of data we transfer to the service.
However, it doesn't make any difference if your servers are located in the EU or in the US, at least from the legal perspective. If we transfer data to US-based companies we have to do all that. But it makes European companies feel better if the servers at least can't be seized by U.S. intelligence agencies. ;)
But... we'll get better latency if the servers are located in the EU. And as far as I know GCP also offers data centers in the EU.