Own Your Own Data — Why We Build Without Big Tech in the Foundation
Some of you may remember Brittany Kaiser — the whistleblower from Cambridge Analytica. She watched elections in the US and other countries get decided using private citizens' data, misused without their knowledge. It ended in major lawsuits and a Netflix documentary, The Great Hack, still worth watching if you want to understand what's actually at stake.
The story is over seven years old now. But the underlying point has only grown more important, not less: who owns your data, and where does it actually live while it's being used?
The rule on paper vs. the reality in the infrastructure
Most people know by now that personal data has to be hosted in the EU. It's in GDPR, and most vendors will happily show off a nice "EU region" badge on their server footprint.
The problem is that a server physically located in Frankfurt or Dublin doesn't automatically mean the data is beyond the reach of US authorities. The US CLOUD Act gives US authorities the right to demand data from US companies — regardless of where on the planet they've physically stored it. An "EU region" hosted by an American cloud giant is still governed by US law, because the law reaches the company, not the server.
That's exactly the conflict that led the EU Court of Justice to strike down the Privacy Shield agreement in 2020 (the Schrems II ruling), and it's what keeps the debate alive over whether the current EU-US Data Privacy Framework actually solves the problem. Many legal experts still expect a "Schrems III" case.
The EU has drawn the consequences itself
This isn't just a theoretical discussion for compliance nerds anymore. The European Commission put real action behind the words in 2026:
- In April 2026, the Commission awarded a cloud contract to four European providers for the first time ever — worth up to €180 million over six years — where sourcing was explicitly evaluated on sovereignty criteria, not just price and features.
- In May 2026, the Commission started considering direct restrictions on the use of American cloud platforms for sensitive public-sector data — particularly financial, judicial, and health data.
- Public tenders across the EU increasingly require "not subject to third-country law with extraterritorial reach" — an explicit no to American (and other non-European) tech giants' infrastructure, no matter where the server physically sits.
- Initiatives like Gaia-X are working on shared European standards for transparent, sovereign cloud infrastructure, so businesses and public bodies don't have to choose between capability and independence.
In other words: what we've been prioritising at broberg.ai for a while is now the direction the entire EU is moving in.
Why this matters to you — as a citizen, consumer, and decision-maker
You don't need to build software for this to affect you. It affects anyone using a website, a public self-service portal, an app from their municipality, or any service that asks for their data.
The question isn't just "is it GDPR-compliant on paper," but: if the underlying infrastructure is owned by a foreign tech giant, who actually has control of, and access to, your data, regardless of what the contract says? That's exactly the question municipal decision-makers should keep in mind when tomorrow's digital solutions get built and put out to tender.
How we've built broberg.ai
That question is one of the most important reasons we designed and built the entire broberg.ai universe the way we did.
Every building block in the foundation — the engine, the knowledge layer, the orchestration, the monitoring — is built entirely from scratch, by Danish IT architects and developers working alongside modern AI agents. Not a single line of code in that foundation depends on a tech giant's cloud infrastructure. And the whole stack is simultaneously 100% open source — transparency you can actually verify, not just a promise on a website.
We've already written about one concrete layer of this: how we route AI calls by task, not by habit, so that anything touching personal data automatically goes to a model hosted in the EU. But that's just one layer. The deeper point is that the entire foundation underneath it — hosting, engine, building blocks — was never dependent on an American tech giant to begin with.
It's not something we check off afterwards. It's the architecture we started with.
The hosting itself runs on our own European infrastructure — Stockholm, not Silicon Valley. And the engine that drives every single site in the universe — the CMS — is built on the exact same principle.
Source: the Netflix documentary The Great Hack about the Cambridge Analytica case.