Google Pub/Sub EU Alternative 2026: CLOUD Act 21/25, PRISM, and How to Build GDPR-Compliant Event Streaming
Post #1142 in the sota.io EU Message Broker Compliance Series
Google Pub/Sub is one of the most widely used managed message brokers in cloud-native architectures. Its simplicity, serverless scaling, and deep integration with the Google Cloud ecosystem make it a default choice for event-driven applications, data pipeline ingestion, and microservice decoupling. For EU-based organisations processing personal data, however, Pub/Sub carries one of the highest CLOUD Act exposure scores in this series.
Google LLC — the legal entity operating Pub/Sub — is incorporated in Delaware, operates under US federal jurisdiction, and is a confirmed PRISM participant and FedRAMP High contractor. Every Pub/Sub topic, every subscription, every push endpoint URL registered in your Google Cloud project is under the authority of the US Stored Communications Act and the CLOUD Act. This does not change whether your messages flow through the europe-west1 (Belgium) or europe-west3 (Frankfurt) region.
This guide explains exactly where the GDPR risks arise, which specific Pub/Sub features create the highest exposure, and which EU-native alternatives can replace Pub/Sub for compliant event streaming in 2026.
Google LLC — The Legal Entity Behind Pub/Sub
Google Pub/Sub is not operated by a European subsidiary. The legal entity is Google LLC (formerly Google Inc.), a Delaware limited liability company wholly owned by Alphabet Inc. (NASDAQ: GOOGL). Google LLC is the contracting entity for Google Cloud Platform services globally, including all EU customers.
CLOUD Act Exposure Score: 21/25
| Dimension | Score | Detail |
|---|---|---|
| US parent jurisdiction | 5/5 | Google LLC Delaware — full US federal jurisdiction |
| Government contracts | 5/5 | FedRAMP High (DoD IL2), CIA/DIA/NSA Contractor, PRISM participant |
| CLOUD Act warrant applicability | 4/5 | Cloud provider + communication service = dual CLOUD Act pathway |
| EU data residency protection | 4/5 | Regional endpoints exist but do not limit US access authority |
| Adequacy/SCCs effectiveness | 3/5 | SCCs exist but invalidated by PRISM participation under Schrems II logic |
Google's PRISM participation was disclosed in the 2013 NSA leaks. As a PRISM member, Google receives National Security Letters (NSLs) under FISA §702 without judicial review, and must respond to them without notifying the data subject or the EU data controller. This is structurally incompatible with GDPR Art.18 (right to restriction of processing) and Art.22 (protection from automated profiling decisions based on intercepted data).
What Pub/Sub Data Qualifies as Personal Data Under GDPR Art.4
GDPR Art.4(1) defines personal data as "any information relating to an identified or identifiable natural person." In Pub/Sub architectures, this is broader than most developers assume.
Message Payloads
The most obvious category. If your Pub/Sub messages contain:
- User IDs, email addresses, names, device identifiers
- Click events with session tokens
- IoT sensor readings linked to a household
- Financial transaction records
- Health events tied to a patient identifier
...then those messages are GDPR personal data. The Google Pub/Sub regional endpoint processes and delivers them, but Google LLC (Delaware) retains the authority to access them under a CLOUD Act order.
Subscription Metadata — A Hidden GDPR Risk
This is the category most architects miss. Even if your message payloads are encrypted end-to-end, the following Pub/Sub metadata is personal data under GDPR Art.4:
Push subscription endpoint URLs — if the URL includes a user ID, session token, or customer-specific path (e.g., https://api.yourapp.eu/webhooks/users/[user_id]/events), Google's Pub/Sub infrastructure must store and route to that URL. The URL itself identifies the data subject.
Subscription acknowledge deadlines and message delivery attempts — Pub/Sub retains the delivery attempt log including timestamp and subscription name. If the subscription name encodes a user context (common in multi-tenant architectures), this is personal data.
Topic IAM bindings — when topic-level IAM grants are linked to user-specific service accounts (e.g., one service account per customer for isolation), Google IAM logs record access patterns that constitute personal data under GDPR Recital 26 (singled-out individuals).
GDPR Risk: Art.5(1)(b) — Purpose Limitation. Google LLC retains the right to use metadata from your Pub/Sub infrastructure for internal purposes including abuse detection, capacity planning, and security monitoring — purposes that your DPA with Google does not fully control.
Push Subscriptions and Cross-Border Data Flows
Pub/Sub push subscriptions send HTTP POST requests to a URL you specify. If that URL is your EU-hosted application endpoint, you might assume the data stays in Europe. It does not — at least not completely.
The push delivery mechanism is coordinated by Pub/Sub's control plane. Even with a regional topic in europe-west3, the push acknowledgment logic and retry state are managed by Google LLC's global infrastructure. A CLOUD Act warrant can compel Google to disclose the complete push delivery log, including endpoint URLs, retry history, and delivery acknowledgment timestamps.
GDPR Risk: Art.44 — Transfers to Third Countries. Each push delivery from Pub/Sub's control plane involves data transfer to a US-controlled service, even when the target endpoint is in the EU.
Specific Pub/Sub Features with High GDPR Risk
Pub/Sub Lite vs Standard Pub/Sub
Google offers Pub/Sub Lite as a cheaper, zonal-scoped variant with data stored in a specific zone. Developers sometimes assume Pub/Sub Lite reduces GDPR risk because data is explicitly pinned to europe-west3-a. This assumption is incorrect.
Pub/Sub Lite is still operated by Google LLC. The zonal storage commitment is a data residency feature, not a legal jurisdiction change. Google LLC remains the data processor under US federal law regardless of where bytes are stored.
GDPR Risk: Pub/Sub Lite's data residency does not constitute adequate protection under Schrems II because the data importer (Google LLC) remains subject to FISA §702 surveillance.
Dataflow / BigQuery Integration Pipelines
Google Pub/Sub is commonly used as the source for Dataflow (Apache Beam) streaming pipelines that land data in BigQuery. In this architecture, personal data flows through:
- Pub/Sub topic (Google LLC)
- Dataflow worker (Google Cloud Compute, Google LLC)
- BigQuery table (Google LLC)
All three components are operated by Google LLC. An Art.28 DPA with Google covers this chain contractually, but a CLOUD Act warrant can compel Google to disclose data at any stage without your knowledge or the ability to notify affected users.
Schema Registry and Protobuf/Avro Schemas
Pub/Sub's schema registry stores Protobuf and Avro schema definitions in your Google Cloud project. If schemas contain field names that correspond to PII categories (e.g., patient_id, billing_address, health_condition), schema definitions themselves may constitute sensitive data under GDPR Art.9.
This is a low-probability but real risk for healthcare and fintech Pub/Sub implementations.
Dead-Letter Topics
When Pub/Sub exhausts delivery attempts for a message, it routes the message to a dead-letter topic. Dead-letter messages typically contain the full original payload plus additional metadata fields added by Pub/Sub (delivery attempt count, first delivery timestamp, subscription name).
GDPR Risk: Art.5(1)(e) — Storage Limitation. Dead-letter topics often accumulate personal data indefinitely. Under GDPR Art.17, data subjects have the right to erasure — but Pub/Sub does not provide a mechanism to delete messages from dead-letter topics selectively based on data subject identity. You must implement this erasure logic yourself, and the dead-letter message retention must be configured explicitly.
Best Practice: Set --max-delivery-attempts low (3-5) and configure dead-letter topic retention to match your legitimate interest period for debugging (typically 7 days maximum for production incidents).
Google Cloud's European Data Residency — Why It's Not Enough
Google offers Sovereign Cloud configurations in partnership with local providers:
- T-Systems (Deutsche Telekom) for Germany
- Thales for France
- S3NS for France (Thales subsidiary)
These sovereign cloud offerings are operated by European legal entities under local law, with Google LLC excluded from operational access. For organisations requiring true EU sovereignty, these offerings genuinely reduce CLOUD Act exposure — but they come with significant limitations:
What Sovereign Cloud covers:
- Data at rest in EU regions operated by EU entities
- Operational access by EU-resident staff only
- Legal jurisdiction under EU law for data access requests
What Sovereign Cloud does NOT cover:
- Standard Google Cloud Platform accounts (the default for all GCP customers)
- Pub/Sub in standard GCP regions — Pub/Sub sovereign cloud is only available through T-Systems/Thales partnerships
- Pricing — T-Systems Sovereign Cloud typically costs 30-60% more than standard GCP pricing
- Feature parity — not all Pub/Sub features are available in sovereign configurations
For most mid-market EU SaaS companies, Google Sovereign Cloud is not a realistic option. The minimum commitment, operational overhead, and cost delta make it a large-enterprise play. For the majority of developers evaluating Google Pub/Sub for a new project, the relevant entity is Google LLC Delaware.
CLOUD Act §2713 Collision with GDPR Art.28
When you sign a Google Cloud DPA (Data Processing Addendum) under GDPR Art.28, Google commits to processing personal data only on your documented instructions. CLOUD Act §2713 (18 U.S.C. §2713) requires US providers to disclose data in their "possession, custody, or control" regardless of where it is stored — including data in EU regions.
This creates a direct legal collision:
- GDPR Art.28(3)(a): Google may only process personal data on your documented instructions
- CLOUD Act §2713: Google must comply with US government orders without your knowledge or consent
Google's position in their DPA documentation is that they will notify customers of legal demands where permitted by law, and will challenge overbroad demands. This commitment does not resolve the fundamental incompatibility:
- NSL gag orders prevent Google from notifying you at all
- FISA §702 directives have no notification mechanism
- CLOUD Act warrants may include notification-prohibition clauses
The EDPB's Opinion 28/2023 on UK adequacy and its earlier Schrems II guidance both establish that SCCs cannot protect against FISA §702 access, because the data importer (Google LLC) is subject to US surveillance law that overrides contractual commitments.
GDPR Art.46 Transfer Safeguards — Effectiveness Assessment:
| Safeguard | Status for Google Pub/Sub |
|---|---|
| Standard Contractual Clauses | Signed, but ineffective for FISA §702 as per CJEU Schrems II |
| Adequacy Decision (US) | Partially restored by EU-US Data Privacy Framework (DPF) 2023, but legal challenges ongoing |
| Binding Corporate Rules | Not applicable for US government access scenarios |
| Transfer Impact Assessment | Required under EDPB Rec. 1/2020 — most assessments cannot conclude adequacy given PRISM |
EU-Native Alternatives to Google Pub/Sub
Redpanda Cloud — EU Regions, No US Parent (0/25)
Redpanda Data Inc. is a Delaware corporation, but Redpanda Cloud BYOC (Bring Your Own Cloud) allows deployment entirely within your own EU cloud account — meaning Redpanda Inc. has no access to your data. For the fully-managed tier, EU regions are available (AWS Frankfurt, GCP Frankfurt), but the data processor remains Redpanda Inc.
For maximum EU sovereignty, use Redpanda BYOC on Hetzner or OVHcloud, or self-host Redpanda on Hetzner (Kafka-compatible, Kafka API drop-in replacement).
CLOUD Act Score: 0/25 when self-hosted or BYOC on EU infrastructure. Redpanda Inc. Delaware CLOUD Act risk exists only for the managed cloud tier.
Pub/Sub Compatibility: Redpanda is Kafka-wire-protocol compatible. No code changes for Kafka producers/consumers. For Google Pub/Sub specifically, you need to adapt push-subscription semantics to Kafka consumer groups (minor architecture change).
Cost Comparison (Frankfurt region, 1 Gbps sustained throughput):
- Google Pub/Sub: ~€0.04/GB + €0.01/GB for cross-zone delivery + subscription fees ≈ €150-400/month
- Redpanda Cloud BYOC (Hetzner AX102): €99/month dedicated nodes, no per-message charges
- Self-hosted Redpanda (Hetzner CCX33): €51/month, zero message costs
Aiven for Apache Kafka — Helsinki (3/25)
Aiven Oy is headquartered in Helsinki, Finland. Finnish company, no US parent. Aiven is incorporated as a Finnish private company (osakeyhtiö), fully European ownership structure.
CLOUD Act Score: 3/25 — Aiven itself has no US parent. The 3-point deduction reflects that Aiven's managed infrastructure runs on hyperscaler VMs (AWS/GCP/Azure) as the underlying IaaS. The hyperscaler (AWS Frankfurt or GCP Frankfurt) is still subject to CLOUD Act. However, data is encrypted at rest with customer-managed keys (CMEK), and Aiven Oy — as the data processor — is not subject to CLOUD Act.
Pub/Sub Compatibility: Aiven offers Aiven for Apache Kafka with Schema Registry, Kafka Connect, and Kafka Mirror Maker 2. Full Kafka API compatibility. No Google-specific push subscription semantics — you use Kafka consumer groups instead.
Aiven for Google Pub/Sub is not a drop-in replacement. If your architecture relies heavily on Pub/Sub-specific features (fan-out subscriptions, dead-letter topics, filter syntax), you need to adapt your application code. Aiven offers a migration guide for Kafka-based alternatives.
Pricing: Aiven Kafka startup plan (Frankfurt): €112/month for 3-node cluster, 90 GB storage. Business plan: €450/month. Cheaper than Google Pub/Sub at high throughput.
Axual Platform — Amsterdam (0/25)
Axual BV is a Dutch company (Amsterdam) offering a managed Kafka platform specifically designed for regulated industries. Axual has no US parent and is entirely European. They focus on FSI (Financial Services Industry) and Telco customers in the EU.
CLOUD Act Score: 0/25 — Dutch company, European hosting (Equinix Amsterdam / Deutsche Telekom Frankfurt), no US parent, no CLOUD Act exposure.
Best For: Regulated environments (banking, insurance, healthcare) where the Axual platform's compliance certifications (ISO 27001, ISO 9001, SOC 2) are required alongside GDPR. Axual natively supports GDPR Art.17 (right to erasure) via Kafka data retention policies and record-level deletion.
Limitations: Axual is more expensive than self-hosted Kafka and targeted at enterprise customers. Pricing is typically negotiated — not self-serve.
Self-Hosted Apache Kafka on Hetzner — 0/25
For teams with Kafka expertise, self-hosting Apache Kafka on Hetzner (Germany) is the zero-cost, zero-exposure option.
Infrastructure:
# Minimum viable Kafka cluster for production (Hetzner)
- 3× Hetzner CX31 (€17.19/mo each) = €51.57/mo total
- Network: Hetzner private network (no public egress for inter-broker)
- Storage: Hetzner Volumes (€0.0476/GB/mo) for log retention
# Total: ~€70-120/month including storage
# vs Google Pub/Sub: €150-600/month at comparable throughput
GDPR Compliance:
- Data processed entirely in German data centers (Nuremberg/Falkenstein)
- Hetzner Online GmbH is a German company (Gunzenhausen, Bavaria) — 0/25 CLOUD Act
- No sub-processor in the Kafka path (you manage the infrastructure)
- Full control over GDPR Art.30 Record of Processing Activities — no Google DPA needed
Migration from Google Pub/Sub to Kafka:
The main conceptual differences:
| Google Pub/Sub | Apache Kafka |
|---|---|
| Topics → Subscriptions (fan-out) | Topics → Consumer Groups (pull semantics) |
| Push subscriptions (HTTP POST) | Kafka Streams / Connect (pull-based) |
| Dead-letter topics (automatic) | Kafka error topic (manual DLQ config) |
| Filter expressions | Kafka Streams filtering |
| Message ordering (per key) | Partition ordering (explicit key routing) |
| Ack-based delivery | Offset commit (consumer-side) |
For push subscription semantics specifically, you can replicate them with a Kafka consumer that reads from topics and makes HTTP POST calls to your endpoint. Libraries like kafka-webhook-bridge or custom Kafka consumer deployments handle this pattern.
LavinMQ — 84codes Open Source (0/25)
LavinMQ is an open-source message broker written in Crystal, developed by 84codes AB (Gothenburg, Sweden — the same company behind CloudAMQP). LavinMQ implements the AMQP protocol and is designed as a high-performance alternative to RabbitMQ.
CLOUD Act Score: 0/25 — 84codes AB is Swedish, LavinMQ is Apache 2.0 licensed. When self-hosted on Hetzner or OVHcloud, there is no US data processor in the path.
Pub/Sub Compatibility: LavinMQ uses AMQP 0-9-1 semantics (queues, exchanges, bindings) rather than the Pub/Sub API. For teams that were using Pub/Sub for simpler fan-out messaging (not high-throughput streaming), LavinMQ is a lightweight alternative that avoids Kafka operational complexity.
4-Week Migration Plan: Google Pub/Sub → Aiven Kafka (EU)
This plan assumes a typical microservices architecture with 3-5 Pub/Sub topics and push subscriptions.
Week 1: Inventory and Assessment
# List all Pub/Sub topics in your GCP project
gcloud pubsub topics list --format="table(name,labels)"
# List all subscriptions and their types
gcloud pubsub subscriptions list --format="table(name,topic,pushConfig.pushEndpoint,ackDeadlineSeconds,retainAckedMessages)"
# Identify push subscriptions (these need special handling)
gcloud pubsub subscriptions list --filter="pushConfig.pushEndpoint!=''" --format="table(name,pushConfig.pushEndpoint)"
# Check message retention settings
gcloud pubsub topics list --format="json" | python3 -c "
import json, sys
for t in json.load(sys.stdin):
print(t.get('name'), t.get('messageRetentionDuration', '7d default'))
"
Classify each topic:
- High-throughput streaming → Aiven Kafka or self-hosted Redpanda
- Simple fan-out (push webhooks) → LavinMQ or Aiven Kafka + webhook consumer
- BigQuery integration → Aiven Kafka + Kafka Connect BigQuery Sink (or migrate BigQuery to Exasol/Neon)
Week 2: Aiven Kafka Setup
# Install Aiven CLI
pip install aiven-client
# Create Aiven project (Frankfurt region)
avn project create eu-messaging-prod --cloud google-europe-west3
# Create Kafka service (startup-2 = 3 nodes, 90GB)
avn service create kafka-prod \
--service-type kafka \
--cloud google-europe-west3 \
--plan startup-2 \
--project eu-messaging-prod
# Enable Schema Registry and Kafka REST
avn service update kafka-prod \
--project eu-messaging-prod \
-c schema_registry=true \
-c kafka_rest=true
# Get connection info
avn service get kafka-prod --project eu-messaging-prod --format json
Create Kafka topics mirroring your Pub/Sub topics:
# Map Pub/Sub topics to Kafka topics
# Google Pub/Sub: projects/my-project/topics/user-events
# Kafka equivalent: user-events (with appropriate partitions)
avn service topic-create kafka-prod \
--project eu-messaging-prod \
user-events \
--partitions 12 \
--replication 3
Week 3: Dual-Write Migration
Run both systems in parallel during migration:
# Python producer: writes to both Google Pub/Sub and Kafka
from google.cloud import pubsub_v1
from confluent_kafka import Producer
import json
pubsub_client = pubsub_v1.PublisherClient()
kafka_producer = Producer({
"bootstrap.servers": "your-aiven-kafka.aivencloud.com:12345",
"ssl.ca.location": "/path/to/ca.pem",
"ssl.certificate.location": "/path/to/service.cert",
"ssl.key.location": "/path/to/service.key",
"security.protocol": "ssl"
})
def publish_event(topic_name, data: dict):
# Write to Pub/Sub (existing)
pubsub_topic = f"projects/my-project/topics/{topic_name}"
pubsub_client.publish(pubsub_topic, json.dumps(data).encode())
# Write to Kafka (new)
kafka_producer.produce(
topic=topic_name,
value=json.dumps(data).encode(),
key=data.get("user_id", "").encode()
)
kafka_producer.flush()
Week 4: Cutover and Pub/Sub Decommission
# 1. Verify all consumers have migrated to Kafka
# 2. Verify no lag on Kafka consumer groups
kafka-consumer-groups.sh --bootstrap-server ... --describe --group all
# 3. Set Pub/Sub subscription expiration policy to 1 day
gcloud pubsub subscriptions modify-push-config my-subscription --push-endpoint ""
gcloud pubsub subscriptions update my-subscription --expiration-period 1d
# 4. After 24h monitoring, delete Pub/Sub resources
gcloud pubsub subscriptions delete my-subscription
gcloud pubsub topics delete user-events
# 5. Remove Google Cloud project IAM bindings for Pub/Sub roles
gcloud projects remove-iam-policy-binding my-project \
--member "serviceAccount:app@my-project.iam.gserviceaccount.com" \
--role "roles/pubsub.publisher"
GDPR Art.30 Record of Processing Activities — Pub/Sub Section
When audited, your RoPA must document the Pub/Sub sub-processor chain. For a standard Google Pub/Sub implementation:
Processing Activity: Event-Driven User Notification System
Controller: [Your Company] ([EU Member State])
Processor: Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA
Sub-processors:
- Google LLC data centers (Frankfurt, Belgium, Warsaw)
- Google LLC global infrastructure (control plane operations)
Legal Basis: Art.6(1)(b) — contract performance / Art.6(1)(f) — legitimate interests
Transfer Safeguard: Standard Contractual Clauses (Art.46(2)(c)) + EU-US DPF certification
Data Subject Categories: End users (EU residents)
Data Categories: User identifiers, event payloads, delivery timestamps
Retention: [Your configured Pub/Sub message retention, typically 7 days]
Deletion Mechanism: Pub/Sub message auto-expiration + dead-letter topic cleanup
TIA Status: Transfer Impact Assessment required — Google's PRISM participation means TIA cannot conclude adequate protection without supplementary measures (end-to-end encryption of payloads prior to publish)
The TIA requirement under EDPB Recommendation 1/2020 means you must document whether Google Pub/Sub's access protections are effective against NSL/FISA demands — and the honest answer, based on public disclosures, is that they are not for the payload level.
Decision Framework: When to Choose What
| Situation | Recommendation | CLOUD Act Score |
|---|---|---|
| New project, full EU sovereignty required | Self-hosted Kafka on Hetzner + Redpanda | 0/25 |
| Managed service, EU-native operator | Aiven for Kafka (Helsinki) | 3/25 |
| Enterprise, regulated (FSI/healthcare) | Axual Platform (Amsterdam) | 0/25 |
| Simple fan-out, low throughput | LavinMQ self-hosted | 0/25 |
| BYOC option acceptable | Redpanda BYOC on OVHcloud | 0/25 |
| Migration to GCP Sovereign Cloud (DE/FR) | T-Systems / Thales Pub/Sub equivalent | ~2/25 |
| Staying with Google Pub/Sub | Implement payload encryption + DLP + TIA documentation | 21/25 — CLOUD Act risk persists |
Summary: Google Pub/Sub CLOUD Act Score 21/25
Google Pub/Sub scores 21 out of 25 on our CLOUD Act exposure scale — one of the highest in the EU Message Broker Series. The combination of:
- Google LLC Delaware as the legal operating entity
- PRISM participation (confirmed, ongoing since 2013)
- FedRAMP High authorization (DoD IL2, CIA/DIA contracts)
- CLOUD Act §2713 applicability to all data in Google's "possession, custody, or control"
- NSL gag orders preventing customer notification of government access
...means that Google Pub/Sub cannot serve as a legally compliant message broker for EU personal data in strict GDPR interpretations, particularly post-Schrems II.
For EU-based organisations that need to process personal data through a message broker:
- Zero GDPR risk: Self-hosted Kafka on Hetzner (Germany, 0/25) or Redpanda BYOC
- Managed with EU-native processor: Aiven for Kafka (Helsinki, 3/25)
- Enterprise regulated industries: Axual Platform (Amsterdam, 0/25)
If you are building a new EU-native SaaS and need a fully managed platform that integrates EU-compliant messaging with your deployment infrastructure, sota.io provides managed deployments on Hetzner Germany — 0/25 CLOUD Act exposure — with support for Kafka-based event streaming through your own Hetzner infrastructure.
This post is part of the sota.io EU Message Broker Compliance Series. Next: Azure Service Bus EU Alternative 2026 — Microsoft Corporation (Washington State, CLOUD Act 21/25, Azure Service Bus as PRISM infrastructure).
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.