Looker EU Alternative 2026: Google LLC CLOUD Act Exposure and GDPR-Compliant Business Intelligence
Post #3 in the sota.io EU Business Intelligence Series
Looker is one of the most sophisticated business intelligence platforms in the enterprise market. European organisations use it to build data products, embedded analytics, and operational dashboards on top of their cloud data warehouses. But Looker is owned by Google LLC — a Delaware limited liability company and a wholly owned subsidiary of Alphabet Inc. (a Delaware C-Corp) — and every byte of data processed through Looker's cloud infrastructure is subject to the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. §2713).
This is not an abstract legal theory. CLOUD Act §2713 compels US-incorporated companies — including limited liability companies — to produce data stored anywhere in the world in response to a US federal court order or National Security Letter, without notification to the data subject or the data controller. For EU companies routing sensitive business intelligence through Looker, this creates a direct collision with GDPR Art. 48 (transfers only with legal basis), Art. 28 (adequate DPA guarantees), and Art. 5(1)(f) (integrity and confidentiality).
Looker's Legal Entity Chain
The CLOUD Act risk begins with corporate structure:
| Entity | Incorporated | Jurisdiction |
|---|---|---|
| Alphabet Inc. | Delaware C-Corp | Ultimate parent |
| Google LLC | Delaware LLC | Looker operating entity since 2020 |
| Google Cloud EMEA Ltd | Ireland Ltd | EU sales and contracting entity |
| Google Ireland Ltd | Ireland Ltd | GDPR data controller for EU |
Critical point: Delaware LLC membership does not insulate Google LLC from US federal process. The CLOUD Act applies to any entity formed under US law. Google LLC is indisputably a US-formed entity — and National Security Letters issued under 18 U.S.C. §2709 bind it directly, without court oversight.
Google acquired Looker in June 2020 for approximately $2.6 billion. Since acquisition, Looker has operated as part of Google Cloud Platform — meaning Looker's infrastructure runs on GCP data centres, including US-based regions. Even EU-region GCP deployments (Frankfurt/Netherlands) are subject to CLOUD Act compulsion against Google LLC.
What Looker Products Are Affected?
Google offers Looker under several product tiers:
| Product | Cloud Hosted | Self-Hosted Option | CLOUD Act Risk |
|---|---|---|---|
| Looker (Enterprise/Platform) | Yes (GCP) | No | HIGH |
| Looker Studio (formerly Data Studio) | Yes (GCP) | No | HIGH |
| Looker Studio Pro | Yes (GCP) | No | HIGH |
| Looker (Embedded Analytics) | Yes (GCP) | No | HIGH |
| Looker Modeled Data Exploration | Yes (GCP) | No | HIGH |
All Looker tiers are cloud-only. There is no on-premises or self-hosted Looker deployment option for enterprise customers. This means EU organisations cannot isolate their business intelligence data from Google LLC's cloud infrastructure.
GDPR Conflict Analysis
Art. 28 — Data Processing Agreement
Google's DPA for Looker includes standard contractual clauses (SCCs) as the Art. 46 transfer mechanism. However, SCCs are undermined when the data importer is subject to laws that conflict with the clauses — specifically, laws that allow government access without notification. The Schrems II judgment (C-311/18) established that US surveillance laws create exactly this conflict for US-incorporated entities.
Art. 46 — Transfer Mechanisms
Google relies on SCCs for EEA-to-US data flows. However, the European Data Protection Board's Recommendations 01/2020 require supplementary technical and legal measures when SCCs cannot guarantee equivalent protection. For Looker, which operates on GCP infrastructure accessible to Google LLC, technical supplementary measures (encryption with EU-held keys) are not available in standard deployment configurations.
Art. 48 — Transfers Not Authorised by EU Law
CLOUD Act orders issued to Google LLC constitute "requirements of courts and administrative authorities" of a third country. Under Art. 48, such transfers are only lawful if based on an international agreement (such as a mutual legal assistance treaty). No MLAT between the US and EU covers CLOUD Act production orders for commercial data. This gap remains unresolved after Data Privacy Framework adoption in 2023.
Art. 35 — Data Protection Impact Assessment (DPIA)
Using Looker for high-risk data processing — financial analytics, HR metrics, health data, customer PII — triggers a mandatory DPIA obligation under Art. 35. The DPIA must assess residual risks after supplementary measures. For Looker, the residual risk of US government access cannot be reduced to near zero.
Google Cloud EU Data Boundary: What It Covers (and What It Doesn't)
Google launched the Cloud EU Data Boundary program in January 2022, with the primary goal of keeping EU customer data within the EU. However, the EU Data Boundary has significant limitations for Looker:
What it covers:
- Storing EU customer data at rest in EU GCP regions
- Restricting data in motion to EU regions for most services
- Limiting Google personnel access to EU-based staff for support
What it does NOT cover:
- Exemption from CLOUD Act compulsion against Google LLC
- Looker's internal metadata and usage analytics
- Google's product improvement telemetry from Looker usage
- Emergency support access from non-EU Google staff
The EU Data Boundary is a data residency commitment — it does not change Google LLC's legal obligations under US federal law. A CLOUD Act production order can compel Google LLC to produce Looker data regardless of where it is stored.
CLOUD Act Risk Matrix: BI Tools Comparison
| Platform | Legal Entity | CLOUD Act Subject | EU Data Boundary | Self-Hosted Option | GDPR Risk Level |
|---|---|---|---|---|---|
| Looker | Google LLC (Delaware) | Yes | Partial | No | HIGH |
| Tableau | Salesforce Inc. (Delaware) | Yes | No | No | HIGH |
| Power BI | Microsoft Corp. (Washington) | Yes | Partial (EDB) | No | HIGH |
| Qlik Sense SaaS | Qlik Technologies Inc. (PA) | Yes | No | Yes (Qlik Enterprise) | HIGH/LOW |
| Domo | Domo Inc. (Delaware) | Yes | No | No | HIGH |
| Apache Superset | ASF (501(c)(3)) | No | N/A | Yes | LOW |
| Metabase | Metabase Inc. (Delaware SaaS) | Yes (cloud) | No | Yes (OSS) | LOW (self-hosted) |
| Lightdash | Lightdash Ltd (UK Ltd) | No | N/A | Yes | LOW |
| Grafana | Grafana Labs (NY — SaaS) | Yes (cloud) | No | Yes (OSS) | LOW (self-hosted) |
| Cluvio | Cluvio GmbH (Berlin, DE) | No | EU-only | No | LOW |
| Toucan Toco | Toucan Toco SAS (Paris, FR) | No | EU-only | No | LOW |
EU-Native and Self-Hosted BI Alternatives
1. Apache Superset (self-hosted)
Legal entity: Apache Software Foundation — a US 501(c)(3) nonprofit. Superset is an open-source project under the Apache License 2.0. No CLOUD Act applicability when self-hosted.
Superset offers SQL-based exploration, interactive dashboards, and integration with modern data stacks (BigQuery, Snowflake, Redshift, PostgreSQL, ClickHouse). It supports LookML-style semantic layers through dbt integration. Large enterprises including Airbnb, Twitter, and Nielsen use Superset in production.
EU deployment: Run on EU-hosted infrastructure (Hetzner, OVHcloud, IONOS, or EU-region AWS/GCP with EU-incorporated contracting party).
GDPR risk: Low when self-hosted. DPIA required for cloud SaaS deployments on US providers.
2. Metabase Community Edition (self-hosted)
Legal entity: Metabase, Inc. — a Delaware C-Corp. CLOUD Act exposure applies to Metabase Cloud. However, Metabase Community Edition (open source, AGPL-3.0) deployed on EU infrastructure has no CLOUD Act exposure.
Metabase is one of the most accessible BI tools for non-technical users. It supports automated insight generation ("X-ray"), question-based exploration, embedded analytics, and a full SQL editor. Metabase Enterprise on EU-hosted infrastructure provides SSO, data sandboxing, and audit logging.
EU self-hosted pricing: Community Edition is free. Enterprise starts at approximately $500/month for cloud or can be licensed for on-premises deployment.
3. Lightdash (UK Ltd, open source)
Legal entity: Lightdash Ltd — a UK private limited company. No CLOUD Act exposure. Post-Brexit UK entity — GDPR adequacy decision in place (December 2020 retained adequacy under UK-GDPR).
Lightdash is a purpose-built open-source BI tool designed around dbt (data build tool) models. If your organisation already uses dbt for data transformation, Lightdash provides instant BI on top of dbt semantic layer definitions. It reads your schema.yml and models/ directly, eliminating duplicate metric definitions.
EU deployment: Self-hosted on EU infrastructure or via Lightdash Cloud (UK-hosted). UK Ltd entity significantly lower CLOUD Act risk than Google LLC.
4. Grafana OSS + Grafana Enterprise (self-hosted)
Legal entity: Grafana Labs — a New York company. CLOUD Act exposure applies to Grafana Cloud. However, Grafana OSS (Apache 2.0) and Grafana Enterprise deployed on EU infrastructure have no CLOUD Act exposure.
Grafana is primarily associated with observability, but it has evolved into a general-purpose data visualisation platform with support for 70+ data source plugins, including ClickHouse, BigQuery, PostgreSQL, MySQL, Snowflake, and Prometheus. Grafana's dashboard templating, alerting, and transformations make it viable for business analytics beyond infrastructure monitoring.
5. Cluvio GmbH (Berlin, EU-native SaaS)
Legal entity: Cluvio GmbH — incorporated in Berlin, Germany. No CLOUD Act exposure. German GmbH under EU law.
Cluvio is a commercial BI SaaS platform built for data analysts and engineers. It offers SQL-based dashboards, report scheduling, and team sharing. Cluvio runs on EU infrastructure and is contractually obligated under German law.
Pricing: From approximately €200/month for teams. Enterprise pricing available.
6. Toucan Toco (Paris, EU-native SaaS)
Legal entity: Toucan Toco SAS — incorporated in Paris, France. No CLOUD Act exposure. French SAS under EU law.
Toucan Toco specialises in storytelling analytics — business intelligence embedded in operational applications and customer-facing products. It is used by enterprises including TotalEnergies, L'Oréal, and Société Générale for embedded BI with EU compliance requirements.
Looker's Hidden CLOUD Act Vectors
Beyond the primary data processing risk, Looker creates several secondary CLOUD Act exposure vectors:
1. LookML Semantic Layer Metadata
LookML model definitions — including field names, business logic, and calculated metrics — are stored in Google's infrastructure and constitute commercially sensitive intellectual property. A CLOUD Act production order can compel delivery of LookML project files, exposing proprietary business metrics to US authorities.
2. Looker Actions and Scheduler
Looker Actions allow sending dashboard results to Slack, email, Google Sheets, and third-party APIs. Looker's scheduler processes action payloads on Google LLC infrastructure before delivery — creating a processing event subject to CLOUD Act compulsion.
3. Looker Embedded Analytics
Organisations using Looker's embedded analytics (iFrame or signed URLs) to deliver dashboards to customers process customer data through Google LLC's signing infrastructure. Customer data remains in scope for CLOUD Act production orders even when embedded in EU-hosted applications.
4. Looker API Usage
The Looker API exposes data via REST endpoints that pass through Google LLC's API gateway infrastructure in the US. API authentication tokens and query results traversing US infrastructure constitute data in transit subject to CLOUD Act interception warrants under 18 U.S.C. §2703.
Migration Strategy: Looker to EU-Compliant BI
Phase 1: Audit Current Looker Usage (Weeks 1-2)
- Export all LookML models from Looker repository
- Identify data sources connected to Looker (data warehouse, databases, APIs)
- Categorise dashboards by data sensitivity (PII, financial, operational)
- Map Looker users and permission groups for access control migration
- Document Looker Actions and scheduled deliveries
Phase 2: Data Warehouse Assessment (Weeks 2-3)
The migration target depends partly on your data warehouse:
| Data Warehouse | Recommended EU BI Alternative | Reason |
|---|---|---|
| BigQuery (GCP) | Apache Superset / Lightdash | BigQuery remains CLOUD Act exposed — consider moving to EU alternative |
| Snowflake (EU region, EU-incorporated) | Lightdash / Superset | Snowflake's EU corporate entity reduces risk |
| PostgreSQL (EU-hosted) | Metabase / Superset / Grafana | Full EU control with self-hosted BI |
| ClickHouse (EU-hosted) | Superset / Grafana | Excellent performance, EU-native deployment |
Phase 3: LookML to dbt Semantic Layer Migration (Weeks 3-6)
If moving to Lightdash, LookML models can be systematically migrated to dbt YAML definitions:
# LookML dimension → dbt metric
models:
- name: orders
columns:
- name: revenue
description: "Total revenue in EUR"
meta:
metrics:
total_revenue:
type: sum
label: "Total Revenue (EUR)"
Automated migration tools exist for converting LookML dimension, measure, and explore definitions to dbt schema.yml format.
Phase 4: Dashboard Migration (Weeks 4-8)
Priority order for dashboard migration:
- Dashboards processing EU personal data (GDPR Art. 35 DPIA scope)
- Financial analytics (commercially sensitive)
- HR and people analytics (special category data under Art. 9)
- Operational dashboards (lower sensitivity)
Phase 5: GDPR Compliance Update (Week 8)
- Update Record of Processing Activities (ROPA) to reflect new data processor
- Execute new Data Processing Agreement with EU-native BI provider
- Update privacy policy and cookie notice if dashboards were customer-facing
- If DPIA was conducted for Looker, document closure and open new DPIA for replacement
Practical Checklist: Migrating Away from Looker
- Extract all LookML projects from Looker Git integration
- Document all data source connections (credentials, connection strings)
- Export Looker dashboards as PDF/JSON for reference
- Identify all Looker API integrations in your codebase
- Review Looker's DPA to understand data retention after termination
- Request data deletion certificate after migration completion
- Conduct ROPA update for new BI processor
- Test EU BI alternative with production data in staging environment
- Validate GDPR Art. 28 DPA with new provider before go-live
- Update IT asset register to reflect processor change
Why Looker Studio Is Not a Safe Fallback
Many organisations use Looker Studio (formerly Google Data Studio) as a free alternative to Looker Enterprise. Looker Studio has the same CLOUD Act exposure as Looker — it is operated by Google LLC (Delaware) and processes data on GCP infrastructure.
Additionally, Looker Studio presents a unique GDPR risk: it is a free product, meaning the data protection economics are less transparent. Google's privacy policy for Looker Studio permits product improvement processing on usage data, which raises additional Art. 5(1)(b) purpose limitation concerns.
Looker Studio Pro (paid tier) improves on the free product's governance features but does not change the underlying CLOUD Act exposure.
The sota.io EU-Native PaaS Advantage
If you are migrating your BI infrastructure to EU-native open-source tools (Superset, Metabase, Lightdash, Grafana), you need EU-native hosting for the BI application layer itself.
sota.io is a European PaaS platform incorporated under EU law, hosting exclusively on EU infrastructure. Deploying your BI stack on sota.io means:
- No CLOUD Act exposure on the BI application layer
- EU-native contractual counterparty for Art. 28 DPA
- GDPR-compliant data residency for dashboards, query caches, and user data
- Simplified DPIA — EU hosting eliminates the US surveillance law conflict
Pair sota.io hosting with a self-hosted Superset, Metabase, or Lightdash deployment and an EU-region data warehouse to achieve a fully CLOUD-Act-free BI stack.
Summary
Looker is a best-in-class business intelligence platform — but it is a Google LLC product, subject to US CLOUD Act compulsion. The EU Data Boundary commitment does not protect against National Security Letters or FISA §702 production orders issued against Google LLC. For EU organisations processing sensitive business data through Looker, the GDPR conflict is structural and cannot be resolved through supplementary contractual measures alone.
EU-native alternatives — Apache Superset, Metabase CE, Lightdash, Grafana OSS, Cluvio, and Toucan Toco — provide equivalent or superior business intelligence capabilities without the US jurisdictional exposure. For organisations with existing dbt investments, Lightdash offers the fastest migration path. For maximum flexibility and data source coverage, Apache Superset deployed on EU infrastructure is the default recommendation.
The EU Business Intelligence series continues with Post #4: Qlik Sense EU Alternative — covering Qlik Technologies Inc. (Pennsylvania) and the CLOUD Act risk profile for one of the world's largest data integration and analytics platforms.
This article is part of the sota.io EU Business Intelligence Series. For the full series, see:
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.