A multinational enterprise based in Germany currently stores its encrypted LTO-9 backup tapes in a fire-rated safe inside the primary data center. To gain geographic redundancy, the systems administrator proposes shipping the tapes every week to a commercial vaulting facility in the United States. From a physical location storage standpoint, which factor presents the GREATEST data-security concern that must be resolved before the change is adopted?
The tapes would fall under U.S. legal jurisdiction, which could conflict with EU data-protection requirements.
The U.S. facility supplies 120-volt power, so the organization's 230-volt tape drives could not be used for periodic restore tests.
Air-freight transport may expose the cartridges to low humidity that can reduce media life.
Transit time could extend the recovery point objective beyond the company's service-level agreement.
Moving backup media from the EU to a facility in the United States changes the legal jurisdiction that governs the data. Once the tapes arrive in the U.S., they become subject to U.S. laws such as the CLOUD Act while still remaining under the GDPR because the data concerns EU residents. Unless the organization can rely on an adequacy decision, standard contractual clauses, or another lawful transfer mechanism, the relocation could breach EU data-protection rules and lead to significant fines. The other options describe logistical or environmental considerations (longer RPO, voltage differences, or media-handling conditions) that can be mitigated operationally; they are not the primary data-security risk created by the physical storage location.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the CLOUD Act and how does it impact data stored in the U.S.?
Open an interactive chat with Bash
How does GDPR regulate data transfers outside the EU?
Open an interactive chat with Bash
What are adequacy decisions, and how do they relate to data protection?