The focus should not be on the location, provided it is in the EU; really, the focus should be on carefully siloing the user data and making it accessible only to those who need it, which is definitely no one managing any servers and networks; it shouldn't matter (just data loss, but not leaks which are not worthless). The info should be encrypted with different service-dependent (healthcare, different levels, taxes, etc.) key pairs. As long as this data is accessible by anyone else but me, it's going to fall into the wrong hands anyway.