Why European Cloud Hosting Matters More After the CLOUD Act
The Law That Changed Everything
In March 2018, the United States quietly passed the Clarifying Lawful Overseas Use of Data Act — better known as the CLOUD Act. It was signed into law as part of an omnibus spending bill, receiving minimal public debate despite its extraordinary reach.
The CLOUD Act does something unprecedented: it gives US law enforcement and intelligence agencies the legal authority to compel American companies to hand over data regardless of where that data is physically stored. If your business data sits on a server in Frankfurt, operated by a US company, the US government can legally demand access to it without notifying you or the German authorities.
For European businesses, this single piece of legislation fundamentally undermines the premise that storing data in Europe keeps it safe under European law.
How the CLOUD Act Actually Works
The Mechanism
Under the CLOUD Act, a US court can issue a warrant requiring any US-headquartered company — or any company with sufficient ties to the US — to produce data in its “possession, custody, or control,” regardless of where that data is stored.
The critical elements:
- Extraterritorial reach: The data’s physical location is irrelevant. A server in Amsterdam, a data center in Paris, a backup facility in Dublin — if the company controlling it is American, the data is accessible
- No foreign government notification: The US government is not required to inform the country where the data is stored, or to go through mutual legal assistance treaties (MLATs)
- Gag orders possible: Companies can be prohibited from informing their customers that their data has been requested
- Broad scope: Applies to any “wire or electronic communication” and any “record or other information”
The Conflict With GDPR
This creates a direct legal collision. GDPR prohibits the transfer of European personal data to third countries (including the US) without adequate safeguards. The CLOUD Act requires US companies to transfer data to US authorities on demand. A US company with European customers faces an impossible choice: violate GDPR or violate US law.
Some companies have tried to resolve this through contractual measures — Standard Contractual Clauses (SCCs), supplementary technical measures, or the EU-US Data Privacy Framework adopted in 2023. But privacy advocates and legal scholars argue that no contractual mechanism can override a US legal obligation backed by criminal penalties.
Schrems II: The Court Agrees
The CLOUD Act’s conflict with European data protection was already foreshadowed by the Schrems II ruling. In July 2020, the Court of Justice of the European Union struck down the EU-US Privacy Shield framework, finding that US surveillance laws — particularly FISA Section 702 and Executive Order 12333 — did not provide protections equivalent to EU law.
The court’s reasoning applies with equal force to the CLOUD Act:
- No independent oversight: CLOUD Act warrants are issued by US courts with no participation from European judicial authorities
- No redress for EU citizens: Europeans whose data is accessed have no effective legal remedy in the US system
- Mass surveillance context: The CLOUD Act operates alongside broader US surveillance authorities that the CJEU already found incompatible with EU fundamental rights
The EU-US Data Privacy Framework adopted in 2023 attempts to address some of these concerns, but it faces ongoing legal challenges and many data protection experts view it as another temporary fix rather than a structural solution. The fundamental problem remains: US law gives the US government access to data that EU law says it shouldn’t have.
Why “EU Region” on a US Cloud Isn’t Enough
Cloud providers like AWS, Microsoft Azure, and Google Cloud offer European data center regions and make data residency commitments. These are genuinely useful for performance and some compliance requirements, but they do not solve the CLOUD Act problem.
Here’s why:
- Legal control matters more than physical location: Even if your data never leaves an EU data center, the US company that operates it can be compelled to access and produce that data
- Encryption keys under US control: If the cloud provider manages your encryption keys — as is the default for most services — they can decrypt your data in response to a CLOUD Act warrant
- Metadata is data: Even with encrypted data, the US provider has access to metadata — who stores what, when it’s accessed, from where — which can be compelled under the CLOUD Act
- Subsidiary structures don’t help: AWS Europe, Microsoft Ireland, Google Netherlands — these EU subsidiaries are ultimately controlled by US parent companies subject to US law
This doesn’t mean US cloud providers are malicious. Many actively push back against overly broad government requests. Microsoft famously fought a warrant for data stored in Ireland in the case that preceded the CLOUD Act (and technically won, before the CLOUD Act mooted the ruling). But the legal framework compels compliance, and companies that refuse face contempt proceedings and sanctions.
The European Alternative: Genuine Data Sovereignty
The only way to fully escape the CLOUD Act’s reach is to store data with a provider that is not subject to US jurisdiction. This means a company that is:
- Headquartered in the EU or a GDPR-adequate country (like Switzerland)
- Not a subsidiary of a US company
- Not operationally dependent on US infrastructure in ways that create jurisdiction
- Processing and storing data exclusively on EU/EEA territory
Hetzner (Germany)
Hetzner is a privately owned German company operating data centers in Nuremberg, Falkenstein, and Helsinki. They offer dedicated servers, cloud hosting, and managed services at prices that consistently undercut US hyperscalers. With no US parent company, no US investors, and no US operations, Hetzner is completely outside CLOUD Act jurisdiction. Their pricing transparency — no hidden egress fees, no complex tiered billing — has earned them a loyal following among developers and SMBs.
OVHcloud (France)
OVHcloud is Europe’s largest cloud provider, operating 40+ data centers worldwide. Headquartered in Roubaix, France, and listed on the Paris stock exchange, OVHcloud is fully European in ownership and governance. They offer a complete cloud stack — bare metal, public cloud, private cloud, and web hosting — with a strong emphasis on data sovereignty. Their “SecNumCloud” qualified offerings meet France’s highest security standard for cloud services.
Scaleway (France)
Scaleway, a subsidiary of the Iliad Group, operates from data centers in Paris and Amsterdam. They’ve built a reputation for developer-friendly cloud services with innovative pricing and strong environmental commitments (their data centers use adiabatic cooling). Scaleway positions itself explicitly as a sovereign European cloud alternative, with all data processing within the EU.
Infomaniak (Switzerland)
Swiss-based Infomaniak operates exclusively from Switzerland, benefiting from the country’s strong data protection laws and GDPR adequacy decision. They offer cloud hosting, email, video conferencing, and productivity tools — all from Swiss data centers powered by renewable energy. Switzerland’s legal framework provides an additional layer of protection against foreign data access requests.
UpCloud (Finland)
Finnish cloud provider UpCloud offers high-performance cloud servers from data centers across Europe. As a Finnish company, they operate entirely within EU jurisdiction and are subject only to EU and Finnish data protection law.
How to Audit Your Cloud Stack
Moving to European cloud hosting doesn’t have to be an all-or-nothing switch. Start with a systematic audit:
Step 1: Map Your Data Flows
Document every service that stores, processes, or transmits your data. Include not just primary hosting but also:
- Backup services: Where do your backups go?
- CDN providers: Which content delivery network caches your data?
- Email and communication: Where are your emails stored?
- Analytics: Where does your user data flow?
- SaaS tools: Which third-party services have access to your data?
Step 2: Identify US-Controlled Services
For each service, determine whether the provider is a US company or US-controlled subsidiary. Check parent company ownership, not just the entity name on your contract.
Step 3: Classify by Sensitivity
Not all data carries the same risk. Prioritize migration based on data sensitivity:
- Highest priority: Personal data of EU citizens, health data, financial records, legal documents
- High priority: Business-critical data, customer communications, internal documents
- Medium priority: Development infrastructure, internal tools, non-sensitive content
- Lower priority: Static website hosting, public content, non-personal data
Step 4: Plan Migration by Priority
Start with the highest-sensitivity data and work down. For each migration:
- Evaluate at least two European providers
- Test performance and compatibility before committing
- Plan for a parallel-running period to catch issues
- Update your data processing records and privacy policies
Step 5: Verify Ongoing Compliance
Sovereignty isn’t a one-time achievement. Regularly review your stack for:
- New services added without sovereignty review
- Provider ownership changes (European companies being acquired by US entities)
- Changes in legal frameworks that might affect data protection adequacy
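The five audit steps above can be kept as a small script that runs against your service inventory. The following is an added example, not part of the original article: the ownership register, company names, service names and the three classification labels are all constructed placeholders that you would replace with your own records.

```python
from dataclasses import dataclass

# Constructed ownership register: entity -> (jurisdiction, parent or None).
# Every company name here is a hypothetical placeholder, not a real provider.
OWNERSHIP = {
    "ExampleCloud EU GmbH": ("DE", "ExampleCloud Inc."),
    "ExampleCloud Inc.": ("US", None),
    "NordHost Oy": ("FI", None),
    "MailBox SAS": ("FR", "MailBox Holding BV"),
    "MailBox Holding BV": ("NL", None),
}
RANK = {"highest": 0, "high": 1, "medium": 2, "lower": 3}  # Step 3 tiers

@dataclass(frozen=True)
class Service:
    name: str
    role: str             # Step 1: backup, cdn, email, analytics, saas, hosting
    contract_entity: str  # the entity named on the contract
    sensitivity: str

INVENTORY = [  # constructed sample inventory
    Service("db-backups", "backup", "ExampleCloud EU GmbH", "highest"),
    Service("static-site", "hosting", "ExampleCloud EU GmbH", "lower"),
    Service("support-mail", "email", "MailBox SAS", "high"),
    Service("web-analytics", "analytics", "StatsCo Ltd", "high"),
    Service("app-servers", "hosting", "NordHost Oy", "medium"),
]

def exposure(service, register=OWNERSHIP):
    """Step 2: walk from the contract entity up to the ultimate parent."""
    entity, seen = service.contract_entity, set()
    while entity is not None:
        if entity in seen:
            raise ValueError(f"ownership cycle at {entity}")
        seen.add(entity)
        if entity not in register:
            return "unverified"  # undocumented ownership is itself a finding
        jurisdiction, parent = register[entity]
        if jurisdiction == "US":
            return "us-controlled"
        entity = parent
    return "not-us-controlled"

def migration_plan(services, register=OWNERSHIP):
    """Step 4: services needing action, most sensitive first."""
    flagged = [s for s in services if exposure(s, register) != "not-us-controlled"]
    return sorted(flagged, key=lambda s: (RANK[s.sensitivity], s.name))

def ownership_drift(services, old, new):
    """Step 5: services whose classification changed between two snapshots."""
    return [(s.name, exposure(s, old), exposure(s, new))
            for s in services if exposure(s, old) != exposure(s, new)]
```

Re-running ownership_drift against a fresh register snapshot at each review surfaces acquisitions that change a provider's classification.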
The Cost Question
A common objection to European cloud hosting is cost. The reality is more nuanced than “US clouds are cheaper”:
- Hetzner is frequently less expensive than equivalent AWS or Azure configurations, especially for compute-intensive workloads
- OVHcloud offers competitive pricing with predictable billing and no egress fees
- Scaleway provides transparent, developer-friendly pricing
- US hyperscalers’ apparent cost advantages often depend on complex reserved-instance pricing, commitment discounts, and free-tier lock-ins that obscure the true long-term cost
When you factor in the cost of GDPR compliance measures needed for US cloud usage — data protection impact assessments, supplementary technical measures, legal reviews of SCCs, potential fines — European hosting often achieves cost parity or better.
The Bottom Line
The CLOUD Act created a legal reality that no amount of contractual engineering can fully address. As long as your data is controlled by a US company, it is accessible to the US government, regardless of where it physically sits. European cloud providers offer the only structural solution: genuine data sovereignty under European law, operated by European companies, stored on European soil.
The infrastructure exists. The providers are mature. The pricing is competitive. The only remaining question is whether you’re willing to make the switch before a data access request makes the decision for you.