# CLOUD Act (Clarifying Lawful Overseas Use of Data Act)
A 2018 US federal law that allows US authorities to compel American companies and their subsidiaries to hand over data, regardless of where the data is physically stored.
## What the CLOUD Act actually does
The Clarifying Lawful Overseas Use of Data Act (H.R. 4943) was passed by the US Congress in March 2018 and amended the Stored Communications Act. It does two things:
1. Allows US law enforcement to compel US-based service providers (and their foreign subsidiaries) to disclose data they "possess, control, or have custody of" — regardless of where the data is physically stored
2. Establishes a framework for "executive agreements" allowing foreign governments to request data directly from US providers
The first provision is the one that matters for European businesses.
## Why it matters for European data
Before the CLOUD Act, US companies storing European user data on European servers could plausibly argue the data was outside US legal reach. After the CLOUD Act, that argument no longer holds: if the company is US-based or US-controlled, the data is reachable regardless of physical location.
This applies to:
- Google (including all Google Cloud, Google Workspace, Google services)
- Microsoft (Microsoft 365, Azure, all Microsoft services)
- Amazon (AWS, all Amazon services)
- Apple (iCloud, all Apple services)
- Meta (Facebook, WhatsApp, Instagram metadata)
- Most US SaaS providers regardless of size
The law creates real conflict with GDPR. EU privacy law prohibits unauthorized data transfers; CLOUD Act may compel them. For European businesses using US providers, this creates ongoing legal exposure.
## What protections exist
Three theoretical safeguards exist, with varying practical effectiveness:
**1. Standard Contractual Clauses (SCCs)** — contractual mechanisms between EU and non-EU entities. Updated post-Schrems II to require additional safeguards. Effective for routine processing; insufficient against direct US legal compulsion.
**2. Encryption with EU-controlled keys** — if data is encrypted and the US provider doesn't hold the keys, compelled disclosure produces only ciphertext. Operationally complex but genuine protection.
**3. EU-resident processing only** — using EU-headquartered providers with no US corporate ties, avoiding CLOUD Act jurisdiction entirely.
Of these, only the third provides categorical protection. The first two reduce risk but don't eliminate it.
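To make the second safeguard concrete, here is an added example (not code from the original page) of envelope encryption in which the provider stores only ciphertext and a wrapped data key, while the key-encryption key stays with an EU-operated custodian. The names `StoredObject` and `Custodian` are assumptions, and representing the custodian's HSM/KMS as an in-memory struct is a simplification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredObject is everything the provider holds: ciphertext plus a per-object
// data key (DEK) sealed under a key-encryption key (KEK) the provider never sees.
type StoredObject struct{ Ciphertext, Nonce, WrappedDEK, WrapNonce []byte }

// Custodian holds the KEK. Modelling the EU-operated HSM/KMS as an in-memory
// struct is an assumption of this example.
type Custodian struct{ kek []byte }
func NewCustodian() *Custodian { return &Custodian{kek: randomBytes(32)} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; neither call can fail for the 32-byte keys used here.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Encrypt seals the plaintext under a fresh DEK and the DEK under the KEK; the
// plain DEK is discarded, so only the wrapped copy is ever stored with the provider.
func (c *Custodian) Encrypt(plaintext []byte) StoredObject {
	dek, nonce, wrapNonce := randomBytes(32), randomBytes(12), randomBytes(12)
	return StoredObject{
		Ciphertext: gcm(dek).Seal(nil, nonce, plaintext, nil),
		Nonce:      nonce,
		WrappedDEK: gcm(c.kek).Seal(nil, wrapNonce, dek, nil),
		WrapNonce:  wrapNonce,
	}
}

// Decrypt unwraps the DEK with the KEK, then opens the ciphertext. A party holding
// only the StoredObject (the provider under a disclosure order) fails at step one.
func (c *Custodian) Decrypt(obj StoredObject) ([]byte, error) {
	dek, err := gcm(c.kek).Open(nil, obj.WrapNonce, obj.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, obj.Nonce, obj.Ciphertext, nil)
}
```

This covers data the provider only stores; a service that must process the plaintext holds the DEK in memory at runtime, which is the operational complexity the safeguard description refers to.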
## Why the "EU data residency" claim isn't enough
US providers (Microsoft, Google, AWS) market "EU data residency" — claims that European customer data stays on European servers. This is technically true but legally insufficient.
The CLOUD Act applies based on company nationality and corporate control, not server location. A Microsoft Ireland subsidiary is still subject to the CLOUD Act because Microsoft Corporation (the US parent) has corporate control. EU data residency on US-controlled infrastructure does not escape CLOUD Act jurisdiction.
## What changed in 2024-2026
Use of the CLOUD Act has grown since 2018. Public reporting on specific cases is limited (Section 2511 of Title 18 generally prohibits disclosure of CLOUD Act warrants), but transparency reports from major US providers show a steadily increasing volume of cross-border data requests.
The European response has accelerated:
- **Schrems II** (2020) — invalidated the Privacy Shield specifically because of US surveillance laws including CLOUD Act
- **EU Data Strategy** — emphasizes EU-controlled cloud infrastructure as strategic priority
- **GAIA-X initiative** — European cloud federation explicitly designed to provide CLOUD-Act-free alternatives
- **Sovereign cloud requirements** — French (Cloud de Confiance) and German (BSI C5) frameworks specifically require CLOUD Act protection
## Practical implications for European businesses
For most European businesses, the practical CLOUD Act response in 2026 is:
1. **Classify data sensitivity.** Not all data has equal CLOUD Act exposure. General business data can stay on US providers with documented controls. Sensitive data (legal, medical, personal data of high-risk individuals) should move to EU-controlled providers.
2. **Use EU-controlled providers for sensitive workloads.** [Hetzner](/en/alternatives/hetzner-vs-aws/), [Scaleway](/en/alternatives/scaleway-vs-google-cloud/), [OVHcloud](/en/alternatives/ovhcloud-vs-microsoft-azure/), [Infomaniak](/en/alternatives/infomaniak-vs-digitalocean/) are EU-headquartered with no US corporate control.
3. **For public sector and regulated industries**, sovereign cloud (Open Telekom Cloud, T-Systems Sovereign Cloud, French Cloud de Confiance) is increasingly required.
The CLOUD Act isn't going away. The legal framework around it will continue evolving, but the underlying jurisdiction issue is structural — addressed by choosing providers, not by configuring providers.