Resource

The US CLOUD Act: What It Means for Your Data in Europe

The US CLOUD Act lets American authorities access your data even when hosted in Europe. Understand its reach, its conflict with GDPR, and how to protect yourself.

The US CLOUD Act: What It Means for Your Data in Europe

Since 2018, a US federal law — the CLOUD Act (*Clarifying Lawful Overseas Use of Data Act*) — allows United States authorities to compel an American provider to hand over the data it holds, wherever in the world it is stored. Including in a data centre located in Europe.

For a European business or public body, this raises a concrete question: can your most sensitive data, because it passes through a provider subject to US law, be taken from you without your knowledge? In many cases, the answer is yes.

What is the CLOUD Act, concretely?

The CLOUD Act rests on a principle of extraterritoriality. What matters is not where the data is stored, but the nationality — or legal attachment — of the provider. A host whose parent company is American, or a European subsidiary controlled by a US group, can be compelled by a US warrant to disclose customer data.

Three points are essential:

  • Location does not protect you. Data hosted "in Europe" by an American operator remains within the CLOUD Act's reach.
  • The request can be silent. A gag order can forbid the provider from telling you.
  • Encryption helps but is not enough if the provider also holds the decryption keys.

Does the CLOUD Act really apply in Europe?

Yes. No border puts data out of reach once an operator subject to US law sits anywhere in the processing chain — and that presence is often wider than assumed: a sub-processor, a mail service, an authentication layer, a backup tool.

CLOUD Act vs GDPR: a conflict of laws

The GDPR in principle forbids transfers of personal data to a third country without equivalent protection. A CLOUD Act order demands exactly that. The two collide head-on, and the *Schrems II* ruling confirmed that contractual clauses alone do not neutralise the risk. The only structural way out is to remove every US-subject operator from the chain — the logic of a sovereign cloud.

How to assess your exposure

Map your dependencies: which services you use, who really operates them, what data flows through them, and which is critical or regulated (GDPR, health, trade secrets). A structured assessment objectifies the risk before any migration budget.

Take the 2-minute assessment — identify your CLOUD Act-exposed dependencies and the first priority actions. Request a consultation

Frequently asked questions

What is the US CLOUD Act?

A 2018 US law allowing American authorities to require a US-subject provider to disclose the data it holds, regardless of the storage country.

Does the CLOUD Act apply in Europe?

Yes, as soon as a US-subject operator is in the processing chain, even via a European data centre.

Are the CLOUD Act and GDPR compatible?

No — they are in direct tension. Only an architecture without any US-subject operator truly resolves the conflict.