# The CLOUD Act: What Every EU Law Firm Must Know
The US CLOUD Act grants extraterritorial jurisdiction over your data. Here's what that means for your firm and your clients.
## The 30-Second Summary
If your firm uses Microsoft 365, Google Workspace, or any US-headquartered cloud provider, your client data can be compelled by US law enforcement—regardless of where the servers are physically located.
This is not theoretical. This is the law.
## What is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into US law on March 23, 2018. It amended the Stored Communications Act to clarify that US law enforcement can compel US-based technology companies to produce data in their possession, custody, or control, regardless of where the servers holding that data are physically located.
### Key Provisions
- Extraterritorial Reach: US warrants apply to data stored anywhere in the world if controlled by a US company
- No Customer Notification Required: Companies may be prohibited from informing customers about data requests
- Executive Agreements: Bilateral agreements can streamline cross-border data requests
## Why This Matters for EU Law Firms
### The Attorney-Client Privilege Risk
When US authorities issue a CLOUD Act warrant to Microsoft for data stored in their Dublin data center, Microsoft must comply. Your client communications, case files, and privileged documents are not protected by EU law in this scenario.
### The GDPR Collision
Here’s where it gets complicated:
- GDPR Article 48 states that a court order or administrative decision from a non-EU country requiring disclosure of personal data is only recognised or enforceable if it is based on an international agreement, such as a mutual legal assistance treaty
- CLOUD Act compliance may therefore violate GDPR
- You face legal risk from both jurisdictions
### The “Safe Harbor” Myth
Many firms believe that using “EU data centers” provides protection. This is incorrect.
| Provider | EU Data Center | Still Subject to CLOUD Act? |
|---|---|---|
| Microsoft Azure | Yes (Dublin, Amsterdam) | Yes |
| AWS | Yes (Frankfurt, Paris) | Yes |
| Google Cloud | Yes (Multiple EU locations) | Yes |
The parent company’s jurisdiction determines which laws can reach the data, not the server location.
## What Can You Do?
### Option 1: Accept the Risk
Some firms decide the convenience outweighs the risk. This is a valid business decision, but it should be an informed decision.
### Option 2: Non-US Providers
Use cloud providers headquartered outside the US and its allied jurisdictions. Note: UK providers may raise similar issues, since the UK has a bilateral data-access agreement with the US under the CLOUD Act.
### Option 3: Sovereign Infrastructure
Deploy AI and document management on infrastructure you physically control, under your jurisdiction.
This is why we built Tacitus.
## Further Reading
- US Department of Justice: CLOUD Act Resources
- European Data Protection Board: Statement on CLOUD Act
- Article 48 GDPR Text
Ready to assess your firm’s jurisdiction risk? Download our Sovereign AI Checklist or request a briefing.