The US CLOUD Act: What Every EU Organization Must Know

The Clarifying Lawful Overseas Use of Data Act allows US law enforcement to compel American companies to produce data stored anywhere in the world. If you use Microsoft, Google, Amazon, or OpenAI, this applies to you.

THE LAW

Enacted March 23, 2018

Amends the Stored Communications Act (18 U.S.C. § 2703) to clarify extraterritorial application.

THE REACH

Global, Regardless of Server Location

US warrants apply to data stored in any country if controlled by a US-headquartered company.

THE CONFLICT

Direct Collision with GDPR

Compliance with the CLOUD Act may violate GDPR Article 48. Organizations face legal risk from both jurisdictions.

What is the CLOUD Act?

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a United States federal law enacted on March 23, 2018. It was passed as part of the Consolidated Appropriations Act of 2018, with bipartisan support and relatively little public debate.

The law addresses a gap that emerged from the Microsoft Ireland case (2013-2018), where Microsoft challenged a US warrant seeking emails stored in its Dublin data center. The CLOUD Act resolved this by explicitly stating that US warrants apply to data controlled by US companies regardless of where that data is physically stored.

Key Provisions

  • §1 Extraterritorial Reach: A provider of electronic communication or remote computing services must comply with preservation, backup, or disclosure obligations regardless of whether the data is located inside or outside the United States.
  • §2 Executive Agreements: The US may enter into bilateral agreements with foreign governments to streamline cross-border data requests, potentially bypassing traditional MLAT processes.
  • §3 Motion to Quash: Providers may challenge warrants if disclosure would violate the laws of a "qualifying foreign government," but this is a limited and uncertain remedy.

Who is Affected?

Any organization using services from a US-headquartered technology company is potentially affected. This includes:

Cloud Infrastructure

  • Microsoft Azure
  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • Oracle Cloud

SaaS Applications

  • Microsoft 365 (Outlook, Teams, SharePoint)
  • Google Workspace
  • Salesforce
  • Dropbox, Box, Slack

AI Services

  • OpenAI (ChatGPT, GPT API)
  • Microsoft Copilot
  • Google Gemini
  • Anthropic Claude (API)

Legal Tech

  • Harvey AI
  • Casetext / CoCounsel
  • Thomson Reuters (Westlaw)
  • LexisNexis

The GDPR Collision

For EU organizations, the CLOUD Act creates a direct conflict with the General Data Protection Regulation (GDPR). This puts companies in an impossible position.

GDPR Article 48 - Transfers Not Authorised by Union Law

"Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State."

In plain language: A US court order alone is not a valid legal basis for transferring personal data from the EU.

If You Comply with the CLOUD Act

  • Potential GDPR violation (Article 48)
  • Fines up to EUR 20M or 4% of global revenue
  • Breach of client confidentiality
  • Professional liability exposure

If You Refuse a CLOUD Act Demand

  • Contempt of US court
  • Potential criminal penalties
  • Service termination by provider
  • Business relationship consequences

The European Data Protection Board (EDPB) has stated that CLOUD Act demands do not constitute a valid legal basis under GDPR. However, this doesn't help the US-headquartered service provider who faces US legal consequences for non-compliance.

The "EU Data Center" Myth

Many organizations believe that using an "EU region" or "EU data center" option protects them from CLOUD Act exposure. This is incorrect.

Belief: "My data is in Azure's Dublin data center, so it's under Irish law."
Reality: Microsoft is a US company. The CLOUD Act applies regardless of server location.

Belief: "I use AWS Frankfurt. German data protection laws apply."
Reality: Amazon is a US company. The CLOUD Act supersedes physical location.

Belief: "My contract says data stays in the EU."
Reality: Contracts cannot override federal law. The provider must comply with valid warrants.

Belief: "I encrypt my data, so they can't read it anyway."
Reality: The provider may hold the encryption keys, or be compelled to provide access methods.

The Key Principle

Jurisdiction follows the company, not the server.

If the parent company is headquartered in the United States, data under its control is subject to US law enforcement demands, regardless of where that data physically resides.

What Are Your Options?

Organizations have several approaches to managing CLOUD Act risk, each with different trade-offs:

1. Accept the Risk

Many organizations decide the convenience of US cloud providers outweighs the jurisdiction risk. This is a valid business decision, but it should be informed and documented.

Best for: Organizations with low-sensitivity data, or those willing to accept residual risk.

2. Use Non-US Providers

Switch to cloud providers headquartered outside US jurisdiction. This eliminates CLOUD Act exposure but may involve migration costs and feature limitations.

Considerations: UK providers may have similar issues due to bilateral agreements. Verify the parent company jurisdiction carefully.

Example: Tacitus Cloud Bridge, an EU-jurisdiction single-tenant cloud.

3. Physical Sovereignty (Air-Gap)

Deploy on hardware you physically control, with no network connection to external systems. There's nothing to compel because there's nothing to access remotely.

Best for: Organizations with strict confidentiality requirements (law firms, healthcare, government, R&D).

Example: Tacitus Cortex, an air-gapped AI appliance for your server room.

Assess Your Jurisdiction Risk

Not sure if your current infrastructure exposes you to CLOUD Act demands? Our checklist helps you evaluate your risk in 15 minutes.


Ready to Discuss Sovereignty?

Our team can assess your current infrastructure and recommend the appropriate level of protection for your organization's needs.