Skip to content
EuropeanStack

The CLOUD Act Explained for EU Companies (2026 Guide)

What the US CLOUD Act is, when American authorities can reach data stored in Europe, how it conflicts with the GDPR, and what EU companies can actually do.

EuropeanStack Editorial·

The CLOUD Act is the reason "our data is stored in an EU data centre" does not end the data-sovereignty conversation. Passed in the United States in 2018, it lets US authorities compel American providers to hand over data they control regardless of where in the world it is stored — including servers in Frankfurt, Paris, or Dublin. This guide explains what the law actually says, what it does not say, where it collides with the GDPR, and the realistic options European companies have.

What Is the CLOUD Act?

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US federal law from March 2018 that requires providers subject to US jurisdiction to disclose data in their "possession, custody, or control" to US law enforcement, no matter where that data is physically located. It amended the Stored Communications Act of 1986, which had governed US law-enforcement access to electronic communications but was written long before global cloud infrastructure existed.

The law resolved a real dispute. In 2013, US authorities served Microsoft a warrant for emails stored in its Dublin data centre; Microsoft refused, arguing US warrants stop at the border. The case (United States v. Microsoft Corp.) reached the Supreme Court — and while it was pending, Congress passed the CLOUD Act, which answered the question by statute: data location does not matter, provider jurisdiction does. The case was dismissed as moot.

Two things the CLOUD Act is not, because both misreadings are common:

  • It is not mass surveillance. CLOUD Act demands are targeted law-enforcement requests for specific accounts, and content generally still requires a warrant issued by a US court on probable cause. Bulk intelligence collection is a separate legal regime (FISA Section 702 — see below).
  • It is not new power to seize data from any company on Earth. It applies to providers "subject to US jurisdiction" — which is broader than "US companies", but is not unlimited.

Whose Data Can US Authorities Actually Reach?

US authorities can reach data held by any provider subject to US jurisdiction — which includes the EU subsidiaries and EU data centres of American companies, and can include European companies with substantial US operations. The test is corporate control and jurisdiction, not server location.

In practice this means:

ScenarioCLOUD Act exposure
US provider, data in USYes — this was always the case
US provider, data in EU data centre (e.g. a hyperscaler's Frankfurt region)Yes — location is explicitly irrelevant
EU subsidiary of a US parent holding EU dataYes — the parent's jurisdiction follows corporate control
EU provider with significant US presence (offices, entities)Possibly — "subject to US jurisdiction" can capture it; legal exposure depends on the corporate structure
EU provider with no US establishmentEffectively out of direct reach — US authorities must use mutual legal assistance (MLAT) via European courts
Any provider holding only end-to-end encrypted data without the keysThe provider can be compelled, but can only hand over ciphertext

That last row matters as much as the jurisdiction rows: a provider can only disclose what it can access. This is the structural argument for end-to-end encrypted European services such as Proton Mail, Tuta, Tresorit, and CryptPad, where the provider does not hold usable keys to customer content.

The scale of the question is visible in our own data: a meaningful share of software marketed as "European" has a US parent company, which is exactly the CLOUD Act scenario. EuropeanStack tags these products with a "US-owned" ownership badge — the breakdown is on the stats page, and our methodology explains how we verify ultimate ownership, not just brand headquarters.

How Does the CLOUD Act Conflict With the GDPR?

The conflict is direct: GDPR Article 48 says a third-country court order or administrative decision requiring a transfer of personal data is only enforceable in the EU if it is based on an international agreement such as a mutual legal assistance treaty — and a CLOUD Act demand served directly on a provider is precisely not that. The European Data Protection Board and the European Data Protection Supervisor said as much in a 2019 joint assessment: absent an international agreement, a company complying with a CLOUD Act order would generally lack a lawful basis for the transfer under the GDPR.

The result is a genuine legal bind for US-controlled providers holding EU personal data: comply with the US order and risk GDPR infringement (fines up to €20 million or 4% of global turnover), or refuse and face contempt in the United States. The law anticipated part of this with a "comity" mechanism letting providers challenge orders that conflict with foreign law — but the statutory challenge is narrow, and it fully applies only where the target is not a US person and the foreign country has an executive agreement with the US.

Those executive agreements are the CLOUD Act's second half: the law authorises bilateral deals letting each side's authorities demand data directly from the other side's providers. The US–UK agreement has been in force since October 2022 and an agreement with Australia followed; the EU and US have discussed an e-evidence agreement for years without concluding one. As of mid-2026, no CLOUD Act executive agreement exists between the US and the EU, which means the Article 48 conflict remains unresolved.

Is This the Same Issue as Schrems II and the Privacy Shield?

No — Schrems II was about US intelligence surveillance law, while the CLOUD Act is about law-enforcement access; they are separate regimes that get conflated because both undermine the idea that EU data is beyond US reach. The 2020 Schrems II judgment struck down the Privacy Shield transfer framework over FISA Section 702 and related surveillance programmes. Its successor, the EU–US Data Privacy Framework, received an adequacy decision in July 2023 and survived its first direct court challenge in September 2025 — but the DPF governs transfers of data to the US; it does not switch off the CLOUD Act, which applies even when the data never leaves Europe.

A moment that made the stakes concrete: in June 2025, a Microsoft France executive told a French Senate committee that the company could not guarantee that French customer data would never be transmitted to US authorities without France's agreement. That is not a scandal so much as an honest statement of what US jurisdiction means — no US-controlled provider can credibly promise otherwise.

What Can EU Companies Actually Do?

There are four realistic strategies, and they differ in cost and in how much they actually change:

  1. Use European-owned providers for sensitive workloads. A provider with no US corporate presence is outside direct CLOUD Act reach; US authorities must route requests through European legal process instead. This is the strongest structural fix, and it is what this directory exists for — from European cloud hosting like Hetzner, OVHcloud, and Scaleway to encrypted email and file storage. Check ultimate ownership, not the brand: our reviews flag US-owned "European" products explicitly.
  2. Use end-to-end encryption where you must keep a US provider. If the provider holds no keys, a compelled disclosure yields ciphertext. This works for storage and communication tools; it does not work for services that must process your data in cleartext (most SaaS applications, analytics, AI services).
  3. Treat US vendors' "sovereign cloud" offerings as risk reduction, not immunity. EU data boundaries, EU-only support staff, and local trustee arrangements narrow day-to-day access, but as long as the operator is ultimately US-controlled, the underlying jurisdictional question stands. Evaluate them honestly — see our guide to what EU data residency actually means.
  4. Do the contractual and organisational basics regardless. Classify which data is genuinely sensitive, read subprocessor lists, require disclosure-notification clauses where the vendor's transparency reports show it will use them, and document the reasoning in your transfer impact assessments. This does not defeat the CLOUD Act, but regulators treat documented, risk-based decisions very differently from unexamined defaults.

If you are prioritising: move the data that would hurt most first — email archives, customer databases, HR and health data, legal documents. A pragmatic path many companies follow is European providers for communication and storage, encryption for what must stay, and acceptance (documented) for low-sensitivity workloads. Our guide to migrating off Google Workspace covers the highest-impact move step by step.

Frequently Asked Questions

No. The GDPR permits using US providers, and the EU-US Data Privacy Framework currently provides a lawful transfer basis for certified companies. The CLOUD Act issue is a risk question, not a legality question: you are accepting that a foreign government can, through legal process invisible to you, compel your provider to disclose your data.
No. The CLOUD Act explicitly applies to data in a provider's possession, custody, or control regardless of storage location. An EU region changes latency, residency commitments, and which day-to-day staff touch the data — it does not change the provider's legal obligations to US authorities.
End-to-end encryption where the customer holds the keys does, practically: the provider can only disclose ciphertext it cannot read. Provider-managed encryption at rest does not — the provider holds the keys and can be compelled to use them. The dividing line is who can decrypt, not whether something is encrypted.
No. The CLOUD Act governs targeted law-enforcement demands with court oversight, typically in criminal investigations. FISA Section 702 governs foreign-intelligence surveillance and was the core of the Schrems II judgment. They are separate laws with separate procedures — but both contribute to the same conclusion: US-controlled infrastructure is subject to US legal process wherever it runs.
It can try, via the Act's comity mechanism or by arguing GDPR Article 48, and some providers commit contractually to challenging orders. But the statutory challenge is narrow, no US-EU executive agreement exists to anchor it, and the corporate parent remains under US jurisdiction. Refusal is a litigation position, not a guarantee — which is why structural answers (European ownership or customer-held keys) are stronger than contractual ones.

Related Reading