Term
Cloud Act
US law from 2018 (Clarifying Lawful Overseas Use of Data Act). US authorities can compel US providers to hand over data even when it is stored outside the US — for example in the EU. It conflicts with the GDPR.
Not legal advice
Cloud Act — explained in detail
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, H.R. 4943) is a US federal law enacted in 2018. It amends the Stored Communications Act and clarifies that US-based providers of electronic communication and cloud services must disclose data when ordered to do so by US authorities (via warrant or subpoena) — regardless of where that data is physically stored. If the server sits in a data center inside the EU, this does not change the disclosure obligation as long as the provider is subject to US jurisdiction.
What matters is control over the data, not the storage location. As a result, the law affects not only US corporations such as Google, Microsoft, or Amazon, but also their subsidiaries, provided the parent company has effective control over the data. The act contains a so-called comity mechanism: providers can challenge an order if it conflicts with the law of another country. The CLOUD Act also creates a framework for government-to-government executive agreements intended to speed up cross-border data requests.
In the conflict with the GDPR, Article 48 GDPR is especially relevant. Under it, providers subject to EU law may transfer personal data to third countries on the basis of a foreign authority’s order only if there is a basis in international law — such as a mutual legal assistance treaty (MLAT). The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have concluded that a CLOUD Act order alone does not replace this basis: providers subject to EU law cannot base disclosure and transfer to the US solely on such orders.
Example / practical relevance
A company uses an LLM service from a US provider and processes personal or confidential data through it. Even if the provider commits to storing all data in an EU data center (data residency), this does not rule out a request under the CLOUD Act, because the provider remains subject to US law. This very tension became visible in 2025, when a major US cloud provider publicly admitted it could not guarantee full data sovereignty for EU customers.
For the use of AI and cloud services this means, in practice: data residency in the EU lowers the risk but does not eliminate it. Those with high confidentiality requirements additionally examine factors such as the provider’s legal jurisdiction, encryption with their own key control, EU-operated sovereignty offerings, or European alternatives.
Distinction from similar terms
Data residency merely describes the geographic storage location of data and is a technical and organizational measure; the CLOUD Act shows that storage location alone does not guarantee sovereignty. The GDPR is European data protection law and, through Article 48, defines the limits within which a data transfer to third countries is permissible. An MLAT (Mutual Legal Assistance Treaty) is the intergovernmental legal-assistance instrument that can form a valid basis for such transfers — in contrast to the unilateral CLOUD Act order.
Entdecke mehr
Headless without an API bill — how do you reach the best AI models for automation in 2026?
Provider comparison mid-2026: who has a headless mode, whose subscription still covers it — and why BYOK is the most stable foundation.
GlossarEU AI Act (KI-Verordnung)
Regulation (EU) 2024/1689 is the EU's first comprehensive law on artificial intelligence. It regulates AI systems by risk in four tiers, from prohibited practices to minimal risk, and sets obligations for providers and deployers.
LexikonFunction Calling / Tool Use
How an LLM uses tools: define a tool as a schema, the model picks the function and arguments, the result returns to the chat — the basis of every agent.