Back to glossary

Term

Cloud Act

US law from 2018 (Clarifying Lawful Overseas Use of Data Act). US authorities can compel US providers to hand over data even when it is stored outside the US — for example in the EU. It conflicts with the GDPR.

Cloud Act — explained in detail

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, H.R. 4943) is a US federal law enacted in 2018. It amends the Stored Communications Act and clarifies that US-based providers of electronic communication and cloud services must disclose data when ordered to do so by US authorities (via warrant or subpoena) — regardless of where that data is physically stored. If the server sits in a data center inside the EU, this does not change the disclosure obligation as long as the provider is subject to US jurisdiction.

What matters is control over the data, not the storage location. As a result, the law affects not only US corporations such as Google, Microsoft, or Amazon, but also their subsidiaries, provided the parent company has effective control over the data. The act contains a so-called comity mechanism: providers can challenge an order if it conflicts with the law of another country. The CLOUD Act also creates a framework for government-to-government executive agreements intended to speed up cross-border data requests.

In the conflict with the GDPR, Article 48 GDPR is especially relevant. Under it, providers subject to EU law may transfer personal data to third countries on the basis of a foreign authority’s order only if there is a basis in international law — such as a mutual legal assistance treaty (MLAT). The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have concluded that a CLOUD Act order alone does not replace this basis: providers subject to EU law cannot base disclosure and transfer to the US solely on such orders.

Example / practical relevance

A company uses an LLM service from a US provider and processes personal or confidential data through it. Even if the provider commits to storing all data in an EU data center (data residency), this does not rule out a request under the CLOUD Act, because the provider remains subject to US law. This very tension became visible in 2025, when a major US cloud provider publicly admitted it could not guarantee full data sovereignty for EU customers.

For the use of AI and cloud services this means, in practice: data residency in the EU lowers the risk but does not eliminate it. Those with high confidentiality requirements additionally examine factors such as the provider’s legal jurisdiction, encryption with their own key control, EU-operated sovereignty offerings, or European alternatives.

Distinction from similar terms

Data residency merely describes the geographic storage location of data and is a technical and organizational measure; the CLOUD Act shows that storage location alone does not guarantee sovereignty. The GDPR is European data protection law and, through Article 48, defines the limits within which a data transfer to third countries is permissible. An MLAT (Mutual Legal Assistance Treaty) is the intergovernmental legal-assistance instrument that can form a valid basis for such transfers — in contrast to the unilateral CLOUD Act order.

Entdecke mehr

Themenuebersicht