The US CLOUD Act and What It Means for European Businesses
In March 2018, the United States enacted the Clarifying Lawful Overseas Use of Data Act, better known as the CLOUD Act. It was attached to an omnibus spending bill and passed with little public debate, overshadowed by the Cambridge Analytica story that dominated headlines at the time. For European businesses, though, the CLOUD Act is arguably among the most consequential pieces of US technology legislation of the past decade: it settles, in the government's favour, the question of whether a US provider can be made to hand over data it stores outside the United States, including data belonging to European citizens and organisations.
What the CLOUD Act does
The CLOUD Act amends the Stored Communications Act of 1986 to make explicit what was previously contested (most visibly in the Microsoft Ireland litigation over emails held in a Dublin data centre): a provider of electronic communication or remote computing services that is subject to US jurisdiction must produce data in its "possession, custody, or control" regardless of where that data is physically stored. If such a provider operates a data centre in Frankfurt, Amsterdam, or Paris, the data on those servers can still be reached with a warrant, subpoena, or court order issued under US law.
This is not limited to cases involving US citizens or US-based crimes. The scope is broad. A US prosecutor investigating a matter with no connection to Europe can demand data about European citizens stored on European soil, simply because the company that controls the servers is subject to US jurisdiction. Note that "subject to US jurisdiction" is wider than "incorporated in the United States": a foreign provider with a substantial US presence, such as a US subsidiary or offices, can also be reached.
The law does provide a mechanism for a provider to move to quash an order that conflicts with foreign law, but it is narrower than it first appears. The statutory motion is available only where the customer is not a US person and does not reside in the US, and where disclosure would risk violating the law of a "qualifying foreign government", meaning one that has concluded an executive agreement with the US under the Act. So far only the UK and Australia have such agreements; neither the EU nor any member state does, so for conflicts with GDPR a provider is left with general comity arguments that courts weigh at their discretion. In practice, US providers comply because the penalties for non-compliance (contempt of court and fines) are severe and immediate, while the process for challenging an order is slow and uncertain.
The conflict with GDPR
The conflict between the CLOUD Act and GDPR is structural, not incidental. GDPR Article 48 states that any judgment of a court and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable if based on an international agreement, such as a mutual legal assistance treaty. An EU-US mutual legal assistance agreement does exist, but a CLOUD Act order is served directly on the provider and bypasses that treaty channel entirely; it is not an order "based on" any such agreement.
This means that when a US company complies with a CLOUD Act order by handing over data about EU residents, it has no Article 48 basis for the transfer and, unless another Chapter V ground applies (the EDPB has taken the view that the Article 49 derogations will rarely cover routine law enforcement requests), it is acting in breach of GDPR. The company faces an impossible choice: comply with US law and violate European law, or resist the US order and face American legal consequences. European businesses that use these US services are caught in the crossfire, with their data subject to a legal regime they did not choose and cannot control.
The EU-US Data Privacy Framework, adopted in July 2023 as a successor to the invalidated Privacy Shield, does not resolve this conflict. The framework primarily addresses intelligence surveillance under FISA Section 702 and Executive Order 12333 (through the safeguards and redress mechanism of Executive Order 14086), but it does not limit the scope of the CLOUD Act, which concerns law enforcement access rather than intelligence collection. Legal challenges to the framework are already underway, and some data protection professionals expect it to face the same fate as its predecessors.
Which services are affected
Every US-headquartered technology company that provides communication or cloud services is subject to the CLOUD Act. For European businesses, this affects the most commonly used SaaS products:
- Email: Gmail is operated by Google, a US company. Every email sent through Gmail is potentially accessible under a CLOUD Act order.
- File storage: Google Drive and Dropbox store files on infrastructure controlled by US parent companies, regardless of which data centre region you select.
- Cloud infrastructure: AWS, Microsoft Azure and Google Cloud are the three largest cloud providers globally, and all three are US companies subject to US jurisdiction. Selecting an EU region changes where the data sits, not who controls it. The "sovereign cloud" offerings these providers have announced are run through EU-incorporated subsidiaries; whether that takes the data out of the US parent's "control" under the Act is contested rather than settled, so treat such offerings as reducing exposure, not removing it.
- Email marketing: Mailchimp and SendGrid process subscriber lists and campaign data under US corporate control.
- Analytics: Google Analytics transfers visitor data to Google's infrastructure. In 2022 the Austrian, French and Italian data protection authorities, among others, found that these transfers (in the Universal Analytics version then in use) violated GDPR. Those decisions predate the 2023 Data Privacy Framework and rest on Schrems II transfer grounds rather than the CLOUD Act itself, but the data still ends up under US corporate control.
- Design and databases: Figma and Airtable are further commonly used US tools with the same exposure.
What European businesses should do
The most direct mitigation is to move to service providers that are not subject to US jurisdiction. A SaaS provider incorporated under EU or Swiss law, with no US parent, that runs its data centres in Europe is outside the reach of a CLOUD Act order served on it directly. This is not a workaround or a legal grey area; it is simply choosing providers that operate under a different legal framework. Two conditions matter in practice, though. First, the provider should not have a US subsidiary or affiliate through which a US court could assert jurisdiction over the group. Second, the provider's own subprocessors (hosting, email delivery, support tooling, analytics) must not be US-controlled, otherwise the exposure moves one layer down the supply chain rather than disappearing. Read the subprocessor list before treating a migration as complete.
For email, Proton Mail and Tuta are based in Switzerland and Germany respectively, with end-to-end encryption of mailbox content that adds a technical layer of protection on top of the legal one: a compelled disclosure of encrypted content yields ciphertext the provider cannot open. That layer covers stored message content and mail exchanged between users of the same service; envelope metadata such as sender, recipient and timestamps, and mail exchanged in the clear with outside recipients, are not protected by it. For file storage, Tresorit (Switzerland) offers end-to-end encrypted storage, and Nextcloud is software from a German company that you or a hosting partner run, so its jurisdiction is that of whoever hosts it; choose an EU host to keep documents within European jurisdiction. For cloud infrastructure, Hetzner Cloud (Germany) and Scaleway (France) are EU-owned and operate data centres in Germany and Finland, and in France, the Netherlands and Poland respectively. Hetzner also offers locations in the United States, so select a European location explicitly.
These are not fringe products. They are mature, production-ready platforms used by thousands of European organisations, including government agencies and publicly listed companies.
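To make the "technical layer" concrete, the following Go program is an added illustration written for this page; it is not Proton's, Tuta's or Tresorit's implementation. It models client-side envelope encryption before upload: each object gets a random data key, the data key is wrapped under a master key the customer holds, and only the wrapped key, the ciphertext and some plaintext metadata reach the provider. `StoredObject`, `ProviderDisclose` and the sample document are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is what the hosting provider holds after a client-side
// encrypted upload (layout assumed for this example). Everything in it is
// visible to the provider and therefore to anyone who can compel the
// provider to produce it. Only Name and Size are readable; the content is
// AES-256-GCM ciphertext under a per-object key that is itself wrapped with
// a master key the provider never receives.
type StoredObject struct {
	Name       string // plaintext metadata: still disclosed under an order
	Size       int    // plaintext length; the ciphertext length reveals it anyway
	WrappedKey []byte // per-object data key, sealed under the customer master key
	KeyNonce   []byte
	DataNonce  []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer's side before upload. masterKey is held by
// the customer (hardware token, on-premises KMS, ...), never by the provider.
func Encrypt(masterKey []byte, name string, plaintext []byte) (*StoredObject, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	// The object name is bound as associated data so a ciphertext cannot be
	// silently re-labelled; the name itself is still stored in the clear.
	dataNonce, ct, err := seal(dataKey, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(masterKey, dataKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return &StoredObject{Name: name, Size: len(plaintext), WrappedKey: wrapped,
		KeyNonce: keyNonce, DataNonce: dataNonce, Ciphertext: ct}, nil
}

// Decrypt runs on the customer's side after download. Without masterKey the
// wrapped data key cannot be opened, so the content stays opaque.
func Decrypt(masterKey []byte, obj *StoredObject) ([]byte, error) {
	dataKey, err := open(masterKey, obj.KeyNonce, obj.WrappedKey, []byte(obj.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, obj.DataNonce, obj.Ciphertext, []byte(obj.Name))
}

// Disclosure models what a compelled production from the provider yields:
// the metadata kept in the clear, and whether the content was recoverable
// from the provider's own holdings.
type Disclosure struct {
	Name            string
	Size            int
	ContentReadable bool
}

// ProviderDisclose is what the provider can hand over. It holds no master
// key, so the only thing it can do with the content is fail to decrypt it.
func ProviderDisclose(obj *StoredObject) Disclosure {
	_, err := Decrypt(nil, obj) // the provider has no key material at all
	return Disclosure{Name: obj.Name, Size: obj.Size, ContentReadable: err == nil}
}

func main() {
	master := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	// Constructed sample document, not real data.
	doc := []byte("constructed sample: Q3 board minutes, confidential")
	obj, err := Encrypt(master, "minutes.txt", doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider can produce: %+v\n", ProviderDisclose(obj))
	got, err := Decrypt(master, obj)
	fmt.Println("customer round trip ok:", err == nil && bytes.Equal(got, doc))
}
```

The caveats the example makes visible are the ones that matter when assessing an encrypted service. The protection holds only if the master key never reaches the provider; a provider that escrows keys, or that ships the client code that handles them, can be compelled to use or alter them. Name and Size are produced in the clear, and the ciphertext length reveals the plaintext length even if Size were dropped. Encryption therefore limits what a disclosure yields to content; it does not remove the provider from the jurisdiction in which the order is served.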
Beyond compliance: a strategic decision
Choosing to move away from US-hosted services is often framed as a compliance burden, but it is more accurately understood as a strategic advantage. European businesses that can demonstrate genuine data sovereignty win trust with customers, pass vendor security assessments more easily, and avoid the regulatory uncertainty that shadows every transatlantic data transfer.
The CLOUD Act is not going away. If anything, the trend in US law is toward broader surveillance powers, not narrower ones. European businesses that act now — by migrating to EU-hosted providers and building a GDPR-compliant software stack — will be better positioned than those who wait for the next court ruling or regulatory enforcement action to force their hand.
For a deeper look at what data sovereignty means in practice and how to build a fully European technology stack, read our comprehensive guide to data sovereignty in Europe. You can also browse European alternatives by category or by hosting country to find the right products for your organisation.