The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), enacted in 2018, grants US law enforcement the power to compel American technology companies to produce data stored anywhere in the world. For European organisations relying on US cloud providers, the Act creates a fundamental tension with GDPR and EU data sovereignty objectives.
The CLOUD Act's origins lie in a landmark law enforcement dispute: United States v. Microsoft Corporation (commonly known as the "Microsoft Ireland case"). In December 2013, US authorities served Microsoft with a warrant under the Stored Communications Act (18 U.S.C. Chapter 121) demanding access to email content stored on servers in Microsoft's Dublin, Ireland data centre. Microsoft challenged the warrant, arguing that the SCA did not authorise extraterritorial data seizure.
The case wound through the courts for years. In July 2016, the Second Circuit Court of Appeals ruled in Microsoft's favour (In re Warrant to Search a Certain E-Mail Account, 829 F.3d 197 (2d Cir. 2016)), holding that the SCA did not apply extraterritorially. The US government appealed to the Supreme Court, which heard oral arguments in February 2018.
Before the Supreme Court could rule, Congress intervened. The Clarifying Lawful Overseas Use of Data Act (H.R. 4943) was introduced in February 2018 and enacted on 23 March 2018 as part of the Consolidated Appropriations Act, 2018. The Act amended the SCA (adding 18 U.S.C. § 2713) to state explicitly that a US provider must comply with legal process requiring disclosure of electronic communications within its "possession, custody, or control", "regardless of whether such communication, record, or other information is located within or outside of the United States." In April 2018 the Supreme Court vacated the Second Circuit's judgment and remanded the Microsoft Ireland case as moot, since the amended statute now reached the Dublin data.
In practical terms, the CLOUD Act means that any provider subject to US personal jurisdiction (a company incorporated in the United States, or one with US operations substantial enough for a US court to assert jurisdiction over it) can be compelled, through ordinary SCA process (a warrant supported by probable cause for stored content, or a subpoena or court order for non-content records), to hand over data to US law enforcement even if that data is stored in an EU data centre. The Act did not create a new investigative power; it settled that the existing one reaches data wherever the provider keeps it, which gives US process a direct extraterritorial reach into European data stores.
The CLOUD Act also created a framework for executive agreements between the United States and qualifying foreign governments. These bilateral agreements allow law enforcement agencies in each country to issue orders directly to providers in the other country, bypassing the traditional Mutual Legal Assistance Treaty (MLAT) process, which is widely regarded as too slow for the pace of digital investigations — MLAT requests often take 10 months or longer to fulfil.
To qualify for an executive agreement, a foreign government must demonstrate respect for the rule of law, non-discrimination, and procedural safeguards including independent judicial review. The US Attorney General and Secretary of State must certify that the partner country meets these standards, and Congress has a 180-day review period.
The first executive agreement was concluded with the United Kingdom. The US-UK Data Access Agreement was signed on 3 October 2019 and entered into force on 3 October 2022. Under this agreement, UK law enforcement can serve orders directly on US-based providers (and vice versa) for data relating to serious crime investigations, subject to independent authorisation requirements. Orders may not intentionally target persons located in the other country, and UK orders may not target US persons; the agreement does not authorise either side to request data about its own citizens through the other's providers as a way around domestic process.
Negotiations for a US-EU executive agreement were launched in September 2019 following a Council of the EU decision authorising the European Commission to open negotiations. However, talks stalled over fundamental structural issues: the EU is not a single sovereign but a union of 27 Member States with different legal traditions, and the CLOUD Act's framework was designed for bilateral state-to-state agreements. The Commission must reconcile the executive agreement framework with GDPR requirements, fundamental rights under the EU Charter, and the CJEU's jurisprudence on mass surveillance. As of early 2025, no US-EU agreement has been concluded.
The CLOUD Act creates a direct legal conflict with the GDPR, specifically Article 48, which states that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data "may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State." The Article adds that this is "without prejudice to other grounds for transfer pursuant to this Chapter", so a provider will typically look to the Chapter V derogations in Article 49; as discussed below, supervisory authorities read those derogations narrowly in this context.
A CLOUD Act order is issued by a US court — a third-country tribunal. In the absence of a US-EU executive agreement or applicable MLAT, a US provider that complies with a CLOUD Act order by producing EU personal data is arguably violating GDPR Article 48 and the Chapter V transfer restrictions. Conversely, refusing to comply with the CLOUD Act order would expose the provider to contempt sanctions under US law.
The CLOUD Act does include a comity provision, codified at 18 U.S.C. § 2703(h)(2) (added by section 103(b) of the Act), which allows a provider to move, within 14 days of service, to quash or modify an order where the subscriber or customer is not a US person and does not reside in the United States and compliance would create a "material risk" of violating the laws of a qualifying foreign government. A court evaluating such a motion must weigh factors including the interests of the United States and of the foreign government, the likelihood and extent of penalties on the provider, the location and nationality of the subscriber, the provider's ties to the United States, the importance of the data to the investigation, and whether the data could be obtained in a timely way by other means. The mechanism is discretionary (the court may, but need not, quash the order) and a "qualifying foreign government" is one with an executive agreement in force, so the statutory comity analysis currently offers no protection for EU data. The Act preserves the pre-existing common-law comity analysis for orders outside § 2703(h)(2), but providers have had limited success with it.
The European Data Protection Board and the European Data Protection Supervisor addressed this conflict in their joint response to the European Parliament's LIBE Committee (July 2019). They concluded that, absent an international agreement within the meaning of Article 48, a CLOUD Act order cannot by itself provide a lawful basis for transferring personal data, and that the Article 49 derogations (legal claims under Article 49(1)(e), vital interests under Article 49(1)(f)) would apply only in narrow, case-by-case circumstances rather than as a general answer to such orders. The response identified a properly negotiated international agreement with strong data-protection safeguards as the appropriate channel. Separately, the EU has adopted its own framework for intra-EU cross-border access to electronic evidence, Regulation (EU) 2023/1543 on European Production Orders and European Preservation Orders; this governs requests between Member States and does not resolve the conflict with US orders.
For European enterprises, public-sector bodies, and regulated entities, the CLOUD Act creates a structural data-sovereignty risk when using US cloud providers, even when data is stored exclusively within EU territory. Because the obligation attaches to the provider (based on US incorporation or sufficient US contacts) and to data within its "possession, custody, or control", not to the physical location of the data, geographic data residency alone does not eliminate the risk of US government access; data held by an EU subsidiary can still be within the US parent's control.
This reality has driven a range of responses in the European market, from procurement rules that favour EU-headquartered providers to the growth of sovereign-cloud offerings.
The CLOUD Act remains one of the most potent catalysts for European digital sovereignty. Until a comprehensive US-EU executive agreement is concluded — one that provides reciprocal safeguards meeting EU fundamental rights standards — the legal conflict will persist, and it will continue to shape infrastructure procurement decisions across the continent.
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), enacted in March 2018, allows US law enforcement to compel American technology companies to produce data stored anywhere in the world, regardless of where the servers are physically located.
Yes. If your data is hosted by a US-headquartered provider (AWS, Microsoft Azure, Google Cloud), US authorities can compel disclosure from the provider under the CLOUD Act even if the data is stored in EU data centres, because the obligation follows the provider's control of the data rather than its location. This creates a direct conflict with GDPR Article 48, which recognises third-country orders only where an international agreement is in force.
The most direct way to reduce CLOUD Act exposure is to use cloud providers that are headquartered and incorporated within the EU and have no US parent company. European providers such as OVHcloud, Hetzner, and Scaleway are generally cited as falling outside US jurisdiction, but jurisdiction turns on the provider's own US contacts, so a provider with a US subsidiary or substantial US operations should be assessed on its own facts rather than on its headquarters alone.