In December 2023, the US Congress renewed FISA Section 702 — the law that authorizes US intelligence agencies to collect communications of non-US persons from US cloud providers (Axios, 2023). In April 2024 it was reauthorized with expanded powers that European data protection experts flagged immediately (CDT, 2024). Neither move was an outlier. Neither was a hack. Both are entirely legal under US law.
In parallel, the CLOUD Act lets US law enforcement compel data production from US-headquartered companies — worldwide. Two laws, different agencies, same outcome for anyone whose data sits with a US cloud provider: the data is reachable.
For organizations storing customer, employee, or business data with US providers, this isn’t abstract. It’s the status quo.
What the US CLOUD Act actually does
The Clarifying Lawful Overseas Use of Data Act, signed in 2018, gives US law enforcement the right to compel US companies to hand over data — regardless of where that data is physically stored.
Your contracts in a Frankfurt data center, your emails in EU-hosted Workspace, your backups in Oregon or Dublin — all potentially reachable. Server location is irrelevant. What matters is whether the provider is a US company.
In scope (selection): Microsoft (Azure, M365, Teams, SharePoint), Google (Workspace, Cloud), Amazon (AWS), Apple (iCloud), Meta, Oracle, Salesforce, Slack, Zoom, Dropbox, ServiceNow, Atlassian.
Why the EU-US Data Privacy Framework doesn’t solve it
The EU-US Data Privacy Framework, adopted by the European Commission in 2023, is supposed to make US transfers safe. The history is short and lopsided:
| Agreement | Adopted | Invalidated by CJEU | Reason |
|---|---|---|---|
| Safe Harbor | 2000 | 2015 (Schrems I) | US mass surveillance |
| Privacy Shield | 2016 | 2020 (Schrems II) | Insufficient protection from US intelligence |
| Data Privacy Framework | 2023 | Challenge filed | noyb / Max Schrems litigating at the CJEU |
Two predecessors. Two struck down. In September 2025 the DPF survived its first judicial challenge (the Latombe case at the EU General Court), but a broader noyb challenge is in flight at the CJEU — focused on the expanded FISA 702 powers and the use of executive orders as a legal foundation.
Translation: Anyone planning around DPF survival is planning on sand. If the CJEU strikes the DPF down, every transfer that relied on it becomes unlawful overnight — the way Schrems I and Schrems II played out before.
Concrete risks
1. Access to trade secrets
US authorities can reach contracts, strategy documents, M&A files, patent drafts, trade secrets. Whether they exercise this in any specific case is unknowable — the risk is structural, not anecdotal, and you can’t audit it from outside.
2. Economic intelligence
US intelligence agencies have an explicit economic intelligence mandate. Former senior officials have said in public that capabilities are used to advance US economic interests. Strategic industries — energy, defense, automotive, pharma — sit closer to that line than average.
3. The compliance dilemma you can’t fix
GDPR Art. 48 forbids handing personal data to third-country authorities without a mutual legal assistance treaty. The CLOUD Act says the opposite. If a US provider complies with a US court order and produces EU data, it violates GDPR. If it resists, it faces US penalties. The dilemma sits with the provider. The consequence sits with you.
4. The contract can’t override the statute
US providers contractually promise GDPR compliance. A contract can’t override a statute. When a US court orders production, the provider produces — regardless of what the DPA says.
What organizations can actually do
Option 1: Non-US providers for non-critical workloads
EU-headquartered providers — telco-affiliated clouds, mid-market EU hosters — aren’t subject to the CLOUD Act. For AI workloads, consider vendors headquartered outside US jurisdiction.
Option 2: Sovereign cloud — with caveats
Sovereign-cloud initiatives (various joint ventures) promise that EU data is managed only by EU staff. Whether that genuinely defeats the CLOUD Act is legally contested — the parent is still a US entity in many of these setups. Get this reviewed by counsel before relying on it.
Option 3: On-premise
The only option that gives you complete data sovereignty: your own infrastructure. No US provider, no CLOUD Act, no FISA 702. For AI workloads, turnkey platforms now go live in six weeks.
Option 4: Hybrid
The pragmatic mix: non-critical workloads in the cloud (email, calendar, general collaboration); sensitive workloads on-premise (contracts, HR, IP, AI processing of enterprise knowledge). Risk goes down. Cloud doesn’t disappear.
Your data under your control — not under the CLOUD Act
contboxx Vault is on-premise AI: every byte stays on your network. No US provider, no third-country transfer, no CLOUD Act exposure.
FAQ
Does the CLOUD Act apply to European subsidiaries of US companies?
Yes. The CLOUD Act applies to US companies and their subsidiaries worldwide. If a European subsidiary of a US group processes your data, that data is in scope — regardless of where the subsidiary is registered. The corporate structure doesn’t break the reach.
Can encryption protect against the CLOUD Act?
Only if you hold the key yourself (Bring Your Own Key) and the cloud provider has no access to it. Most cloud services manage the keys on your behalf — and on a CLOUD Act request, those keys are produced along with the data. Server-side encryption is not the answer here.
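The distinction the answer above draws, customer-held key versus provider-managed key, is easy to see in code. The following Go program is an added illustration, not code from the original article or from any provider's SDK: it models an object store with two encryption modes, then asks what the provider could produce from its own holdings alone. Names such as `StoredObject`, `StoreWithCustomerKey`, `StoreWithProviderKey` and `ProviderDisclose` are hypothetical; the document text is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the provider holds for one object (hypothetical
// model). In the customer-held-key mode ProviderKey stays nil: the provider
// has nonce and ciphertext only, and a production order yields exactly that.
type StoredObject struct {
	Nonce       []byte
	Ciphertext  []byte
	ProviderKey []byte // populated only when the provider manages the key
}

// ErrNoKey is returned when the provider is asked to decrypt an object for
// which it never held a key.
var ErrNoKey = errors.New("provider holds no key for this object")

// NewKey returns a fresh 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealGCM encrypts plaintext under key with AES-256-GCM and a random nonce.
func sealGCM(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// openGCM decrypts and authenticates; a wrong key or tampered blob fails.
func openGCM(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// StoreWithCustomerKey encrypts on the customer's side before upload. The key
// is not part of what is uploaded, so the stored object carries no key.
func StoreWithCustomerKey(customerKey, plaintext []byte) (StoredObject, error) {
	nonce, ct, err := sealGCM(customerKey, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: ct}, nil
}

// StoreWithProviderKey models default server-side encryption: the provider
// generates the key and keeps it next to the data so it can serve reads.
func StoreWithProviderKey(plaintext []byte) (StoredObject, error) {
	key, err := NewKey()
	if err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := sealGCM(key, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: ct, ProviderKey: key}, nil
}

// ProviderDisclose is what a compelled provider can produce from its own
// holdings: plaintext if it holds the key, otherwise ErrNoKey.
func ProviderDisclose(obj StoredObject) ([]byte, error) {
	if obj.ProviderKey == nil {
		return nil, ErrNoKey
	}
	return openGCM(obj.ProviderKey, obj.Nonce, obj.Ciphertext)
}

// CustomerRead decrypts with the key that stayed under the customer's control.
func CustomerRead(customerKey []byte, obj StoredObject) ([]byte, error) {
	return openGCM(customerKey, obj.Nonce, obj.Ciphertext)
}

func main() {
	doc := []byte("constructed sample: draft term sheet") // constructed input
	key, _ := NewKey()
	byok, _ := StoreWithCustomerKey(key, doc)
	_, err := ProviderDisclose(byok)
	fmt.Println("customer-held key, provider can disclose:", err == nil)
	managed, _ := StoreWithProviderKey(doc)
	pt, _ := ProviderDisclose(managed)
	fmt.Println("provider-held key, provider can disclose:", bytes.Equal(pt, doc))
}
```

The point the two modes make is the one the FAQ states: a production order reaches whatever the provider holds, so the question is only whether the key is among it. Note that client-side encryption still leaves object names, sizes and access timing with the provider, and that a key the customer keeps in the same provider's key-management service is, for this purpose, a provider-held key.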
Are companies notified when their data is disclosed?
Not necessarily. US courts can issue gag orders that prevent the provider from telling the customer. You may never learn that US authorities accessed your data. That’s an enforcement design choice, not an oversight.
Bottom line
The US CLOUD Act isn’t a theoretical risk. It’s standing law. Every organization that uses US cloud services implicitly accepts that US authorities can reach their data. The EU-US Data Privacy Framework doesn’t change that — two predecessors were struck down for the same underlying reasons.
The right response isn’t panic. It’s category-by-category: sensitive workloads off US clouds. Everything else: a real risk assessment, not dogma.