Glossary · US Federal Law

CLOUD Act

Definition

The CLOUD Act is a 2018 US federal law that compels US-based providers to disclose data to US authorities regardless of where the data is physically stored.

01

Background and adoption

The Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, was passed on 23 March 2018 as part of the Consolidated Appropriations Act 2018 and signed into law the same day. It amends the Stored Communications Act and adds Section 2713 to Title 18 of the US Code.

The direct trigger was the Microsoft Corp. v. United States case. In December 2013 the US Department of Justice ordered Microsoft to disclose emails stored in a Dublin data centre. Microsoft refused, citing the territorial limits of US warrants. The CLOUD Act resolved the question legislatively; the Supreme Court declared the case moot on 17 April 2018.

02

Core provisions

The CLOUD Act clarifies that a warrant, subpoena or court order compels a US-based provider to produce user data under its control, regardless of where the data is physically stored. The scope covers both content (emails, files, messages) and metadata. Providers that are headquartered in the United States or have subsidiaries there fall under the act, including Google, Microsoft, Amazon, Apple, Meta and Oracle.

Part II of the act authorises the US executive to enter bilateral executive agreements with foreign governments allowing mutual direct law-enforcement access to data. A first such agreement with the United Kingdom has been in force since October 2022. Negotiations with the European Union have been ongoing since 2019 without conclusion.

03

Conflict with the GDPR

In a joint opinion of 10 July 2019 the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) found that the CLOUD Act conflicts with Article 48 of the GDPR. Article 48 requires that disclosure of personal data to third-country authorities generally rests on an international agreement such as a mutual legal assistance treaty (MLAT). A direct handover to US authorities without such a legal basis is impermissible under EU data protection law.

The result is a conflict of obligations: a US provider with a European subsidiary may simultaneously be required to disclose data under US law and be barred from doing so under EU law. In its Schrems II ruling of 2020 the CJEU named the structural reach of such US surveillance laws as a central reason for invalidating the EU-US Privacy Shield.

04

Practical consequences for EU users

US cloud providers such as Amazon Web Services, Microsoft Azure, Google Cloud and Dropbox are subject to the CLOUD Act even if they operate European subsidiaries or store data in EU data centres. Public agencies, hospitals and companies handling personal data must therefore review whether using these providers is compatible with the GDPR. The Schrems II ruling gave this obligation concrete form through the concept of a Transfer Impact Assessment.

A technical mitigation is zero-knowledge encryption. If the provider itself cannot decrypt the content, US authorities cannot obtain readable data even under a valid order. Swiss providers such as Proton and Tresorit and the Spanish provider Internxt rely on such architectures.

EU-based cloud infrastructure without US ownership, such as Hetzner, OVHcloud, Scaleway or Infomaniak, falls outside the CLOUD Act because the parent companies are subject solely to European jurisdiction. The conflict of obligations with the GDPR therefore does not arise.

05

Current legal and political status

In July 2023 the EU-US Data Privacy Framework entered into force as a successor to the Privacy Shield. It is intended to restore a stable legal basis for EU-US data transfers. Critics, including the original plaintiff Maximilian Schrems, regard the framework as legally vulnerable, and a further CJEU referral is considered likely. The CLOUD Act itself remains unchanged; its reach continues to drive the ongoing data protection debate.
