Compliance

The CLOUD Act vs GDPR: Why Your US Cloud Provider Is a Compliance Risk

The US CLOUD Act lets authorities access your data on US cloud providers, even in the EU. Understand the cloud act risk to data sovereignty and find European alternatives.

Tom Isgren

If your company uses AWS, Google Cloud, Microsoft Azure, or any SaaS product built by a US company, there is a law that most European businesses have never heard of that gives US authorities the legal right to access your data. It does not matter that your servers are in Frankfurt. It does not matter that you signed a Data Processing Agreement. The US government can demand your data, and your provider is legally required to comply.

That law is the Clarifying Lawful Overseas Use of Data Act, better known as the CLOUD Act. And it is fundamentally incompatible with GDPR. The US CLOUD Act affects businesses across Europe, regardless of where their servers are physically located.

What the CLOUD Act Actually Says

Signed into US law in March 2018, the CLOUD Act grants US law enforcement the authority to compel US-based technology companies to provide data stored on their servers, regardless of where in the world that data is physically located.

Before 2018, this was legally murky. Microsoft famously fought a court battle (United States v. Microsoft Corp.) over whether the US government could force them to hand over emails stored in their Dublin, Ireland data center. The case went all the way to the Supreme Court. Before a ruling was issued, Congress passed the CLOUD Act, making the answer unambiguous: yes, the US government can compel access to data held by US companies anywhere in the world.

Key provisions of the CLOUD Act:

  • 1. US providers must comply with warrants for data in their possession, custody, or control, regardless of where it is stored
  • 2. Providers can move to quash a warrant that conflicts with foreign law, but the statutory procedure only applies when the foreign country is a "qualifying foreign government" that has signed an executive agreement with the US (no EU member state has), and the provider bears the burden of showing the conflict
  • 3. The customer whose data is requested may never be informed: US courts can order the provider not to notify anyone about the request
  • 4. Executive agreements between the US and other countries can streamline cross-border data requests (the US-UK agreement is in force; there is no EU-US agreement)

That third point is critical. The CLOUD Act is a law enforcement instrument, so the request comes from a US agency acting under a warrant, and you, as the controller, would have no way of knowing it happened. Access by US intelligence agencies under FISA Section 702 is a separate regime; it is what the Schrems II judgment, discussed below, turned on.

Why GDPR and the CLOUD Act Cannot Coexist

GDPR Article 48 is explicit: a judgment or administrative decision from a third country (any non-EU country) that requires a controller or processor to transfer or disclose personal data is only recognisable or enforceable if it is based on an international agreement, such as a mutual legal assistance treaty (MLAT). An EU-US MLAT does exist, but it routes requests through EU judicial authorities. A CLOUD Act warrant is served directly on the provider and bypasses that route, which is exactly what Article 48 refuses to recognise.

This creates a direct legal conflict. If a US warrant arrives under the CLOUD Act, a provider like Microsoft or Google faces two options:

Option A: Comply with the US warrant

Hand over the data. Under EU law this is a transfer without a recognised legal basis, violating Article 48 and the Chapter V transfer rules, and potentially Article 6 (lawfulness of processing). Transfer violations sit in the top tier of GDPR fines, up to 4% of global annual turnover, and the exposure falls on the provider as processor and potentially on you as controller.

Option B: Refuse the US warrant

Challenge the warrant in US court, and if that fails, defy it and face contempt sanctions. Providers have litigated these warrants before (Microsoft took the Ireland warrant all the way to the Supreme Court), but no major US provider has defied a final court order to produce data.

In practice, once US remedies are exhausted, a US company will choose US law over EU regulation. It is incorporated in the US, its executives live there, and a US court can hold it in contempt. A GDPR fine is a business cost. Contempt of court is personal.

The Schrems Saga: Three Frameworks, Three Failures

The conflict between US surveillance law and EU privacy rights has been litigated for over a decade by Austrian privacy activist Max Schrems. The pattern keeps repeating.

2015: Safe Harbor invalidated (Schrems I)

In October 2015 the EU Court of Justice struck down the Safe Harbor framework, following the Snowden revelations about US mass surveillance programs that drew on data held by US companies. The court found that Safe Harbor did not adequately protect EU citizens' data from US government access.

2020: Privacy Shield invalidated (Schrems II)

The replacement framework lasted four years. The EU Court of Justice ruled that US surveillance laws (particularly Section 702 of FISA and Executive Order 12333) were incompatible with EU fundamental rights. The court found that US law did not provide EU citizens with adequate legal remedies against surveillance.

2023: EU-US Data Privacy Framework adopted

The current framework, adopted by the European Commission in July 2023, relies on Executive Order 14086 (signed by President Biden in October 2022), which introduced necessity and proportionality requirements for US signals intelligence and created a Data Protection Review Court. A challenge to the adequacy decision was filed before the EU General Court in September 2023, and NOYB (Schrems' organisation) has said it will challenge the framework as well. Many legal commentators expect it to meet the same fate as its predecessors, because the underlying US surveillance statutes have not changed.

The pattern is clear

Both previous frameworks were struck down because the fundamental problem remains unsolved: US law requires access to data that EU law says must be protected. No political agreement can resolve a structural legal conflict. Building your infrastructure on the assumption that the current framework will survive is a gamble with your customers' data.

This Is Not Theoretical: Real Enforcement Actions

European data protection authorities have been actively enforcing against US data transfers. These are not edge cases or academic concerns. They are regulatory actions against household names.

  • Austria (December 2021): The Austrian DPA (DSB) ruled that a website's use of Google Analytics violated GDPR because data was transferred to the US without adequate protections post-Schrems II.
  • France (February 2022): The French DPA (CNIL) reached the same conclusion, ordering a website to stop using Google Analytics. The CNIL explicitly stated that Google's additional safeguards were insufficient.
  • Italy (June 2022): The Italian DPA (Garante) gave website operators 90 days to stop using Google Analytics or face suspension of data flows.
  • Denmark (July 2022): The Danish DPA (Datatilsynet) ordered Helsingør municipality to stop using Google Workspace and Chromebooks in its schools, finding that the resulting transfers to the US could not be adequately protected.
  • Sweden (June 2023): IMY (the Swedish DPA) audited four companies for their use of Google Analytics, ordered all four to stop, and fined two of them: Tele2 (12 million SEK) and CDON (300,000 SEK).
  • Meta (May 2023): The Irish DPC fined Meta 1.2 billion EUR for continuing to transfer EU Facebook user data to the US under Standard Contractual Clauses after Schrems II. It remains the largest GDPR fine ever issued.

These rulings target the use of US services as such, not misconfigurations or careless handling. The core finding across all of them is the same: US law gives US authorities access to data held by US companies, and the contractual and technical measures the providers offered (Standard Contractual Clauses plus IP truncation or provider-held encryption) did not prevent that access.

The Scope of Exposure: It Goes Beyond Cloud Hosting

Most businesses think of this as a "cloud hosting" problem. Use an EU region on AWS and you are covered, right? Wrong. The CLOUD Act applies to the company, not the server location. But the problem extends far beyond infrastructure.

Every US-headquartered SaaS tool your company uses is subject to the CLOUD Act:

Category             | US-owned services                 | EU-sovereign alternatives
Cloud infrastructure | AWS, Google Cloud, Azure          | Hetzner, OVHcloud, Scaleway
Email                | Google Workspace, Microsoft 365   | Proton Mail (Swiss), Mailcow (self-hosted)
File storage         | Google Drive, Dropbox, OneDrive   | Nextcloud, Proton Drive (Swiss)
CRM                  | Salesforce, HubSpot               | Self-hosted solutions, EU SaaS
Communication        | Slack, Microsoft Teams, Zoom      | Element (Matrix), Rocket.Chat
Analytics            | Google Analytics                  | Umami, Matomo, Plausible (EU-hosted)
CDN/DNS              | Cloudflare, AWS CloudFront        | Bunny.net (Slovenia), KeyCDN (Switzerland)

Note that Proton and KeyCDN are Swiss, not EU: Switzerland has an EU adequacy decision and no CLOUD Act equivalent, but it is a separate jurisdiction and should be assessed as such.

A typical European company might use 10 to 20 US SaaS tools. Each one is a potential vector for US government data access. Customer emails in Google Workspace, contracts in Dropbox, sales pipelines in HubSpot, internal conversations in Slack. All of it is accessible under the CLOUD Act.

The "EU Region" Argument Does Not Hold Up

Cloud providers market EU data residency as a compliance solution. AWS has regions in Frankfurt, Stockholm, and Dublin. Google Cloud offers a "data residency" option. Microsoft lets you choose European data centers.

This does not solve the legal problem. The CLOUD Act applies to the company, not the data center. Amazon is a US company. A warrant served on Amazon in Seattle compels them to produce data stored on their Frankfurt servers. The European Data Protection Board (EDPB) confirmed this interpretation in their recommendations on supplementary transfer measures.

What about encryption?

Encryption helps, but only if you control the keys. Cloud providers encrypt data at rest and in transit by default, and most let you "manage" your own keys, but if those keys live in the provider's own key management service, the provider can still use them to decrypt when compelled. Only keys held outside the provider, in your own HSM or key manager or in the client application, take the plaintext out of the provider's reach. That kind of client-side encryption breaks most server-side cloud functionality: search, indexing, previews, and anything else that needs the provider to read the content.

If your cloud provider can read your data (to index it, process it, or serve it to you), they can be compelled to hand it over in readable form.
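The difference between provider-held and client-held keys, as an added example that is not from the original article: two in-memory stand-ins for a cloud object store, one where the provider generated and keeps the AES-256-GCM key (what "encryption at rest" means by default) and one where the client seals each object before upload and never uploads the key. A simulated compelled disclosure yields plaintext from the first and only ciphertext from the second; server-side keyword search, which needs plaintext, works on the first and fails on the second, which is the functionality cost described above. The example uses the `cryptography` package; the record, object name and store classes are constructed for the demonstration.

```python
"""Provider-held keys vs client-held keys under compelled disclosure (added example)."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, fresh random value per object


def new_key():
    return AESGCM.generate_key(bit_length=256)


def seal(key, object_name, plaintext):
    """Encrypt one object. The object name is authenticated as associated data,
    so a blob cannot be served back under a different name without detection."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, object_name.encode())


def unseal(key, object_name, blob):
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, object_name.encode())


def opens_with(key, object_name, blob):
    """True if the blob decrypts under this key and name, False on a tag failure."""
    try:
        unseal(key, object_name, blob)
        return True
    except InvalidTag:
        return False


class ProviderManagedStore:
    """Default 'encryption at rest': the provider generates and holds the key.
    The service still sees plaintext, and so does a warrant served on it."""

    def __init__(self):
        self._key = new_key()
        self._objects = {}

    def put(self, name, plaintext):
        self._objects[name] = seal(self._key, name, plaintext)

    def get(self, name):
        return unseal(self._key, name, self._objects[name])

    def search(self, keyword):
        return [n for n in self._objects if keyword in self.get(n)]

    def compelled_disclosure(self, name):
        # The provider holds the key, so it can (and must) produce readable data.
        return self.get(name)


class ClientEncryptedStore:
    """The provider stores whatever bytes the client uploads; the key stays on
    the client. Server-side features that need plaintext stop working."""

    def __init__(self):
        self._objects = {}

    def put(self, name, blob):
        self._objects[name] = blob

    def get(self, name):
        return self._objects[name]

    def search(self, keyword):
        # Matching bytes inside ciphertext only happens by chance.
        return [n for n in self._objects if keyword in self._objects[n]]

    def compelled_disclosure(self, name):
        # The most the provider can hand over is ciphertext it cannot read.
        return self._objects[name]


def run_scenario():
    """Store one constructed privileged record both ways and compare what a warrant yields."""
    name = "matters/0001/engagement-letter.txt"
    record = b"Client: Example AB. Matter: merger review. Privileged and confidential."

    provider = ProviderManagedStore()
    provider.put(name, record)

    client_key = new_key()  # generated and kept on the client, never uploaded
    sovereign = ClientEncryptedStore()
    sovereign.put(name, seal(client_key, name, record))

    return {
        "provider_managed_disclosure_is_plaintext": provider.compelled_disclosure(name) == record,
        "provider_managed_search_works": provider.search(b"merger") == [name],
        "client_encrypted_disclosure_is_plaintext": sovereign.compelled_disclosure(name) == record,
        "client_encrypted_search_works": sovereign.search(b"merger") == [name],
        "client_can_still_read": unseal(client_key, name, sovereign.get(name)) == record,
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

Binding the object name as associated data means a blob the provider holds under one name cannot be quietly returned under another. A real deployment would wrap a per-object data key under a client master key (envelope encryption) rather than reusing one key for everything, and would still have to account for metadata such as object names, sizes and access times, which the provider can always see.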

What European Businesses Should Do About Cloud Act Risk

The goal is not to eliminate every US service overnight. It is to understand the risk, reduce exposure where it matters most, and build a path toward sovereignty for sensitive data.

1. Map your data flows

Before you can fix anything, you need to know where your data goes. Every SaaS tool, every API integration, every CDN request. You may discover third-party dependencies you did not know existed. A single Google Fonts request, for example, sends the visitor's IP address and browser details to Google, a US company, on every page load.

2. Classify data by sensitivity and regulatory impact

Client data, financial records, and health information need the strongest protections. Marketing content and public information are lower risk. Prioritize migrating the most sensitive data to EU-sovereign infrastructure first.

3. Move infrastructure to EU-sovereign providers

For hosting, Hetzner (Germany) and OVHcloud (France) offer competitive pricing with full EU sovereignty. For email, Proton Mail Business provides end-to-end encryption under Swiss law (Switzerland is outside the EU but holds an EU adequacy decision). For file storage, Nextcloud can be self-hosted on your own EU servers.

4. Self-host where practical

Self-hosting removes the US provider from the picture: there is no US company left to serve a warrant on. Your EU hosting provider still has physical access to the server, so encrypt disks and backups and restrict who can reach the host. Tools like Nextcloud (file sharing), Gitea (code hosting), Zitadel (SSO), and n8n (workflow automation) can replace US SaaS products and run on a single EU server. The operational overhead is real but manageable, especially for sensitive workloads.

5. Document your transfer impact assessments

For any US service you continue to use under Standard Contractual Clauses, the Schrems II judgment, EDPB Recommendations 01/2020 and Clause 14 of the 2021 SCCs require you to assess and document whether the destination country's law undermines the clauses: a Transfer Impact Assessment (TIA). It must evaluate the specific risk of US government access to the data in question, the supplementary measures in place, and whether those measures are actually effective. "We use Standard Contractual Clauses" is not sufficient on its own.

The Hidden Data Flows You Are Missing

Most companies focus on their primary cloud services when assessing CLOUD Act risk. But data leaks to US providers in ways that are easy to overlook:

  • Google Fonts: Loading fonts from fonts.googleapis.com sends visitor IP addresses to Google on every page load. The Regional Court of Munich I (LG München I, Case No. 3 O 17493/20, judgment of 20 January 2022) ruled this violates GDPR and awarded the claimant 100 EUR in damages.
  • CDN services: Using Cloudflare means every visitor request passes through US-controlled infrastructure. Even if the nearest edge server is in Europe, the company is American and subject to the CLOUD Act.
  • Embedded content: YouTube videos, Google Maps, reCAPTCHA, and social media widgets all create data transfers to US servers, often before any consent is given.
  • Third-party scripts: Marketing tools, A/B testing platforms, and customer support widgets frequently load JavaScript from US servers, transmitting visitor data with each request.

These hidden data flows are why a surface-level audit is not enough. You need to analyze every network request your website and applications make to identify all US data transfers.
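A static scan of a page's HTML that lists every third-party host the browser would contact and groups them by the operator's headquarters jurisdiction, as an added example: it is not from the original article and is not the Border Tracer tool mentioned at the end. The vendor-to-jurisdiction table, the sample page and the two-label registrable-domain shortcut are constructed assumptions for the demonstration. A real audit needs a maintained vendor database, a public-suffix list, and a capture of the live requests, because static HTML misses what JavaScript fetches at runtime and cannot tell whether a request fires before consent.

```python
"""Static scan of page HTML for third-party resource loads (added example)."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser send a request, per element.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),       # stylesheet, preconnect, preload, icon, ...
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),     # submits visitor-entered data
}

# Constructed, illustrative table: registrable domain -> (operator, HQ country).
# Not an authoritative database; a real audit needs a maintained one.
KNOWN_OPERATORS = {
    "googleapis.com": ("Google", "US"),
    "gstatic.com": ("Google", "US"),
    "google.com": ("Google", "US"),
    "google-analytics.com": ("Google", "US"),
    "googletagmanager.com": ("Google", "US"),
    "youtube.com": ("Google", "US"),
    "cloudflare.com": ("Cloudflare", "US"),
    "hubspot.com": ("HubSpot", "US"),
    "hsforms.com": ("HubSpot", "US"),
    "plausible.io": ("Plausible", "EE"),
    "bunny.net": ("Bunny.net", "SI"),
}


@dataclass
class Finding:
    tag: str
    attr: str
    url: str
    host: str
    operator: str
    jurisdiction: str


def lookup_operator(host):
    """Match the host against the table, longest suffix first ('fonts.googleapis.com',
    then 'googleapis.com'; the bare TLD is never tried). Unknown hosts are reported
    as unknown so they get reviewed instead of silently passing."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        hit = KNOWN_OPERATORS.get(".".join(labels[i:]))
        if hit:
            return hit
    return ("unknown", "unknown")


def _urls_in(attr, value):
    # srcset holds "url descriptor, url descriptor, ..."; other attributes hold one URL.
    if attr == "srcset":
        return [part.split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]


class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attr, raw_url)

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                for raw in _urls_in(name, value):
                    self.refs.append((tag, name, raw))


def scan_html(html, page_url):
    """Return one Finding per third-party network URL the page references."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    # Assumption for the demo: the site's registrable domain is its last two labels.
    site = ".".join(page_host.split(".")[-2:])
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.refs:
        absolute = urljoin(page_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:, javascript:, mailto: never leave the browser
        host = parts.hostname.lower()
        if host == site or host.endswith("." + site):
            continue  # first-party
        operator, jurisdiction = lookup_operator(host)
        findings.append(Finding(tag, attr, absolute, host, operator, jurisdiction))
    return findings


def exposure_report(findings):
    """Group third-party hosts by operator jurisdiction, e.g. {'US': [...], 'unknown': [...]}."""
    report = {}
    for f in findings:
        report.setdefault(f.jurisdiction, set()).add(f.host)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample page for a fictional Swedish site; not a real page.
PAGE_URL = "https://www.example.se/kontakt"
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/static/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script defer data-domain="example.se" src="https://plausible.io/js/script.js"></script>
<script src="https://cdn.unknown-vendor.example/widget.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<img src="/images/hero.jpg" srcset="https://cdn.example.se/hero-2x.jpg 2x, https://cdnjs.cloudflare.com/x.jpg 3x">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<form action="https://forms.hsforms.com/submit/example" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for jurisdiction, hosts in sorted(exposure_report(scan_html(SAMPLE_HTML, PAGE_URL)).items()):
        print(jurisdiction, ", ".join(hosts))
```

On the sample page the scan separates the first-party CDN (cdn.example.se) and the inline data: image from the six hosts operated by US companies, the one EU analytics host, and one host it cannot classify. The preconnect to fonts.gstatic.com is listed deliberately: a DNS lookup and TCP connection from the visitor's IP is a transfer even if no font is ever downloaded.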

What This Means for Specific Industries

The risk is not equal across all businesses. Some industries face significantly higher exposure.

Law Firms

Attorney-client privilege does not protect against CLOUD Act warrants served on US providers. Client communications in Google Workspace, case files in Dropbox, and billing data in US SaaS tools are all potentially accessible. Swedish law firms handling sensitive corporate or criminal matters should treat this as a critical risk.

Healthcare

Patient data is among the most sensitive categories under GDPR. Health records stored in US cloud services could be accessed without the patient's knowledge or consent. EU health data processing regulations add an additional layer of requirements that US providers struggle to meet.

Financial Services

Banks and financial institutions face strict ICT third-party risk and outsourcing requirements under regulations like DORA (Digital Operational Resilience Act), which obliges them to know and contractually control where customer data is processed and stored. Customer financial data on US infrastructure therefore creates both GDPR and sector-specific regulatory exposure.

Government and Public Sector

Public sector data on US cloud infrastructure means a foreign government can potentially access citizen data. Several EU countries have already mandated sovereign cloud solutions for government IT.

Frequently Asked Questions

Does the CLOUD Act apply to data stored in the EU?

Yes. The CLOUD Act applies to any data held by a US-headquartered company or its subsidiaries, regardless of where the data is physically stored. If your cloud provider is American, US authorities can compel them to hand over data stored on EU servers without notifying you or obtaining an EU court order.

Is Google Workspace GDPR compliant for European businesses?

Legally uncertain. Multiple European data protection authorities have ruled against Google services. The Danish DPA banned Google Workspace in schools. The Austrian and French DPAs found Google Analytics transfers unlawful. While the EU-US Data Privacy Framework provides a current legal basis, it faces legal challenges and could be invalidated like its predecessors Safe Harbor and Privacy Shield.

What are European alternatives to US cloud providers?

For infrastructure: Hetzner (Germany), OVHcloud (France), and Scaleway (France). For productivity: Nextcloud (file sharing), Proton Mail (email), CryptPad (documents), and Element (messaging). For analytics: Umami, Matomo, or Plausible hosted on EU servers. Self-hosting on EU servers gives the strongest sovereignty guarantees.

Can I still use AWS if I need GDPR compliance?

Technically yes, with significant caveats. You need a Data Processing Agreement, should use EU regions only, implement client-side encryption where possible, and accept residual legal risk. AWS is a US company subject to the CLOUD Act regardless of which region stores your data. The EU-US Data Privacy Framework currently provides a legal basis, but this framework could be invalidated by courts, just as Safe Harbor and Privacy Shield were before it.

What is the cloud act risk for European businesses?

The CLOUD Act allows US authorities to compel any US-headquartered cloud provider to hand over data, even if that data is stored on EU servers. For European businesses using Google Cloud, AWS, Azure, or Cloudflare, this creates a direct conflict with GDPR requirements for data sovereignty. The risk is not theoretical: post-Schrems II, EU data protection authorities have issued rulings against US cloud transfers.

Key Takeaways

  • 1. The CLOUD Act and GDPR are structurally incompatible. No political framework has resolved this conflict, and the current EU-US Data Privacy Framework faces the same legal challenges as its predecessors.
  • 2. EU data regions do not protect you. The CLOUD Act applies to the company, not the server location. Data stored in Frankfurt by an American company is still subject to US warrants.
  • 3. Enforcement is real and accelerating. European DPAs are actively fining companies for US data transfers. The 1.2 billion EUR Meta fine shows the scale of penalties.
  • 4. European alternatives exist and are competitive. Hetzner, OVHcloud, Proton, and Nextcloud offer mature, cost-effective replacements for most US cloud services.
  • 5. Start with visibility. You cannot fix what you cannot see. Map every data flow, identify every US dependency, then prioritize migration based on data sensitivity.

Find Out Where Your Data Actually Goes

Most companies are surprised by how many US data transfers their websites and applications make. Our Border Tracer tool maps every external request, identifies the jurisdiction of each endpoint, and flags CLOUD Act exposure you did not know you had.

Try it at brightinteraction.com and see the full picture of where your customer data flows. Then talk to us about a practical plan to reduce your exposure without disrupting your business.
