hyggecloud / knowledge / cloud act

The US CLOUD Act, simply explained

There's a sentence we hear in almost every intro call: "But our data is in Frankfurt." This article explains why that sentence is the wrong reassurance — without legalese and without scaremongering. The topic deserves neither.

What the CLOUD Act is — in one paragraph

The Clarifying Lawful Overseas Use of Data Act is a US federal law from 2018. Its core: US authorities can compel American companies to hand over data those companies possess, hold or control — explicitly including data stored outside the USA. The trigger was a legal battle between Microsoft and the US justice system over emails on a server in Ireland; the CLOUD Act ended the debate by writing the reach into law.

What matters isn't where the server stands. What matters is who owns the company that runs it.

That's why an "EU region" at AWS, Azure or Google Cloud changes nothing about the core problem: Amazon, Microsoft and Google are US companies. To the CLOUD Act, Frankfurt, Dublin or Paris are postcodes, not safe havens.

"But that only affects criminals, right?"

  • It's about control, not guilt. For your GDPR assessment, what matters isn't whether access is likely, but whether it's legally possible without European law being able to effectively prevent it. That was precisely the core of the CJEU's Schrems rulings.
  • The rules can change. Sanctions, export controls and political directives hit entirely innocent organisations too — the International Criminal Court case in 2025 showed this drastically: Microsoft blocked the chief prosecutor's email account following US sanctions. No crime, no court order against him — a political decision in Washington sufficed.
  • Your customers don't ask about probabilities. In security questionnaires and processor reviews, the structural answer counts. "US provider, but EU region" is increasingly assessed as what it is: a residual risk you can carry — or not.

Schrems II and the shaky bridge

In 2020, the Court of Justice of the EU invalidated the Privacy Shield agreement (Schrems II): US surveillance law and EU fundamental rights are structurally incompatible. Its successor — the EU-US Data Privacy Framework — has faced constant legal criticism ever since, and another invalidation by the CJEU is a scenario privacy professionals openly reckon with.

Practically, that means: if you build your architecture on this agreement, you build on a politically negotiable bridge. It may hold. It may also collapse with the next ruling — and then the infrastructure question is back on the table, this time under time pressure.

What about the hyperscalers' "sovereign cloud" offerings?

AWS, Microsoft and Google have responded to the European debate: EU data residency, European operating staff, sometimes separate corporate structures. These are real improvements in residency and operational control — but the crux remains: the parent company is and stays a US corporation. Whether each construction effectively excludes CLOUD Act access is disputed and ultimately a bet on future case law. For some risk profiles that's enough. For many who want to switch for sovereignty reasons, it's half the answer at full price.

The realistic options

  • Option 1 — Stay and document: assess the risk, consider extra encryption with your own key custody, keep a clean transfer impact assessment. Legitimate if the effort of moving outweighs the benefit — but it remains risk management, not risk removal.
  • Option 2 — Hybrid: sensitive workloads (customer data, core databases) to an EU provider, uncritical services stay. Often the most pragmatic first step — and a good test of your own migration capability.
  • Option 3 — The consistent move: infrastructure to a provider without a US parent. Takes the structural problem out of the equation entirely — and in most cases cuts costs substantially along the way. Which providers qualify: see our alternatives overview.
Important: This article is a general assessment from an infrastructure perspective, not legal advice. Evaluating your specific case belongs with your DPO or counsel — both of whom we gladly work with closely in projects.
Does the CLOUD Act also apply to European subsidiaries of US corporations?

By prevailing interpretation: yes, as soon as the US parent "controls" the data — which is exactly what the law targets. A European legal shell with a US corporation behind it therefore doesn't fundamentally solve the problem.

Does encryption help against the CLOUD Act?

Only if the provider never sees the keys (true bring-your-own-key with external key management, end-to-end encryption). With the provider's standard key management, the provider holds the key — and thus the access. Such architectures are possible, but demanding, and they heavily restrict managed services.

Is moving just the database to Europe enough?

Often a sensible first step (the "hybrid" option) — but watch the data flows: if US services still access the data (analytics, monitoring, backups), the problem just moves one layer down. An honest data flow map is the start of any solution — we create one in the Hygge Check.

How big is your CLOUD Act exposure, really?

In the Hygge Check we create your data flow map and assess which of your workloads are affected — a factual basis for your DPO and your management.

→ Book an intro call

With your DPO if you like