In brief
Definition
What is the CLOUD Act?
The CLOUD Act, short for Clarifying Lawful Overseas Use of Data Act, is a US federal law passed on 23 March 2018 as part of the Consolidated Appropriations Act. It amends the Stored Communications Act of 1986 to clarify the geographic scope of legal orders addressed to electronic communication service providers.
Concretely, the law affirms two principles. First, a provider subject to US jurisdiction must produce the data in its possession, custody or control, regardless of where that data is physically stored. Second, the US government may conclude bilateral executive agreements with third countries to facilitate cross-border requests, subject to equivalent legal guarantees.
The scope of the CLOUD Act is therefore not limited to companies based in the United States. Any entity with a sufficient operational or ownership link to the US, for example an active subsidiary on the US market, may receive such an order.
Historical context
From the Microsoft case to the adopted text
Concrete impact
What it changes for a European organisation
Six tangible consequences observed in the legal, procurement and architecture departments of large European organisations since 2018.
Data accessible outside the EU
A US warrant may target data hosted in a French datacenter, operated by a European subsidiary of a US group. Physical location alone no longer creates a legal barrier.
No client notification
The procedure may include a gag order forbidding the provider from informing the client of the request. The European client may remain unaware that a transfer took place.
Conflict with the GDPR
Transferring personal data outside the EU without a GDPR legal basis exposes the organisation to CNIL sanctions. The CLOUD Act potentially creates a conflict of laws for the providers concerned.
Contractual clauses to revisit
The terms of service of most hyperscalers now include a CLOUD Act clause. Public sector contracts and contracts with OIV (operators of vital importance) must respond with strengthened notification and data residency commitments.
Cost of compliance
For regulated actors (health, finance, defence), assessing then framing CLOUD Act exposure mobilises lawyers, architects and procurement. This cost weighs on the real TCO of the solutions concerned.
Reputation effect
In European public tenders, CLOUD Act exposure has become a discriminating criterion. Several administrations now require an immunity attestation or hosting with a SecNumCloud operator.
Common misconceptions
Three frequent confusions
Frequently asked
The essentials in 5 questions
What is the CLOUD Act?
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US federal law passed on 23 March 2018. It authorises US authorities to compel a provider subject to their jurisdiction to disclose data stored abroad, under certain conditions.
Does the CLOUD Act apply in Europe?
Indirectly, yes. Any provider with an operational or ownership link to the United States may be affected, including its European subsidiaries. The physical location of the data in Europe does not, on its own, create a legal barrier.
Which companies are affected?
All entities subject to US law: US companies (AWS, Microsoft, Google), integrated European subsidiaries of US groups, and their sub-contractors. Purely European actors with no capital or operations in the US are not targeted.
How to protect against the CLOUD Act?
Several levers: choose a European provider under European control, use a supervised partnership (Bleu, S3NS) with SecNumCloud qualification, deploy BYOK or HYOK with an external HSM, or encrypt data client-side before anything is sent to an exposed service. The right combination depends on the sensitivity level of the data.
Does the GDPR protect against the CLOUD Act?
No. The GDPR frames the processing of personal data but does not neutralise a foreign injunction. On the contrary, a disclosure under the CLOUD Act may create a conflict with the GDPR, exposing the organisation to CNIL sanctions. This is one of the arguments of the Schrems II debate.
Sources and references
Further reading
On NextHop