
CLOUD Act

US law allowing authorities to compel US cloud providers to hand over foreign-stored data.

Last refreshed: 13 April 2026

Key Question

Can any EU cloud strategy truly protect European data while the CLOUD Act exists?

Common Questions

What is the CLOUD Act and how does it affect Europeans?
The CLOUD Act (2018) lets US authorities compel US cloud providers like Microsoft and Amazon to produce customer data regardless of where it is stored, including in EU data centres.
Source: US Department of Justice CLOUD Act guidance

Does the CLOUD Act override GDPR?
There is a direct conflict: GDPR restricts international data transfers without adequate protection, while the CLOUD Act requires disclosure. EU regulators consider US cloud services non-compliant for sensitive data on this basis.
Source: European Data Protection Board guidance

Can European companies avoid the CLOUD Act by using EU cloud providers?
Only by switching to cloud providers that have no US ownership or legal nexus. European providers like OVHcloud and Hetzner are not subject to the CLOUD Act; US-owned European subsidiaries remain subject to it.
Source: EU cloud sovereignty analysis

Has the CLOUD Act ever been used to access EU data?
The US government does not publish individual case details. Legal experts believe it has been used in law enforcement and intelligence operations involving data stored in European AWS and Azure regions.
Source: Electronic Frontier Foundation CLOUD Act analysis

Background

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), signed into law in 2018, gives US law enforcement and national security agencies the authority to compel US-headquartered cloud providers — including AWS, Azure, and Google Cloud — to produce customer data regardless of where it is physically stored. This includes data stored in EU data centres. The CLOUD Act is the primary legal basis for European cloud sovereignty concerns: any cloud service operated by a US company is, in principle, subject to US government access demands, undermining EU data protection and national security requirements. European sovereign cloud frameworks — including France's ANSSI SecNumCloud certification — explicitly require providers to be immune from non-EU legal access requests.