The CLOUD Act data access regime describes the set of US federal statutes, primarily the Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713), FISA Section 702 and the USA PATRIOT Act, that together authorise American law-enforcement and intelligence agencies to compel US-controlled cloud providers to disclose data regardless of where that data is physically stored. For European organisations in government, finance, healthcare or the legal profession, these statutes create a structural conflict with GDPR obligations, sector-specific regulations and the reasonable expectation of confidentiality that underpins professional secrecy.
The Three Statutes That Create Extraterritorial Access
Three distinct US legal instruments give American authorities the power to reach data stored anywhere in the world, as long as the provider controlling that data falls under US jurisdiction.
The CLOUD Act (18 U.S.C. § 2713)
Enacted in 2018, the Clarifying Lawful Overseas Use of Data Act resolved a legal ambiguity that had paralysed law enforcement since the Second Circuit’s ruling in Microsoft Corporation v. United States (829 F.3d 197, 2d Cir. 2016). In that case the court held that a domestic search warrant could not compel Microsoft to hand over emails stored in its Dublin data centre. Rather than accept that outcome, Congress passed the CLOUD Act, which explicitly requires any US provider to disclose data it possesses, has custody of or controls, regardless of where the data is stored. The controlling legal test is corporate control, not data geography.
FISA Section 702
Foreign Intelligence Surveillance Act Section 702 (50 U.S.C. § 1881a) authorises the US intelligence community to collect communications of non-US persons located outside the United States directly from US-based electronic communication service providers. Unlike a criminal warrant, a FISA 702 order is issued by the Foreign Intelligence Surveillance Court in a closed, ex parte proceeding. The target, the foreign customer whose data is collected, has no standing to appear, no right to notification and no practical avenue to challenge the order. Microsoft, Google and Amazon are all certified as FISA 702 providers.
The USA PATRIOT Act
Section 215 of the USA PATRIOT Act, though amended by the USA FREEDOM Act of 2015, preserved broad authority to obtain business records and other tangible items relevant to a national-security investigation. The practical effect for cloud customers is that metadata, access logs, account records and, in some configurations, content held by a US provider can be subject to compelled disclosure on a national-security basis, again without the data subject’s knowledge.
Why EU Data Centre Location Does Not Provide Legal Protection
The physical location of a server in Frankfurt, Amsterdam or Dublin is legally irrelevant under the CLOUD Act. The statute’s text makes this explicit: the obligation to preserve and disclose applies to data that the provider “possesses, has custody of, or controls,” irrespective of the data’s physical location. The European Data Protection Board has stated this directly:
“The location of the data is irrelevant to whether a US provider must comply with a US court order. What matters is whether the provider is subject to US jurisdiction.” (European Data Protection Board, Guidelines on the use of cloud services by the public sector)
This means that an organisation storing sensitive workloads on Microsoft Azure’s West Europe region, AWS Frankfurt or Google Cloud’s Belgian zone is exposed to the same extraterritorial access risk as if the data were hosted in Virginia. The provider’s US incorporation is the connecting factor, and none of the major hyperscalers has severed that connection through structural divestiture of its European operations.
Non-Disclosure Orders and the Secrecy Problem
A CLOUD Act warrant or FISA 702 order can be accompanied by a non-disclosure requirement, colloquially called a gag order, that legally prohibits the provider from informing the customer that a request was made or fulfilled. Brad Smith, President of Microsoft Corporation, acknowledged this publicly:
“When US law enforcement submits a lawful request, we are required to comply, and in many cases we are legally prohibited from telling the customer that the request was made.” (Brad Smith, Microsoft, On the Issues blog)
The practical consequence is that a data controller subject to GDPR Article 33 (breach notification) or Article 34 (communication to data subjects) may be structurally unable to fulfil those obligations, because it does not know a disclosure has occurred. This creates a compliance asymmetry: the GDPR demands transparency, and US law can simultaneously prohibit it.
EU e-Evidence Regulation: A Different Architecture
EU e-Evidence Regulation 2023/1543 (Regulation (EU) 2023/1543 of the European Parliament and of the Council) establishes a mechanism for cross-border access to electronic evidence within the EU. It differs from US extraterritorial regimes in three material ways:
| Dimension | US CLOUD Act / FISA 702 | EU e-Evidence Regulation 2023/1543 |
|---|---|---|
| Issuing authority | US federal court or FISA Court (closed, ex parte) | Judicial or independent authority in an EU member state |
| Notification to data subject | Can be prohibited by gag order | Notification rights preserved; derogation requires judicial approval |
| Fundamental-rights review | Minimal; no standing for foreign data subjects | Explicit proportionality and necessity review required |
| Territorial scope | Unilateral; no consent from data-subject country required | Mutual recognition within EU legal order |
While EU e-Evidence creates its own questions about proportionality and safeguards, it operates within a constitutional framework that includes the EU Charter of Fundamental Rights. US statutes do not extend those protections to non-US persons.
Which European Organisations Face the Highest Exposure
Not all data carries the same risk weight. However, certain categories of European organisation face compounded exposure because a covert foreign-government access order can trigger cascading violations across multiple legal regimes simultaneously.
- Public-sector bodies: National and local government agencies holding citizen data, identity records and law-enforcement information are attractive intelligence targets and face the most severe sovereignty concerns.
- Healthcare organisations: Special-category data under GDPR Article 9 demands the highest standard of care. Disclosure to a foreign government agency without legal basis under EU law constitutes an unlawful transfer.
- Financial institutions: Banks, insurers and payment processors subject to DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) must demonstrate supply-chain control and resilience. A covert disclosure order on a cloud provider disrupts incident reporting chains and third-party risk frameworks.
- Legal service providers: Law firms and in-house legal teams are bound by professional secrecy and legal privilege. Discovery of client files through a FISA 702 collection could destroy privilege and expose the firm to bar sanctions.
Due-Diligence Steps for Compliance Officers
Documenting and quantifying jurisdictional risk is now a standard expectation in cloud procurement for regulated sectors. The following steps represent a minimum standard of care.
1. Map the provider’s corporate control chain
Determine whether any parent, subsidiary, affiliate or joint-venture partner in the provider’s group is incorporated, domiciled or has its principal place of business in the United States. US incorporation anywhere in the group typically exposes the entire group’s data to CLOUD Act obligations.
2. Conduct a Transfer Impact Assessment
GDPR Chapter V and the European Data Protection Board’s recommendations on supplementary measures (EDPB Recommendations 01/2020) require a Transfer Impact Assessment (TIA) for any transfer to a third country, including transfers that may occur covertly through foreign government access. The TIA must assess whether US surveillance law, including FISA 702, renders the destination’s legal framework essentially equivalent to EU law. Based on the Schrems II judgment (C-311/18), the answer for bulk US intelligence access programmes is generally no.
3. Review contractual terms for notification obligations
Examine whether the provider’s data processing agreement contains a genuine commitment to notify the customer of government access requests to the maximum extent permitted by law, and whether it includes a commitment to challenge overbroad requests. Clauses that disclaim liability for government-compelled disclosures should be treated as red flags, not standard boilerplate.
4. Classify workloads by sensitivity tier
Not every workload carries equal risk. Establish a data classification framework that maps data sensitivity to permissible infrastructure types. The most sensitive workloads, including those containing special-category personal data, legally privileged material or state security information, should be restricted to providers whose entire corporate structure is outside US jurisdiction.
5. Document the residual risk and escalate
Where a US-controlled provider is retained despite identified jurisdictional risk, compliance officers should produce a written risk acceptance record that names the specific statutes creating the exposure, quantifies the likelihood and impact of a covert access event, and is signed off by a named executive. This creates an audit trail demonstrating that the risk was identified, evaluated and accepted with authority, rather than overlooked.
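As an added illustration (this is not code from the article), steps 1, 4 and 5 can be expressed as a policy-as-code check that walks a provider's control chain for a US connecting factor, refuses restricted tiers on exposed providers, and flags what a residual-risk record must name; all entity names and tiers are constructed.

```python
# Added example, not from the original article: a policy-as-code check for
# due-diligence steps 1, 4 and 5. Entity names and tier labels are constructed.
from dataclasses import dataclass
from typing import Optional

# Statutes the risk acceptance record (step 5) must name when exposure exists.
US_STATUTES = ["CLOUD Act (18 U.S.C. § 2713)", "FISA Section 702 (50 U.S.C. § 1881a)"]

# Tiers the article restricts to providers wholly outside US jurisdiction (step 4).
RESTRICTED_TIERS = {"special_category", "legally_privileged", "state_security"}

@dataclass
class Entity:
    name: str
    incorporated_in: str
    domiciled_in: str
    principal_place_of_business: str
    parent: Optional["Entity"] = None

def us_nexus(entity: Entity) -> list[str]:
    """Step 1: walk the control chain upward and return every entity with a US
    connecting factor. The CLOUD Act test is corporate control, so one hit anywhere
    in the chain is enough; data centre location is deliberately never consulted."""
    hits = []
    e = entity
    while e is not None:
        if "US" in (e.incorporated_in, e.domiciled_in, e.principal_place_of_business):
            hits.append(e.name)
        e = e.parent
    return hits

def evaluate(tier: str, provider: Entity) -> dict:
    """Steps 4 and 5: decide whether a workload of the given tier may run on the
    provider and, if retained despite exposure, what the risk record must name."""
    nexus = us_nexus(provider)
    if not nexus:
        return {"decision": "permit", "us_nexus": [], "statutes": []}
    if tier in RESTRICTED_TIERS:
        return {"decision": "reject", "us_nexus": nexus, "statutes": US_STATUTES}
    # Lower tiers may proceed only with a signed, statute-specific risk acceptance.
    return {"decision": "permit_with_risk_acceptance", "us_nexus": nexus,
            "statutes": US_STATUTES, "requires_executive_signoff": True}

# Constructed sample: an Irish subsidiary that contracts with the customer but is
# owned by a US-incorporated parent, and a provider whose whole chain is in the EU.
US_PARENT = Entity("Example Cloud Inc. (hypothetical)", "US", "US", "US")
EU_SUB = Entity("Example Cloud Ireland Ltd (hypothetical)", "IE", "IE", "IE", parent=US_PARENT)
EU_ONLY = Entity("Sovereign Hoster SAS (hypothetical)", "FR", "FR", "FR")

if __name__ == "__main__":
    for tier, prov in [("special_category", EU_SUB), ("internal", EU_SUB), ("special_category", EU_ONLY)]:
        print(tier, prov.name, "->", evaluate(tier, prov)["decision"])
```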
The IBM Cost of a Data Breach Report 2023 found that the average total cost of a data breach reached USD 4.45 million, the highest in the study’s history. Against that benchmark, the cost of jurisdictional due diligence is modest. Microsoft’s own transparency reporting indicates the company received 12,523 legal demands from US authorities in the first half of 2023 affecting data stored globally. And the European Data Protection Board’s Annual Report 2023 identified US data transfers as one of the most frequently raised concerns in national supervisory authority complaints across the EU, confirming that regulators are actively scrutinising this risk.
FAQ
Does storing data in an EU-based Microsoft Azure or AWS data centre protect it from US government access?
No. Under the CLOUD Act (18 U.S.C. § 2713), US authorities can compel a US-controlled provider to disclose data regardless of where that data is physically stored. The controlling factor is whether the provider is subject to US jurisdiction, not the location of its servers.
Can a European customer be notified when a CLOUD Act or FISA order is served on its cloud provider?
Not necessarily. Both CLOUD Act warrants and FISA 702 orders can carry non-disclosure provisions that legally prohibit the provider from informing the customer or data subject that a disclosure request has been made or fulfilled.
How does the EU e-Evidence Regulation differ from US extraterritorial access regimes?
EU e-Evidence Regulation 2023/1543 governs cross-border access to electronic evidence within the EU through judicial authorisation, data-subject rights and fundamental-rights safeguards. US statutes such as the CLOUD Act and FISA 702 operate unilaterally and do not require the consent, notification or oversight of the country where the data subject or data reside.
Which European organisations face the highest jurisdictional risk from US cloud services?
Regulated sectors face the greatest exposure: government bodies holding citizen data, healthcare organisations processing special-category data under GDPR Article 9, financial institutions subject to DORA and EBA guidelines, and legal service providers bound by professional secrecy. A covert government access order in any of these sectors can trigger regulatory fines, professional sanctions and reputational harm simultaneously.
What is the first due-diligence step a compliance officer should take when evaluating a US-controlled cloud service?
Map the corporate control chain of the provider to determine whether any parent, subsidiary or affiliate is incorporated or domiciled in the United States. US incorporation anywhere in the group typically brings the entire group’s data within the reach of the CLOUD Act, irrespective of which entity contracts with the European customer.
