Updated June 24, 2026
Summary: The CLOUD Act, FISA 702 and the Patriot Act allow US authorities to compel disclosure of data held by US-controlled providers regardless of where servers sit. European organisations in regulated sectors must document and quantify this jurisdictional risk as part of every cloud procurement decision.

The CLOUD Act data access regime describes the set of US federal statutes, primarily the Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713), FISA Section 702 and the USA PATRIOT Act, that together authorise American law-enforcement and intelligence agencies to compel US-controlled cloud providers to disclose data regardless of where that data is physically stored. For European organisations in government, finance, healthcare or the legal profession, these statutes create a structural conflict with GDPR obligations, sector-specific regulations and the reasonable expectation of confidentiality that underpins professional secrecy.

The Three Statutes That Create Extraterritorial Access

Three distinct US legal instruments give American authorities the power to reach data stored anywhere in the world, as long as the provider controlling that data falls under US jurisdiction.

The CLOUD Act (18 U.S.C. § 2713)

Enacted in 2018, the Clarifying Lawful Overseas Use of Data Act resolved a legal ambiguity that had paralysed law enforcement since the Second Circuit’s ruling in Microsoft Corporation v. United States (829 F.3d 197, 2d Cir. 2016). In that case the court held that a domestic search warrant could not compel Microsoft to hand over emails stored in its Dublin data centre. Rather than accept that outcome, Congress passed the CLOUD Act, which explicitly requires any US provider to disclose data it possesses, has custody of or controls, regardless of where the data is stored. The controlling legal test is corporate control, not data geography.

FISA Section 702

Foreign Intelligence Surveillance Act Section 702 (50 U.S.C. § 1881a) authorises the US intelligence community to collect communications of non-US persons located outside the United States directly from US-based electronic communication service providers. Unlike a criminal warrant, a FISA 702 order is issued by the Foreign Intelligence Surveillance Court in a closed, ex parte proceeding. The target, the foreign customer whose data is collected, has no standing to appear, no right to notification and no practical avenue to challenge the order. Microsoft, Google and Amazon are all certified as FISA 702 providers.

The USA PATRIOT Act

Section 215 of the USA PATRIOT Act, though amended by the USA FREEDOM Act of 2015, preserved broad authority to obtain business records and other tangible items relevant to a national-security investigation. The practical effect for cloud customers is that metadata, access logs, account records and, in some configurations, content held by a US provider can be subject to compelled disclosure on a national-security basis, again without the data subject’s knowledge.

Key point: All three statutes share one architectural feature: the obligation runs against the provider, not against the customer. The European customer has no party status in the proceeding and may never learn that disclosure occurred.

Why EU Data Centre Location Does Not Provide Legal Protection

The physical location of a server in Frankfurt, Amsterdam or Dublin is legally irrelevant under the CLOUD Act. The statute’s text makes this explicit: the obligation to preserve and disclose applies to data that the provider “possesses, has custody of, or controls,” irrespective of the data’s physical location. The European Data Protection Board has stated this directly:

“The location of the data is irrelevant to whether a US provider must comply with a US court order. What matters is whether the provider is subject to US jurisdiction.” (European Data Protection Board, Guidelines on the use of cloud services by the public sector)

This means that an organisation storing sensitive workloads on Microsoft Azure’s West Europe region, AWS Frankfurt or Google Cloud’s Belgian zone is exposed to the same extraterritorial access risk as if the data were hosted in Virginia. The provider’s US incorporation is the connecting factor, and none of the major hyperscalers have severed that connection through structural divestiture of their European operations.

Non-Disclosure Orders and the Secrecy Problem

A CLOUD Act warrant or FISA 702 order can be accompanied by a non-disclosure requirement, colloquially called a gag order, that legally prohibits the provider from informing the customer that a request was made or fulfilled. Brad Smith, President of Microsoft Corporation, acknowledged this publicly:

“When US law enforcement submits a lawful request, we are required to comply, and in many cases we are legally prohibited from telling the customer that the request was made.” (Brad Smith, Microsoft, On the Issues blog)

The practical consequence is that a data controller subject to GDPR Article 33 (breach notification) or Article 34 (communication to data subjects) may be structurally unable to fulfil those obligations, because it does not know a disclosure has occurred. This creates a compliance asymmetry: the GDPR demands transparency, and US law can simultaneously prohibit it.

EU e-Evidence Regulation: A Different Architecture

EU e-Evidence Regulation 2023/1543 (Regulation (EU) 2023/1543 of the European Parliament and of the Council) establishes a mechanism for cross-border access to electronic evidence within the EU. It differs from US extraterritorial regimes in three material ways:

Issuing authority
  • US CLOUD Act / FISA 702: US federal court or FISA Court (closed, ex parte)
  • EU e-Evidence Regulation 2023/1543: Judicial or independent authority in an EU member state

Notification to data subject
  • US CLOUD Act / FISA 702: Can be prohibited by gag order
  • EU e-Evidence Regulation 2023/1543: Notification rights preserved; derogation requires judicial approval

Fundamental-rights review
  • US CLOUD Act / FISA 702: Minimal; no standing for foreign data subjects
  • EU e-Evidence Regulation 2023/1543: Explicit proportionality and necessity review required

Territorial scope
  • US CLOUD Act / FISA 702: Unilateral; no consent from data-subject country required
  • EU e-Evidence Regulation 2023/1543: Mutual recognition within EU legal order

While EU e-Evidence creates its own questions about proportionality and safeguards, it operates within a constitutional framework that includes the EU Charter of Fundamental Rights. US statutes do not extend those protections to non-US persons.

Which European Organisations Face the Highest Exposure

Not all data carries the same risk weight. However, certain categories of European organisation face compounded exposure because a covert foreign-government access order can trigger cascading violations across multiple legal regimes simultaneously.

  • Public-sector bodies: National and local government agencies holding citizen data, identity records and law-enforcement information are attractive intelligence targets and face the most severe sovereignty concerns.
  • Healthcare organisations: Special-category data under GDPR Article 9 demands the highest standard of care. Disclosure to a foreign government agency without legal basis under EU law constitutes an unlawful transfer.
  • Financial institutions: Banks, insurers and payment processors subject to DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) must demonstrate supply-chain control and resilience. A covert disclosure order on a cloud provider disrupts incident reporting chains and third-party risk frameworks.
  • Legal service providers: Law firms and in-house legal teams are bound by professional secrecy and legal privilege. Discovery of client files through a FISA 702 collection could destroy privilege and expose the firm to bar sanctions.

Compliance note: Under GDPR Article 48, any transfer of personal data to a foreign authority based solely on a foreign-court judgment or law-enforcement order that is not authorised by an international agreement such as a mutual legal assistance treaty is not, in itself, a lawful ground for transfer. This means a CLOUD Act-compelled disclosure places the provider, not just the customer, in a legal conflict between US and EU law.

Due-Diligence Steps for Compliance Officers

Documenting and quantifying jurisdictional risk is now a standard expectation in cloud procurement for regulated sectors. The following steps represent a minimum standard of care.

1. Map the provider’s corporate control chain

Determine whether any parent, subsidiary, affiliate or joint-venture partner in the provider’s group is incorporated, domiciled or has principal place of business in the United States. US incorporation anywhere in the group typically exposes the entire group’s data to CLOUD Act obligations.

2. Conduct a Transfer Impact Assessment

GDPR Chapter V and the European Data Protection Board’s recommendations on supplementary measures (EDPB Recommendations 01/2020) require a Transfer Impact Assessment (TIA) for any transfer to a third country, including transfers that may occur covertly through foreign government access. The TIA must assess whether US surveillance law, including FISA 702, renders the destination’s legal framework essentially equivalent to EU law. Based on the Schrems II judgment (C-311/18), the answer for bulk US intelligence access programmes is generally no.

3. Review contractual terms for notification obligations

Examine whether the provider’s data processing agreement contains a genuine commitment to notify the customer of government access requests to the maximum extent permitted by law, and whether it includes a commitment to challenge overbroad requests. Clauses that disclaim liability for government-compelled disclosures should be treated as red flags, not standard boilerplate.

4. Classify workloads by sensitivity tier

Not every workload carries equal risk. Establish a data classification framework that maps data sensitivity to permissible infrastructure types. The most sensitive workloads, including those containing special-category personal data, legally privileged material or state security information, should be restricted to providers whose entire corporate structure is outside US jurisdiction.

5. Document the residual risk and escalate

Where a US-controlled provider is retained despite identified jurisdictional risk, compliance officers should produce a written risk acceptance record that names the specific statutes creating the exposure, quantifies the likelihood and impact of a covert access event, and is signed off by a named executive. This creates an audit trail demonstrating that the risk was identified, evaluated and accepted with authority, rather than overlooked.
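The five steps above, expressed as a policy-as-code procurement check (an added example, not code from the original article): it models a provider's corporate group as a graph, applies the step 1 rule that one US-incorporated entity anywhere in the group exposes the whole group, and gates workloads by an assumed three-tier classification in the spirit of step 4, requiring the step 2 TIA and step 5 risk acceptance record for mid-tier data. The entity names, tier numbers and rule labels are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    """One company in a provider's group (constructed model, not a real provider)."""
    name: str
    jurisdiction: str                             # country of incorporation / principal place of business
    related: list = field(default_factory=list)   # parents, subsidiaries, affiliates, JV partners

def us_controlled(entity, seen=None):
    """Step 1: walk the whole group. One US-incorporated entity anywhere in the
    chain is treated as bringing the entire group's data within CLOUD Act reach."""
    seen = set() if seen is None else seen
    if entity.name in seen:                       # groups are graphs, not trees; stop on cycles
        return False
    seen.add(entity.name)
    if entity.jurisdiction == "US":
        return True
    return any(us_controlled(r, seen) for r in entity.related)

# Step 4: assumed sensitivity tiers mapped to permissible infrastructure.
# Tier 3 = special-category data (Art. 9), privileged material, state security information.
TIER_RULE = {1: "any", 2: "tia-and-risk-record", 3: "non-us-only"}

def procurement_decision(provider, tier):
    """Combine steps 1, 2, 4 and 5: return (verdict, reason) for a workload tier."""
    exposed = us_controlled(provider)
    rule = TIER_RULE[tier]
    if not exposed:
        return "allowed", "no US entity in corporate control chain"
    if rule == "non-us-only":
        return "blocked", "tier 3 workload; group contains US entity (18 U.S.C. § 2713 exposure)"
    if rule == "tia-and-risk-record":
        return "conditional", "TIA (EDPB 01/2020) and signed risk acceptance record required"
    return "allowed", "tier 1 data; jurisdictional exposure documented in procurement file"

# Constructed sample groups: an EU subsidiary that contracts with the customer but
# has a US parent, and a group with no US entity at all.
us_parent = Entity("ExampleCloud Inc.", "US")
eu_sub = Entity("ExampleCloud Europe B.V.", "NL", related=[us_parent])
us_parent.related.append(eu_sub)                  # parent <-> subsidiary link forms a cycle
eu_only = Entity("Sovereign Host GmbH", "DE", related=[Entity("Sovereign Host SA", "FR")])

if __name__ == "__main__":
    for provider in (eu_sub, eu_only):
        for tier in (1, 2, 3):
            print(provider.name, "tier", tier, procurement_decision(provider, tier))
```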

The IBM Cost of a Data Breach Report 2023 found that the average total cost of a data breach reached USD 4.45 million, the highest in the study’s history. Against that benchmark, the cost of jurisdictional due diligence is modest. Microsoft’s own transparency reporting indicates the company received 12,523 legal demands from US authorities in the first half of 2023 affecting data stored globally. The European Data Protection Board’s Annual Report 2023 identified US data transfers as one of the most frequently raised concerns in national supervisory authority complaints across the EU, confirming that regulators are actively scrutinising this risk.

FAQ

Does storing data in an EU-based Microsoft Azure or AWS data centre protect it from US government access?

No. Under the CLOUD Act (18 U.S.C. § 2713), US authorities can compel a US-controlled provider to disclose data regardless of where that data is physically stored. The controlling factor is whether the provider is subject to US jurisdiction, not the location of its servers.

Can a European customer be notified when a CLOUD Act or FISA order is served on its cloud provider?

Not necessarily. Both CLOUD Act warrants and FISA 702 orders can carry non-disclosure provisions that legally prohibit the provider from informing the customer or data subject that a disclosure request has been made or fulfilled.

How does the EU e-Evidence Regulation differ from US extraterritorial access regimes?

EU e-Evidence Regulation 2023/1543 governs cross-border access to electronic evidence within the EU through judicial authorisation, data-subject rights and fundamental-rights safeguards. US statutes such as the CLOUD Act and FISA 702 operate unilaterally and do not require the consent, notification or oversight of the country where the data subject or data reside.

Which European organisations face the highest jurisdictional risk from US cloud services?

Regulated sectors face the greatest exposure: government bodies holding citizen data, healthcare organisations processing special-category data under GDPR Article 9, financial institutions subject to DORA and EBA guidelines, and legal service providers bound by professional secrecy. A covert government access order in any of these sectors can trigger regulatory fines, professional sanctions and reputational harm simultaneously.

What is the first due-diligence step a compliance officer should take when evaluating a US-controlled cloud service?

Map the corporate control chain of the provider to determine whether any parent, subsidiary or affiliate is incorporated or domiciled in the United States. US incorporation anywhere in the group typically brings the entire group’s data within the reach of the CLOUD Act, irrespective of which entity contracts with the European customer.
