---
title: "The US CLOUD Act Explained: Why Server Location Alone Is Not Enough"
date: 2025-12-04T10:40:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/us-cloud-act-erklärt-warum-der-serverstandort-allein-nicht-schützt"
section: "Entries: Articles"
---
### What Is the CLOUD Act? [\#](#what-is-the-cloud-act "What Is the CLOUD Act?")

**CLOUD = Clarifying Lawful Overseas Use of Data Act (2018)**

**In short:** Providers subject to US jurisdiction must comply with valid US legal orders for data in their possession, custody or control, regardless of where that data is physically stored.

#### How It Applies in Practice [\#](#how-it-applies-in-practice "How It Applies in Practice")

**Scenario:** A US cloud provider operates a data centre in Germany. The data belongs to an EU customer.

1. A US authority obtains a valid legal order for specific data
2. The order is served on the provider, not on the customer
3. The provider must produce the data it controls, even if it is stored in an EU data centre
4. The order can be accompanied by a non-disclosure requirement, so the customer may not be informed

The CLOUD Act includes a mechanism for providers to challenge orders that conflict with foreign law, and executive agreements between the US and partner states can structure such requests. Neither changes the core point: an EU server location does not shield data held by a US provider.

---

### Who Is Affected? [\#](#who-is-affected "Who Is Affected?")

#### AWS, Microsoft Azure, Google Cloud [\#](#aws-microsoft-azure-google-cloud "AWS, Microsoft Azure, Google Cloud")

All three are **US companies**. Therefore:

- AWS region Frankfurt: subject to the CLOUD Act
- Azure EU data centres: subject to the CLOUD Act
- Google Cloud EU regions: subject to the CLOUD Act
- Any other region of these providers: subject to the CLOUD Act

The server location does not change the provider’s legal obligations. The same logic applies to EU subsidiaries of US groups, because the parent retains control over the data.

#### Who Is Not in Scope? [\#](#who-is-not-in-scope "Who Is Not in Scope?")

**Providers without US jurisdiction**, for example:

- OVHcloud (France)
- Scaleway (France)
- IONOS (Germany)
- Hetzner (Germany)

These companies are not subject to US orders under the CLOUD Act. They are subject to EU and national law, including EU law enforcement access regimes, which are bound by EU fundamental rights and judicial oversight.

---

### CLOUD Act vs. FISA: Two Different Issues [\#](#cloud-act-vs-fisa-two-different-issues "CLOUD Act vs. FISA: Two Different Issues")

The CLOUD Act is often mixed up with US intelligence surveillance law. They are separate regimes:

**CLOUD Act (2018):** Law enforcement. Warrants, court orders and subpoenas under the Stored Communications Act in criminal investigations, served on providers, with extraterritorial reach over data the provider controls.

**Section 702 FISA and Executive Order 12333:** Foreign intelligence collection. These programmes, together with the lack of effective redress for EU citizens, were the reason the CJEU invalidated Privacy Shield in the Schrems II ruling (July 2020). The CLOUD Act was not the basis of that decision.

For an IT decision-maker, both point in the same direction: data held by US providers is reachable by US authorities through legal channels that EU customers cannot block contractually.

---

### The EU-US Data Privacy Framework and Its Limits [\#](#the-eu-us-data-privacy-framework-and-its-limits "The EU-US Data Privacy Framework and Its Limits")

The EU-US Data Privacy Framework (DPF, adequacy decision of 10 July 2023) addresses the surveillance and redress concerns from Schrems II. It introduced binding safeguards for intelligence collection and a Data Protection Review Court for complaints by EU individuals. The EU General Court upheld the framework in September 2025; an appeal before the Court of Justice is pending.

**What the DPF does not change:** The CLOUD Act remains in force. A valid US order still obliges the provider to produce the data first. Redress mechanisms operate after the fact. For data where any foreign government access is unacceptable (trade secrets, patient data, government records), legal frameworks reduce but do not eliminate the exposure. Only keeping the data out of the providers’ control eliminates it.

---

### Practical Implications [\#](#practical-implications "Practical Implications")

#### For Compliance-Critical Data [\#](#for-compliance-critical-data "For Compliance-Critical Data")

**Examples:**

- Medical data (patient records)
- Financial data
- Trade secrets
- Government and public sector data

**Recommendation:** Do not store this data with providers subject to US jurisdiction. If cloud services are used at all, apply client-side encryption with keys held exclusively in your own infrastructure. For backup and archive data, on-premises secondary storage removes the question entirely.

#### For Non-Critical Data [\#](#for-non-critical-data "For Non-Critical Data")

**Examples:**

- Test data
- Public content
- Temporary working data

**Recommendation:** Hyperscaler storage can be acceptable here, since the impact of disclosure is low. Classify data before deciding.

---

### Approaches to a Solution [\#](#approaches-to-a-solution "Approaches to a Solution")

#### 1. European Providers [\#](#1-european-providers "1. European Providers")

**Approach:** Use providers without US jurisdiction for sensitive workloads.

**Advantages:**

- No CLOUD Act exposure
- EU law and EU jurisdiction apply
- Simpler GDPR position (no third-country transfer)

**Trade-offs:**

- Smaller service portfolio than the hyperscalers
- Pricing and ecosystem differ; compare per workload

#### 2. Client-Side Encryption [\#](#2-client-side-encryption "2. Client-Side Encryption")

**Approach:** Encrypt data before it leaves your infrastructure. Only you hold the keys.

**Advantages:**

- A provider compelled to produce data can only hand over ciphertext
- Hyperscaler services remain usable for storage

**Trade-offs:**

- Server-side processing and search on encrypted data are limited
- Key management becomes a critical responsibility: lose the keys, lose the data
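The recommendation for compliance-critical data above and this section both rest on the same mechanism: encrypt on your side, keep the key on your side, and let the provider hold only what it cannot read. The following is an added example written for this page by the editor; it is not FAST LTA's code and not any hyperscaler SDK. It uses Go's standard-library AES-256-GCM, a constructed `ProviderStore` that stands in for an S3/Blob/GCS bucket, and a constructed sample record. `Produce` models what a provider can hand over under a valid order: the bytes it holds, nothing more.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256

// GenerateKey creates a data-encryption key on your own infrastructure.
// In production this key lives in an on-premises HSM or KMS; it is never
// uploaded alongside the data.
func GenerateKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM before it leaves your network.
// objectName is bound as additional authenticated data, so a blob copied to
// a different object name fails to decrypt. Layout: nonce || ciphertext+tag.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob produced by Seal. A wrong key, a wrong objectName or
// a modified blob fails authentication and returns an error, never garbage.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// ProviderStore is a constructed stand-in for a hyperscaler object store
// (an S3/Blob/GCS client in practice). It only ever receives sealed blobs.
type ProviderStore struct {
	objects map[string][]byte
}

func NewProviderStore() *ProviderStore {
	return &ProviderStore{objects: make(map[string][]byte)}
}

func (s *ProviderStore) Put(name string, blob []byte) { s.objects[name] = blob }

// Produce models what the provider can hand over under a valid order:
// exactly the bytes it holds. Without the key that is ciphertext only.
func (s *ProviderStore) Produce(name string) ([]byte, bool) {
	blob, ok := s.objects[name]
	return blob, ok
}

// ExposesPlaintext checks whether a produced blob still contains a known
// plaintext fragment, i.e. whether client-side encryption was skipped.
func ExposesPlaintext(blob, fragment []byte) bool {
	return bytes.Contains(blob, fragment)
}

func main() {
	key, _ := GenerateKey()
	store := NewProviderStore()
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"Jane Doe","diagnosis":"J45.0"}`)
	blob, err := Seal(key, record, "records/jane.json")
	if err != nil {
		panic(err)
	}
	store.Put("records/jane.json", blob)

	produced, _ := store.Produce("records/jane.json")
	fmt.Println("provider holds plaintext:", ExposesPlaintext(produced, []byte("Jane Doe")))

	// Recovery works only with the key kept on-premises.
	pt, err := Open(key, produced, "records/jane.json")
	fmt.Println("recovered with own key:", err == nil && bytes.Equal(pt, record))

	// Lose the key and the data is gone: another key fails authentication.
	otherKey, _ := GenerateKey()
	_, err = Open(otherKey, produced, "records/jane.json")
	fmt.Println("recovered with wrong key:", err == nil)
}
```

Two practical caveats the code makes visible. First, the key-management trade-off is not abstract: `Open` with any key other than the one you generated returns an error, so a lost key is lost data, and the key store needs the same backup discipline as the data. Second, random 96-bit GCM nonces are safe for a bounded number of objects per key; at large object counts, generate one data key per object and wrap it with a key-encryption key held on-premises (envelope encryption), rather than sealing everything under a single key.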

#### 3. On-Premises First, Cloud as Supplement [\#](#3-on-premises-first-cloud-as-supplement "3. On-Premises First, Cloud as Supplement")

**Approach:** Keep critical data, backups and archives on-premises. Use cloud selectively for non-critical workloads or as an additional geo-redundant copy.

**Advantages:**

- Critical data stays under your physical and legal control
- No provider can be compelled to hand over what it does not hold
- Predictable costs, no egress fees on recovery

**Trade-off:**

- You operate the infrastructure, which requires capacity planning and maintenance (typically covered by maintenance contracts)

---

### Frequently Asked Questions [\#](#frequently-asked-questions "Frequently Asked Questions")

**Can AWS, Azure or Google refuse a CLOUD Act order?** They can challenge orders in US courts, for example where compliance would violate foreign law and a qualifying executive agreement exists. If the order stands, they must comply.

**Is there an EU equivalent to the CLOUD Act?** The EU e‑Evidence Regulation creates a framework for cross-border production orders within the EU, with judicial safeguards. EU member state authorities can also compel disclosure under national law. The difference: EU access regimes are subject to EU fundamental rights and CJEU review.

**Does the CLOUD Act conflict with the GDPR?** There is tension. A US order can require disclosure that the GDPR would only permit under narrow conditions (Art. 48 GDPR). Providers sit between both regimes. As a customer, you carry the compliance risk for your data.

**What is the best strategy?** Classify your data. Keep critical and regulated data on-premises or with EU providers. Use US cloud services, if at all, for non-critical data or with client-side encryption. For backups and archives, on-premises systems give you the strongest position.

---

### Further Resources [\#](#further-resources "Further Resources")

→ What Is Data Sovereignty? Definition and Three Dimensions (/en/blog/was-ist-datensouveraenitaet/)
→ EU-US Data Privacy Framework: How Stable Is the New Framework? (/en/blog/eu-us-data-privacy-framework/)
→ GDPR and Cloud Storage: Legally Compliant Handling of Personal Data (/en/blog/dsgvo-cloud-speicherung/)
→ Data Egress Fees: The Hidden Costs of Your Cloud Backup (/en/blog/egress-kosten-cloud/)
→ Silent Brick System: On-Premises Secondary Storage (/en/produkte/silent-brick-system/)
→ Request a demo (/en/kontakt/demo/)

### US CLOUD Act

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU.

[Learn more →](https://www.fast-lta.de//en/glossary/us-cloud-act)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### Data Sovereignty

Data sovereignty describes an organization's complete control over its data: where it is stored, who can access it, which legal framework applies to it and whether it is available at any time without dependency on a single provider.

[Learn more →](https://www.fast-lta.de//en/glossary/data-sovereignty)
