The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) is a US federal law that allows US law enforcement to compel providers subject to US jurisdiction to disclose data in their possession, custody or control, regardless of where the servers holding that data are located. This covers Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform, as well as every other US company and the foreign subsidiaries it controls.

The practical consequence is significant: if backup data is stored with a US cloud provider, even on a server in Frankfurt, a US authority can compel its disclosure by warrant or court order. The provider then faces a conflict between US law (obligation to disclose) and EU law (the GDPR prohibits disclosure to a third-country authority without a legal basis such as a mutual legal assistance treaty). The CLOUD Act does allow a provider to move to quash an order that would violate the law of a "qualifying foreign government", but that status requires an executive agreement with the US, and the EU has none. Encrypting backups client-side with keys the provider never holds limits what a disclosure yields to ciphertext, but it does not remove the provider's obligation to hand over what it has. European data protection authorities, including the Austrian DSB, the French CNIL and the Bavarian LDA, have found in several decisions that the use of US cloud services for certain data categories does not provide an adequate level of protection.

The EU-US Data Privacy Framework (2023) is the attempt to resolve this conflict, but as the successor to the Privacy Shield, which the CJEU invalidated in its Schrems II ruling (2020), it rests on a legally fragile basis, and a further Schrems ruling by the CJEU is possible. For organizations that must guarantee data sovereignty in the long term, on-premises storage or the use of purely European cloud providers is the more robust strategy.

Frequently asked questions

Does it help if the server is located in the EU?

No. The CLOUD Act attaches not to the physical server location but to the legal jurisdiction over the company storing the data. Data on an AWS server in Frankfurt is within reach because AWS is a US company subject to US law, and its EU subsidiaries are under its control. What matters is which law the provider is subject to, not where its servers stand.
Is Microsoft affected even for data held in EU data centers?

Yes. Microsoft is a US company and is subject to the CLOUD Act. This applies even to data stored in Microsoft data centers within the EU. Microsoft has introduced its own arrangements (the EU Data Boundary) to reduce the conflict, but they do not provide immunity from the CLOUD Act.