
CLOUD Act exposure: a 2026 buyer's checklist for EU SMEs


EU procurement teams now ask vendors about CLOUD Act exposure. Here's the 8-question checklist they use — and the 4 exposure tiers your vendors fall into.

Source: EuroComply Editorial (2026-05-31). Reviewed by: EuroComply Team, EU regulatory specialists. Content reviewed against official EUR-Lex texts.


The US Clarifying Lawful Overseas Use of Data Act — the CLOUD Act, signed into law in 2018 — grants US law enforcement authorities the power to compel US-based technology companies to produce electronic data stored anywhere in the world. This applies to Microsoft, Google, Amazon Web Services, Salesforce, Slack, and every other US-headquartered cloud service provider, regardless of whether the data is stored in Frankfurt, Dublin, or São Paulo.

For EU businesses using US cloud services, this creates a direct conflict with GDPR. The GDPR prohibits transfers of personal data to third countries unless an adequate level of protection can be ensured. An order under the US CLOUD Act that compels disclosure of EU personal data to a US federal agency is precisely the kind of transfer that GDPR Article 48 was designed to block.

This article explains the conflict in detail, identifies the specific GDPR provisions implicated, provides a practical checklist for evaluating US cloud vendors in 2026, and identifies the EU sovereign alternatives available to SMEs.

What the CLOUD Act Actually Does

Before the CLOUD Act, US law enforcement relied on the Stored Communications Act of 1986 to compel disclosure of data held by US providers. Providers who stored data outside the US challenged those warrants on jurisdictional grounds. In 2018, the US Supreme Court was due to rule on this question in United States v. Microsoft Corporation. Congress mooted the case by passing the CLOUD Act weeks before the ruling.

The CLOUD Act resolved the jurisdictional question in the government's favour. A US provider served with a CLOUD Act order must produce the requested data regardless of where it is stored. The provider can seek to quash the order if compliance would violate the laws of a foreign government with a "qualifying bilateral agreement," but no such agreement exists between the US and the EU. The EU-US Data Privacy Framework is a data transfer adequacy mechanism; it is not a qualifying bilateral agreement under the CLOUD Act, and it does not prevent CLOUD Act orders from being served.

The GDPR Provisions in Conflict

Article 48 of the GDPR provides that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement — such as a mutual legal assistance treaty — in force between the requesting third country and the EU or a member state.

A CLOUD Act order is not based on such an agreement. It is a unilateral exercise of US jurisdiction over a US person. When a US provider complies with a CLOUD Act order by disclosing EU personal data, it is making a transfer to a US government authority that has no GDPR legal basis. This exposes the provider to GDPR liability — and, depending on the circumstances, the EU data controller who placed the data with that provider.

Article 46 of the GDPR requires that where personal data is transferred to a third country, appropriate safeguards must be in place. Standard contractual clauses, binding corporate rules, and adequacy decisions are the primary Article 46 mechanisms. None of them protect against CLOUD Act compelled disclosure, because the safeguard operates between the EU controller and the non-EU processor — not between the processor and a US federal agency.

The Schrems II ruling of the Court of Justice of the EU (Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems, July 2020) invalidated the EU-US Privacy Shield precisely because US surveillance law — including FISA 702 and Executive Order 12333 — allowed US authorities to access personal data of EU residents without adequate protections. The CLOUD Act represents an extension of the same legal problem. An EU data exporter relying on SCCs with a US provider must assess whether US law allows authorities to access the data in a way that undercuts the SCC's protections. The CLOUD Act makes clear that it does.

The Data Act Dimension

Regulation (EU) 2023/2854 (the EU Data Act), which entered into application on 12 September 2025, adds a further layer of protection. Article 30 of the Data Act prohibits cloud service providers from transferring non-personal data held in the EU to third-country governments unless the transfer is based on an international agreement between the EU and that country, or the provider has obtained authorisation from a competent authority in the EU.

Article 30 does not apply to personal data — that remains governed by the GDPR — but it extends the protection logic to commercial and industrial data. For EU SMEs whose cloud environments hold a mix of personal and non-personal data (as most cloud environments do), Article 30 of the Data Act and Article 48 of the GDPR together substantially constrain the lawful use of US cloud services for sensitive data categories.

2026 Buyer's Checklist for EU SMEs

Use this checklist when evaluating any US-headquartered cloud service provider or when reviewing contracts with existing vendors.

1. Confirm the provider's country of establishment. If the parent company, the contracting entity, or any entity in the corporate chain is established in the United States, CLOUD Act jurisdiction applies. Having EU subsidiaries or EU data centres does not exempt a US parent from CLOUD Act obligations.

2. Check whether the vendor has published a CLOUD Act transparency report. Major providers including Microsoft, Google, and Amazon publish reports disclosing the number of CLOUD Act orders received. Review these reports to understand the frequency and scope of orders directed at your sector.

3. Assess what categories of data you store with the provider. Data that is genuinely low-risk — public content, non-personal operational logs — presents a different risk profile than HR records, customer personal data, financial data, or health data. Classify your data estate before assessing CLOUD Act exposure.

4. Review the Data Processing Agreement and transfer mechanism. Verify which Article 46 mechanism is relied upon (typically SCCs under the 2021 Commission Decision). Note that the SCC's transfer impact assessment must address CLOUD Act risk explicitly; most standard DPAs do not.

5. Request the vendor's transfer impact assessment. Since Schrems II, EU-based controllers are required to conduct a transfer impact assessment for SCCs with US providers. Ask the vendor for their documented TIA. If they cannot provide one, that is a material compliance gap.

6. Evaluate technical measures. End-to-end encryption with keys held by the EU controller — not the provider — is the primary technical measure that can defeat a CLOUD Act order targeting data content. Assess whether the provider's architecture supports customer-managed encryption keys for all data at rest and in transit.

7. Assess your contractual notification rights. Does the DPA or service agreement require the provider to notify you before complying with a government order, to the extent permitted by law? If not, negotiate this clause. Notification allows the EU controller to seek a protective order before disclosure occurs.

8. Consider data residency commitments. Data residency agreements keep data within EU borders for storage and processing. They do not block CLOUD Act orders — a US parent remains subject to US jurisdiction regardless of where data is physically stored — but they may trigger procedural steps that provide additional notification time.

9. Evaluate EU sovereign alternatives. For sensitive data categories, assess whether an EU-headquartered provider offers equivalent functionality. Providers headquartered in France, Germany, the Netherlands, or other EU member states are not subject to CLOUD Act jurisdiction for their EU operations.

10. Document your risk-based decision. Where you assess the risk as acceptable — because data is non-sensitive, encryption is in place, or the use case justifies it — document that assessment. Regulators will ask for evidence of a considered risk-based approach, not a binary choice.

EU Sovereign Cloud Alternatives

Several EU-headquartered cloud providers have built market positions specifically around CLOUD Act immunity. OVHcloud (France), Hetzner (Germany), IONOS (Germany), Scaleway (France), and Exoscale (Switzerland) are among the infrastructure providers whose parent companies are not subject to US jurisdiction.

For SaaS applications, the landscape is more fragmented. EU-native alternatives exist in CRM (Sellsy, SuperOffice), collaboration (Nextcloud, Cryptpad), and data analytics, but coverage is uneven. EU SMEs may need a hybrid approach: EU-native infrastructure for sensitive data, with US SaaS tools limited to non-sensitive operational use cases and subject to the checklist above.

Frequently Asked Questions

Does storing data in an EU AWS or Azure data centre protect it from the CLOUD Act? No. AWS and Microsoft Azure's EU data centres are operated by US parent companies. A CLOUD Act order served on Amazon.com Inc. or Microsoft Corporation requires production of data stored in those EU data centres. Data residency is not CLOUD Act immunity.

Does the EU-US Data Privacy Framework block CLOUD Act orders? No. The Data Privacy Framework is a mechanism for establishing GDPR adequacy for commercial transfers to certified US companies. It does not bind the US government's law enforcement powers or create any restriction on CLOUD Act orders.

What should I do if my cloud provider receives a CLOUD Act order for my data? Review your DPA for notification clauses. If you are notified, seek legal advice immediately. A motion to quash in the relevant US court is possible but rarely successful. The more effective strategy is proactive — ensuring that the most sensitive data is either encrypted with customer-managed keys or stored with an EU-sovereign provider.

Is the CLOUD Act relevant for SMEs that don't do business with the US? Yes. The CLOUD Act is triggered by using a US cloud provider, not by doing business with US customers. Any EU SME using Microsoft 365, Google Workspace, Salesforce, AWS, or similar US services has CLOUD Act exposure for data stored in those services.

Sources

  • US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 18 U.S.C. §§ 2701–2713 (2018)
  • Regulation (EU) 2016/679 (GDPR), Article 46 (Transfers subject to appropriate safeguards), Article 48 (Transfers or disclosures not authorised by Union law)
  • Court of Justice of the EU, Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems (Schrems II), 16 July 2020
  • Regulation (EU) 2023/2854 (EU Data Act), Article 30 (Unlawful third-country government access and transfers)
  • European Commission, Standard Contractual Clauses for the transfer of personal data to third countries (Commission Decision 2021/914)
  • EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data


EuroComply Editorial Team

EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.

For informational purposes only. Consult qualified legal counsel.
