The US CLOUD Act vs. GDPR: A Legal Collision European Businesses Cannot Patch with Contracts
The CLOUD Act and GDPR impose contradictory obligations on the same data. Standard Contractual Clauses, the EU-US Data Privacy Framework, and contractual safeguards do not resolve the conflict. Here is what the law actually says and what it means for organisations using US cloud providers.
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), signed into US law on 23 March 2018, creates a legal obligation that directly conflicts with the EU’s General Data Protection Regulation. This is not a matter of interpretation. The two laws impose contradictory requirements on the same data, and no contractual mechanism available today fully resolves the conflict.
European organisations using Microsoft 365, Google Workspace, AWS, or any service operated by a US-headquartered company need to understand this conflict in concrete terms, not as a theoretical privacy concern but as a legal exposure that affects their GDPR compliance posture.
What the CLOUD Act Actually Requires
The CLOUD Act (codified at 18 U.S.C. §2713) states:
“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”
The key phrase is “regardless of whether such communication, record, or other information is located within or outside of the United States.” This means a US court order or subpoena issued to Microsoft can compel disclosure of data stored on servers physically located in Frankfurt, Dublin, or Amsterdam.
The CLOUD Act applies to:
- All US-headquartered companies and their subsidiaries worldwide
- All data in their possession, custody, or control, regardless of storage location
- All types of electronic communications, including email, files, chat messages, calendar entries, and metadata
The Act does include a “comity analysis” provision (18 U.S.C. §2703(h)) that allows a provider to challenge an order if complying would violate the laws of a “qualifying foreign government.” But this provision only applies to countries that have signed an executive agreement with the US under the CLOUD Act. The EU as a whole has not signed such an agreement. Individual member states have not either. The comity provision is, for European data, largely inoperative.
What GDPR Requires
Article 48 of the GDPR states:
“Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.”
In plain language: a US court order is not, by itself, a lawful basis for transferring personal data from the EU to the US. A provider that complies with a CLOUD Act order by handing over EU personal data without a mutual legal assistance treaty (MLAT) request may violate GDPR.
Article 6 of the GDPR provides lawful bases for processing, none of which straightforwardly cover compliance with a foreign law enforcement order that bypasses EU legal channels. Article 49 provides derogations for specific situations (such as “necessary for important reasons of public interest”), but the European Data Protection Board (EDPB) has consistently held that these derogations should be interpreted narrowly and cannot serve as a routine basis for transfers.
The Contradiction
The collision is straightforward:
- The CLOUD Act says: “You must hand over the data when we order you to, regardless of where it is stored.”
- The GDPR says: “You must not hand over personal data to a foreign authority without going through proper EU legal channels.”
A US cloud provider that receives a CLOUD Act order for data belonging to European customers faces a choice: comply with US law and risk violating GDPR, or refuse to comply with US law and face contempt of court in the United States.
Microsoft, Google, and Amazon have all publicly acknowledged this conflict. Microsoft’s own transparency reports document thousands of law enforcement requests per year. In its 2023 transparency report, Microsoft disclosed that it received 9,056 legal demands from US law enforcement, covering 16,110 accounts. Google’s 2023 transparency report showed 60,547 US government requests for user data across all Google services. Not all of these involved EU data, but neither company discloses how many did.
Why Existing Safeguards Fall Short
Standard Contractual Clauses (SCCs)
SCCs are the most common mechanism European organisations use to legitimise data transfers to the US. The European Commission adopted new SCCs in June 2021 (Commission Implementing Decision 2021/914) to replace the older versions, whose sufficiency the Schrems II ruling had called into question.
But SCCs are contractual. They bind the parties to certain data protection obligations. They do not and cannot override the CLOUD Act, which is a law. A US provider that signs SCCs promising not to disclose data without lawful EU authorisation is making a promise it may be legally compelled to break.
The EDPB’s post-Schrems II guidance (Recommendations 01/2020) requires organisations to conduct a “Transfer Impact Assessment” (TIA) before relying on SCCs. That assessment must evaluate whether the legal framework of the recipient country provides “essentially equivalent” protection to the GDPR. For the US, the answer, after Schrems II, was no. The question is whether the 2023 EU-US Data Privacy Framework changes that conclusion.
The EU-US Data Privacy Framework (DPF)
The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework on 10 July 2023 (Commission Implementing Decision C(2023) 4745). This framework replaced the invalidated Privacy Shield and is based on US Executive Order 14086, signed by President Biden on 7 October 2022.
The DPF introduces a Data Protection Review Court (DPRC) in the US and imposes proportionality requirements on US intelligence agencies’ access to EU data. Organisations that self-certify under the DPF can transfer data to the US without SCCs.
But the DPF has significant limitations:
- It does not address the CLOUD Act directly. The DPF focuses on intelligence agency access (FISA Section 702, Executive Order 12333). Law enforcement access under the CLOUD Act is a separate legal basis with a separate process.
- It rests on an executive order. Executive Order 14086 can be revoked or modified by any future president without Congressional approval. The protections it provides are not statutory.
- It is likely to face legal challenge. Max Schrems and noyb have publicly stated their intention to challenge the DPF. If the Court of Justice of the European Union (CJEU) follows the reasoning of Schrems I and Schrems II, the DPF could be invalidated, just as Safe Harbor and Privacy Shield were before it. Given that the incoming US administration in 2025 signalled a different posture on transatlantic data cooperation, the stability of the framework is uncertain.
Contractual Protections from Cloud Providers
Microsoft, Google, and AWS all offer contractual commitments to challenge law enforcement requests that conflict with EU law. Microsoft’s “EU Data Boundary” commitment, for example, promises to store and process EU customer data within the EU and to challenge any government request that conflicts with EU law.
These commitments are meaningful as expressions of intent. They are not meaningful as legal protections. A provider that receives a valid US court order cannot simply decline to comply because of a contractual commitment to a customer. Contempt of court carries real consequences: fines, sanctions, and potential criminal liability for company officers.
The practical value of these commitments is that the provider will challenge the order through the legal system. But the outcome of that challenge is uncertain, and the customer may never know the order was issued. CLOUD Act orders can include non-disclosure provisions that prevent the provider from informing the customer.
Practical Implications for European Organisations
GDPR Accountability
Under GDPR’s accountability principle (Article 5(2)), the data controller (your organisation) is responsible for ensuring lawful processing. If personal data you control is disclosed to US authorities via a CLOUD Act order served on your cloud provider, the legal question is whether you took adequate measures to prevent that disclosure.
Relying solely on SCCs, the DPF, or contractual commitments from Microsoft may not satisfy the accountability standard, particularly if a supervisory authority later determines that the risk was foreseeable and alternative processing arrangements were available.
Data Protection Impact Assessments
Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) when processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Processing personal data on US-controlled infrastructure, given the known CLOUD Act exposure, arguably meets this threshold.
A DPIA for US cloud services should document the CLOUD Act risk, the safeguards in place, the residual risk after those safeguards, and the alternatives considered. If the alternatives (EU-hosted services with EU-jurisdictional providers) were available and comparable, a supervisory authority may question why they were not chosen.
Sector-Specific Exposure
Certain sectors face amplified risk:
- Legal services: Attorney-client privilege may not be respected under US law enforcement orders.
- Healthcare: Patient data disclosed under a CLOUD Act order would violate both GDPR and most member states’ health data protection laws.
- Financial services: DORA (Digital Operational Resilience Act) explicitly requires financial entities to assess ICT third-party concentration risk, including jurisdictional risk.
- Public sector: Government data processed on US-controlled infrastructure raises sovereignty concerns beyond data protection.
What Organisations Should Do
The CLOUD Act vs. GDPR conflict cannot be resolved by better contracts. It is a structural issue created by conflicting legal obligations across jurisdictions. The options available to European organisations are:
- Understand the exposure. Conduct a transfer impact assessment for every service that processes EU personal data on US-controlled infrastructure. Document the specific CLOUD Act risk.
- Classify your data. Not all data carries the same risk. Personal data subject to GDPR has higher exposure than non-personal operational data. Sensitive categories (health, legal, financial, children’s data) carry the highest exposure.
- Apply supplementary measures where possible. Client-side encryption with customer-held keys can reduce (but not eliminate) the risk. If the provider cannot decrypt the data, a CLOUD Act order produces encrypted content the provider cannot read. Microsoft’s Double Key Encryption and Google’s Client-side Encryption offer this for some services, with functional limitations.
- Evaluate EU-jurisdictional alternatives for high-risk data. For the most sensitive data categories, the most effective mitigation is processing on infrastructure controlled by an EU-jurisdictional entity. This eliminates the CLOUD Act vector entirely.
- Document your decisions. Whatever approach you choose, document it. Supervisory authorities will not penalise organisations that made reasonable, documented decisions based on available information. They will penalise organisations that did not assess the risk at all.
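The supplementary-measures step above rests on one mechanism: if the customer encrypts before upload and keeps the key, the provider holds only ciphertext, so a disclosure order yields content the provider cannot read. The following is an added example, not code from this article or from Microsoft, Google or AWS. It models that split with AES-GCM from Go's standard library; the type and function names (CustomerKey, StoredObject, ProviderDisclosure) are illustrative and correspond to no vendor API, and key storage (an on-premises HSM or KMS) is assumed to exist outside the program. It also shows the residual exposure the text mentions: object names, sizes and other metadata the provider needs to run the service stay in the clear.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustrative model (not any vendor's implementation) of client-side
// encryption with a customer-held key. The customer encrypts before
// upload; the provider stores only what StoredObject contains.

// StoredObject is everything the provider holds for one object.
type StoredObject struct {
	Name       string // object name: plaintext metadata the provider can see
	Nonce      []byte // random per-object AES-GCM nonce; not secret
	Ciphertext []byte // AES-GCM output (ciphertext followed by a 16-byte tag)
}

// CustomerKey is a 256-bit AES key that never leaves the customer's control
// (assumed to live in a customer-operated HSM/KMS in a real deployment).
type CustomerKey struct{ raw []byte }

// NewCustomerKey generates a fresh key from the OS CSPRNG.
func NewCustomerKey() (*CustomerKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return &CustomerKey{raw: raw}, nil
}

func (k *CustomerKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.raw)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the customer's side before upload. The object name is
// bound as associated data, so a stored object cannot be silently renamed.
func (k *CustomerKey) Encrypt(name string, plaintext []byte) (StoredObject, error) {
	gcm, err := k.aead()
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return StoredObject{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the customer's download path. A wrong key, or any change to
// the name, nonce or ciphertext, makes GCM's tag check fail.
func (k *CustomerKey) Decrypt(obj StoredObject) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered object")
	}
	return pt, nil
}

// ProviderDisclosure models what the provider could hand over when it holds
// only the StoredObject: name, plaintext size, nonce and opaque ciphertext.
// Content is protected; this metadata is the residual exposure.
func ProviderDisclosure(obj StoredObject) map[string]string {
	return map[string]string{
		"name":       obj.Name,
		"size_bytes": fmt.Sprint(len(obj.Ciphertext) - 16), // GCM tag is 16 bytes
		"nonce_hex":  fmt.Sprintf("%x", obj.Nonce),
		"content":    fmt.Sprintf("%x", obj.Ciphertext),
	}
}

// ContainsPlaintext reports whether a disclosed record leaks the plaintext.
func ContainsPlaintext(disclosed map[string]string, plaintext []byte) bool {
	for _, v := range disclosed {
		if bytes.Contains([]byte(v), plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewCustomerKey()
	// Constructed sample record, not real data.
	obj, _ := key.Encrypt("records/2024/0001.json", []byte("constructed patient record"))
	for k, v := range ProviderDisclosure(obj) {
		fmt.Printf("%-10s %s\n", k, v)
	}
}
```

The point the example makes beyond the text: the name and size are still disclosable, so a classification decision (step two above) still has to consider whether object names or access patterns are themselves sensitive, and the key must genuinely be held outside the provider's control, or the split collapses.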
The CLOUD Act and GDPR will continue to coexist in tension until either the US changes its law or the EU and US negotiate a comprehensive agreement that addresses law enforcement access. Neither outcome is imminent. European organisations need to make decisions based on the law as it stands, not as they hope it will change.
Sovereign Shift maps every data flow to US-controlled infrastructure and identifies where EU-jurisdictional alternatives exist. The audit delivers the documentation your DPIA and NIS2 assessment need. Get in touch →