The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), signed into US law on 23 March 2018, creates a legal obligation that directly conflicts with the EU’s General Data Protection Regulation. This is not a matter of interpretation. The two laws impose contradictory requirements on the same data, and no contractual mechanism available today fully resolves the conflict.
European organisations using Microsoft 365, Google Workspace, AWS, or any service operated by a US-headquartered company need to understand this conflict in concrete terms, not as a theoretical privacy concern but as a legal exposure that affects their GDPR compliance posture.