Definition

CLOUD Act

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) is a US federal law that compels US-based service providers to disclose data they hold or process, regardless of where in the world the data is physically stored.

For European buyers, the CLOUD Act creates a direct conflict with GDPR Article 48: the EU forbids data transfers to a non-EU authority absent an international agreement, while the CLOUD Act requires the disclosure. Even a European subsidiary or an EU-region deployment of a US-domiciled service does not solve this — the parent entity is still compelled. The only architectural solution is on-premise deployment by a non-US-affiliated vendor.

Why it matters

  • For ANSSI-regulated French organisations, banks supervised under the EBA, NIS2 essential entities, and HDS-certified healthcare hosts, CLOUD Act exposure is a procurement disqualifier.
  • The European Cloud Sovereignty Framework (SEAL-3) was created largely in response to this conflict.
  • On-premise deployment by an EU vendor is the only configuration with verifiable CLOUD Act immunity.

Common questions

Does FISA 702 have the same effect?

Yes, in practice. FISA Section 702 authorises bulk surveillance of non-US persons by US intelligence agencies and binds US-domiciled providers similarly. It is the secondary lever European DPAs cite when ruling on Standard Contractual Clauses.
