The CLOUD Act: What European companies need to know about data storage in US clouds
The CLOUD Act is a US law that allows US authorities to access data stored by US companies. In this article, we take a look at what this means for European companies.

What is the CLOUD Act and why does it exist?
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) allows US authorities to access data stored by US companies, regardless of whether this data is located in the US or abroad. It was created to enable US authorities to obtain faster access to electronic evidence in the fight against serious crimes such as terrorism and cybercrime.
It creates a clear legal basis for US companies to disclose data, regardless of where it is stored. At the same time, the law promotes international cooperation: under certain conditions, foreign authorities can also obtain direct access to data from US providers through bilateral agreements. The aim of these regulations is to make law enforcement more efficient and reduce legal conflicts between national data protection laws.
Criticism of the CLOUD Act from a data protection perspective
From a European perspective, the CLOUD Act has faced criticism since its introduction – especially concerning the protection of personal data and business-critical information. The core concern is that US authorities can even access data stored in European data centers if the cloud provider is owned by a US-based company.
Using cloud services from American providers therefore potentially entails a loss of data sovereignty. Even when data is physically stored in Europe, the CLOUD Act may allow US authorities to access it. This applies not only to personal information but also to trade secrets and intellectual property.
The latter is especially concerning for many companies: the risk that state access could lead to sensitive information falling into the wrong hands is increasingly perceived as a threat of industrial espionage – particularly when technical expertise or strategically important data is involved.
Another unresolved issue is how the CLOUD Act aligns with the GDPR. The regulation stipulates that personal data may only be transferred to or processed in third countries if an adequate level of protection is guaranteed. If this requirement is undermined by the CLOUD Act – for instance, because technical or contractual safeguards fail to apply – it could constitute a clear violation of European data protection law.
Consequences of ignoring the risks
Anyone who underestimates the impact of the CLOUD Act and stores sensitive data – such as trade secrets or personal information – unencrypted in a US cloud is exposing their company to real risk. If data access by US authorities goes unnoticed or is not detected in time, this can lead to a leak of critical information. This could result in the loss of business-critical company secrets through industrial espionage. Given the current "America First" trend, such targeted sabotage is no longer entirely unrealistic.
Trust from customers and partner companies is also at stake – often with long-term consequences. However, this doesn’t mean that American cloud providers should be ruled out entirely. In many cases, only a small portion of company data is truly sensitive. If you use US-based clouds solely for data that doesn’t require special protection, there’s little cause for concern. For highly sensitive data from critical business areas, however, a dedicated strategy is recommended.
Protective measures and recommendations
To minimize the risks of the CLOUD Act and comply with the requirements of the GDPR, European companies should consider the following measures:
- Choose European cloud and hosting providers: Opt for providers with headquarters and data centers in the EU that are not subject to US law, especially for your highly sensitive data and business areas.
- Conclude an AVV: A carefully worded data processing agreement (AVV, Auftragsverarbeitungsvertrag) with the cloud provider is essential. It regulates how data may be processed and is a central component of GDPR compliance – even in the context of the CLOUD Act. An AVV protects you in terms of GDPR compliance, but your trade secrets are still not 100% secure.
- Check data sovereignty: Ensure that your data is not processed by subsidiaries of US companies.
There are many ways to deal effectively with the CLOUD Act without relinquishing control over your own data or violating the GDPR. A differentiated strategy is crucial: while less critical data can be stored in international clouds without any problems, information that requires special protection needs a safe haven.
This is exactly where makandra comes in: We develop and operate customized applications for sensitive data – from individual software to AI solutions to internal wiki software. Everything is hosted and developed in Germany, with the highest security standards and full GDPR compliance.