Skip to main content
US CLOUD Actdata sovereigntyGDPRcross-border data transfercloud actdata privacy

What Is the US CLOUD Act?

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018, is a United States law that lets US authorities compel US-based providers to hand over data in their possession, custody, or control, regardless of where in the world that data is physically stored. In practice, it means data held by a US company can be reached by US authorities even when it sits in a data center in Frankfurt, Dublin, or anywhere else.

For European organizations, the CLOUD Act is the concrete reason that storing data in an EU region is not the same as keeping it beyond foreign reach. It is central to the debate about data sovereignty, and it is one of the main drivers behind Europe's push for sovereign infrastructure.

TL;DR

The US CLOUD Act (2018) lets US authorities compel US-based providers to disclose data they have possession, custody, or control of, regardless of where it is stored, including EU data centers. It amended the Stored Communications Act and can extend to US companies and their subsidiaries. It creates a direct conflict with the GDPR: under Article 48, a foreign order does not by itself make a data transfer lawful, so a provider can be caught between US and EU law. Storing data in an EU region does not remove it from reach if the operator is subject to US jurisdiction. The reliable defense is sovereignty: a provider outside US jurisdiction, running where you control it.

What the US CLOUD Act Is

The CLOUD Act updated the 1986 Stored Communications Act, which sets the rules for when the US government can compel providers to produce stored electronic communications. Before the Act, there was legal doubt about whether a US warrant could reach data stored abroad. The CLOUD Act removed that doubt in the government's favor: what matters is not where the data sits, but whether a US-reachable provider controls it.

It applies to providers subject to US jurisdiction, which includes US-headquartered companies and, depending on the control they hold, their subsidiaries. The trigger is control over the data, not the data's location.

How It Works

The mechanism is straightforward and that is exactly why it matters:

  • A US authority issues a lawful order (a warrant or subpoena) for specific data.
  • The order is served on a provider subject to US jurisdiction that has possession, custody, or control of that data.
  • The provider must produce the data, whether it is stored in the US or in an EU region. Geography does not shield it.

The Act also created a framework for executive agreements between the US and other countries to streamline cross-border requests, but the core obligation on US-reachable providers stands regardless of any such agreement.

How the US CLOUD Act reaches data LOCATION DOES NOT SHIELD THE DATA US authority issues order US-based providerhas possession, custody, or control Data in US regionreachable Data in EU regionstill reachable Collides with GDPR Article 48a foreign order does not, by itself, make the transfer lawful under EU law
Click to enlarge

The Conflict with GDPR

The CLOUD Act puts European organizations in a genuine bind. If a US provider discloses EU personal data to US authorities under a CLOUD Act order, that disclosure can itself breach the GDPR. Under Article 48 of the GDPR, a judgment or decision by a third-country authority does not, on its own, make a transfer of personal data lawful; it needs a valid basis under EU law, such as an international agreement.

The European Data Protection Board has taken a restrictive view here: in the absence of such a basis, an EU-bound provider generally cannot lawfully hand personal data to US authorities in response to a direct CLOUD Act request. The result is a conflict of laws, obey the US order and risk GDPR penalties, or follow GDPR and risk US non-compliance, that no amount of contractual language fully resolves.

What It Means for EU Organizations

The practical lesson is that jurisdiction, not geography, decides who can reach your data. A data catalog is a sensitive example: it describes what data you hold, where it flows, and who owns it, exactly the kind of map you do not want exposed to a foreign order. Choosing where that catalog runs, and who operates it, is a sovereignty decision.

This is why residency alone does not solve the problem, and why interest in sovereign cloud and European-operated infrastructure has grown. The reliable way out of the conflict is to ensure the provider holding your data is not subject to US jurisdiction in the first place, and that the data can run in an environment you control.

How Dawiso Fits

Dawiso is built so the CLOUD Act conflict does not apply to your governed metadata.

  • European-owned and operated. Dawiso is built and run by a European company, so there is no US parent that a CLOUD Act order can compel on your behalf.
  • Deploy where you control it. Run Dawiso in a private cloud inside your own EU tenant or fully on-premise, so your data and metadata stay in an environment and jurisdiction you control.
  • Metadata-only, isolated per customer. In hybrid setups only metadata is transferred, and each customer has a separate metadata store, supporting GDPR, ISO 27001, and SOC 2.
  • Governance that supports compliance. The data catalog, classification, and lineage give you the picture of personal and sensitive data that GDPR and the EU Data Act assume you have.

The wider case is in European data sovereignty and the data catalog.

Conclusion

The US CLOUD Act lets US authorities compel US-based providers to disclose data wherever it is stored, which is why EU residency on a US-operated platform does not put data beyond reach. It collides with the GDPR, leaving European organizations in a conflict of laws that contracts cannot fully fix. The dependable answer is sovereignty: keep your most sensitive systems, your data catalog included, with a European provider, running where you control it.

See it in action

Data & Analytics Catalog

Create a unified view of your data assets and gain insights faster with automated data discovery.