What does the CLOUD Act mean for European companies?

1. What is the CLOUD Act?

The CLOUD Act ("Clarifying Lawful Overseas Use of Data Act") was passed in the USA in March 2018. It obliges US-based cloud providers such as Microsoft, Google and AWS to allow US law enforcement agencies - such as the FBI - access to users' data, even if it is stored on servers in Europe.

The CLOUD Act also requires the USA to enter into bilateral government agreements with foreign states that allow foreign investigative authorities access to data stored by US companies. In return, US investigators will also have access to data stored in the country in question. This inevitably leads to conflicts with existing national data protection regulations.

2. What is the current status of the CLOUD Act?

For the time being, the CLOUD Act is a unilateral initiative of the USA, and the European Union is very interested in a regulation for the entire Union that is not softened by bilateral agreements with member states. Nevertheless, this action by the USA is already threatening to undermine European efforts to improve data protection. The result for enterprises is uncertainty about compliance at present and in the future.

3. What are the potential problems of the CLOUD Act for European companies?

In particular, the CLOUD Act can undermine efforts to ensure strong data protection. It collides with the European GDPR ("General Data Protection Regulation"), which has been binding since 25 May 2018. Strictly speaking, cloud services by US providers are no longer data protection-compliant for European companies, even if hosted in data centres in Europe.

Data processed in the EU is subject to European Union law and thus to the GDPR. It stipulates that the transfer of personal data to a third country on the basis of a court ruling or an administrative decision must be governed by an international agreement, such as a mutual legal assistance agreement between the requesting third country and the EU or a member state. However, no such agreement covering the CLOUD Act exists between the EU and the USA, nor do bilateral agreements exist between individual EU member states and the USA.

Due to this legal situation, the disclosure of data stored and processed in the EU is a violation of the GDPR, which is punishable with fines. For US providers who are active in data processing in Europe, this means that they ultimately have to decide which law they want to violate: the European GDPR or the US CLOUD Act.

4. How can European companies prevent these problems?

For companies that are concerned about the confidentiality of sensitive business information as well as their customer data and legal compliance when using clouds, one question in particular is becoming increasingly important: where are the headquarters of the provider whose solutions and cloud resources are being used?

The safest way under data protection law is to host the data and applications at a European cloud provider in a data center with a European location.
