How a narrow criminal investigation law avalanched into misinformed fear of mass surveillance and breaches of global data privacy.
Data used to be the small bits of knowledge your community held about you: the local bakery knowing your favorite bread, a bartender knowing your order. That knowledge rarely extended more than a few miles beyond your home. Today, our data is scattered across countries and oceans, with global cloud providers like Microsoft, Google, and AWS hosting it in data centers far from where it was created. This has created major anxiety and confusion surrounding data governance and privacy, particularly when navigating the conflicting jurisdictions of regional, national, and international privacy laws. The U.S. CLOUD Act was born from this chaos.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act is a federal law passed by the United States in 2018. It created a legal framework for cloud providers to follow when U.S. law enforcement requests data from their servers, regardless of where that data is stored globally. The CLOUD Act applies only to U.S. companies or entities under U.S. jurisdiction. Like all legal requests for information, it requires valid warrants, subpoenas, or court orders and does not provide the U.S. government with unfettered access to foreign or governmental data. Data requests must be limited to investigations into serious criminal offenses like terrorism, child exploitation, cybercrime, or narcotics trafficking.
As its name suggests, the CLOUD Act was intended to clarify international data governance. Instead, it has triggered widespread confusion, concern, and a wave of data repatriation efforts across the EMEA region. This article will debunk the most common myths surrounding the U.S. CLOUD Act, highlight how major cloud providers operate under EU and U.S. law simultaneously, and provide practical recommendations to help address lingering data security concerns.
Myth #1: “The U.S. CLOUD Act allows the U.S. government to access any data worldwide.”
Reality:
The CLOUD Act applies only when a U.S. company controls the data and when a lawful warrant exists under probable cause standards. The Act does not override foreign laws like the GDPR, the EU Charter of Fundamental Rights, or other local data protection, secrecy, and sovereignty laws. This gives cloud providers the ability to challenge requests that conflict with EU law.
We’ve seen some of the world’s largest cloud providers successfully invoke comity provisions. Microsoft’s transparency reports show the company frequently challenges cross-border warrants. AWS states that it never provides customer data to the U.S. government without a valid subpoena or warrant. Google’s transparency report similarly emphasizes that it requires a “binding legal process” and rejects overbroad requests for its data.
So no, the U.S. CLOUD Act does not allow the U.S. government to access any data worldwide. There are strict requirements and processes the U.S. government must follow to access data.
Myth #2: “The CLOUD Act allows general surveillance of foreign citizens or public-sector systems.”
Reality:
The Act cannot be used for mass surveillance of foreign citizens or public sector systems. Intelligence agency activities, such as the authorization to conduct warrantless surveillance on foreign citizens, are governed by the Foreign Intelligence Surveillance Act and are focused on national security—not the CLOUD Act. The key difference is that a CLOUD Act request must be tied to specific criminal investigations, target specific accounts or individuals, and meet strict judicial review. All the major cloud providers publish Annual Transparency Reports that prove compliance with these requirements, showing that they accept only narrow, case-specific requests, maintain high rejection or narrowing rates, and do not offer generalized access to public-sector or citizen data.
So no, the U.S. CLOUD Act does not allow general surveillance; it is limited to specific criminal investigation-based requests.
Myth #3: “European data stored in U.S. cloud services is automatically exposed to U.S. authorities.”
Reality:
Automatic access to cloud servers is impossible. When the CLOUD Act was enacted in 2018, the U.S. federal government did not receive the keys to all data centers. Authorities are not simply roaming server halls pulling information at will. The CLOUD Act doesn’t grant U.S. authorities automatic access to European data stored within U.S. cloud providers; instead, it establishes a legally binding process for requesting data. Requests must be narrow in scope and accompanied by proof of serious criminal activity. The cloud providers themselves then retrieve the relevant data and present it to U.S. authorities.
Customer-managed encryption keys (CMEK) can provide an additional layer of protection for the most sensitive data. CMEK works by ensuring the software provider cannot access your encrypted data because you control the key, not them.
The U.S. CLOUD Act explicitly does not require providers to decrypt data. It only requires them to produce data they possess or control, and with CMEK they do not control the key needed to read it. So while the CLOUD Act allows requests for data under U.S. jurisdiction, encryption with customer-held keys means the provider can hand over only ciphertext it has no key to unlock.
Cloud Provider Protections
The major cloud providers, Microsoft, AWS, and Google Cloud, all offer their own versions of these protections and CMEK.
- Microsoft offers Customer Key and Double Key Encryption, with keys stored in Azure Key Vault, allowing organizations to encrypt sensitive data across Microsoft services.
- AWS offers customer-managed KMS (Key Management Service) keys backed by an AWS CloudHSM cluster, giving the organization full key custody and a local-only key store.
- Google Cloud offers CMEK through Cloud KMS Autokey or External Key Manager (EKM) options, giving the customer full key sovereignty.
So, European data stored in U.S. cloud services is NOT automatically exposed to U.S. authorities; the request framework, together with CMEK, helps safeguard against this exposure.
Myth #4: “U.S. cloud providers are inherently risky for EU public sector and organizations.”
Reality:
The myth that organizations incur a great risk by using U.S. cloud providers rather than EU cloud providers is founded on the fear that U.S. cloud providers are exempt from EU compliance frameworks. This is false. Any U.S. Cloud provider operating in the EU is required to comply with strict EU compliance frameworks including:
- EU Data Privacy Framework (for transatlantic data transfers)
Practical Safeguards Available:
Beyond the EU compliance frameworks, many of the major U.S. Cloud providers offer practical safeguards their customers can implement to further protect their data.
- Data Localization: Cloud providers are increasingly offering options to keep EU data within the region. For example, Microsoft introduced a feature in 2023 that allows customers to store and process all their customer data exclusively within the EU Data Boundary.
- Contractual Protections: Organizations can implement Standard Contractual Clauses (SCCs), which are pre-approved legal templates that ensure personal data transferred outside the European Economic Area (EEA) meets GDPR’s strict data protection requirements.
- Technical Protections: Below is a list of security measures customers can implement to safeguard data:
- End-to-end encryption
- Zero standing access policies
- Confidential computing
- Audit logs & monitoring
- Customer-managed keys
How the CLOUD Act Is Misrepresented in EMEA Media
Common misrepresentations & why these narratives persist
The CLOUD Act has been widely misunderstood, leading to headlines claiming U.S. authorities can “reach into EU data centers” or that U.S. cloud companies “cannot protect EU customer data.” As discussed earlier, the CLOUD Act does not grant direct access into EU data centers, and U.S. cloud providers can protect EU customer data through multiple safeguards. Headlines like these oversimplify and misrepresent the Act’s actual scope and purpose.
Rising nationalism and geopolitical tensions have fueled political debates that wrongly portray the CLOUD Act as a surveillance law. Critics often conflate it with FISA, the Patriot Act, and other espionage laws, when in fact it has little to do with surveillance and much more to do with streamlining criminal investigations through proper legal channels.
Non-U.S. service providers are capitalizing on this misinformation for their own competitive gain, using the fear and confusion about the CLOUD Act to promote “EU-only” cloud solutions as supposedly safer alternatives.
What Actually Happens When Law Enforcement Requests Data
Since misinformation is sowing chaos and panic is growing around the cloud, let’s set the record straight. What actually happens when law enforcement requests data under the CLOUD Act?
Standard Process
- A U.S. law enforcement agency seeks data for a specific criminal investigation.
- They apply to a U.S. court for a warrant based on probable cause.
- The cloud provider receives the request.
- The cloud provider can:
- Accept the request
- Challenge it
- Seek clarification
- Reject it if it conflicts with EU law
- If accepted, only the specific requested data is disclosed, not entire systems.
- The acceptance rate is generally very low. According to Microsoft, in 2024, only 4.94% of law enforcement requests resulted in the disclosure of content.
The Role of Encryption and European Sovereignty Controls
While the U.S. CLOUD Act includes some built-in safeguards, encryption and European Sovereignty Controls can provide an additional layer of protection. Organizations can implement these measures in several ways:
- Customer-managed encryption keys (CMEK): As discussed previously, CMEKs allow customers to retain control of their data, preventing cloud providers from being able to decrypt their data in response to CLOUD Act requests.
- Geo-fenced data residency: Geo-fencing creates a virtual perimeter that enforces data residency laws and regulations. It ensures that data is stored, processed, and accessed only within specified physical and virtual boundaries, helping organizations comply with data localization requirements such as those arising under the GDPR.
- No provider access to plaintext data: This approach ensures that data is encrypted before the provider can access it, meaning the provider cannot read the actual content. This is typically achieved through end-to-end encryption (E2EE) or zero-access encryption, ensuring that only the customer with the encryption key or password can view the original, readable data.
- Digital Sovereignty Features: Cloud providers have invested in these features, providing EU-only support teams and sovereign cloud solutions. These solutions are designed to keep data and operations within a specific nation, ensuring they remain subject to local laws and regulations while being shielded from foreign jurisdiction and access requests.
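The CMEK discussion under Myth #3 and the "no provider access to plaintext data" control above both rest on the same mechanism: the provider stores ciphertext plus a data key wrapped under a key only the customer holds, so a disclosure can yield nothing readable. The following Go program is an added illustration of that envelope-encryption pattern; it is not code from the original article or from any of the providers named, and the `StoredObject` type, the function names, and the "citizen record" sample input are constructed for this example. The customer-held KEK is generated in memory here, whereas a real deployment keeps it in a customer-controlled HSM or external key manager.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what the provider holds at rest: the encrypted payload and
// the data-encryption key (DEK) wrapped under the customer's key-encryption
// key (KEK). The KEK itself never appears in provider storage.
type StoredObject struct {
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prefixed
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prefixed
}

// sealWith encrypts plaintext under key with AES-256-GCM and prefixes the nonce.
func sealWith(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith. The GCM tag check fails on a wrong key or any
// tampering, so a caller never receives silently corrupted plaintext.
func openWith(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// NewKEK generates the customer's 256-bit key-encryption key (in-memory stand-in
// for an HSM- or EKM-held key).
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return kek, err
}

// Encrypt performs envelope encryption on the customer side before upload:
// fresh DEK per object, data sealed under the DEK, DEK sealed under the KEK.
func Encrypt(kek, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := sealWith(dek, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealWith(kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt is what only a KEK holder can do: unwrap the DEK, then open the data.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := openWith(kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, obj.Ciphertext)
}

// ProviderCanRead models a party that holds the stored object but not the KEK:
// it can only try the keys it actually possesses.
func ProviderCanRead(obj StoredObject, keysHeld [][]byte) bool {
	for _, k := range keysHeld {
		if _, err := Decrypt(k, obj); err == nil {
			return true
		}
	}
	return false
}

func main() {
	kek, _ := NewKEK()
	record := []byte("constructed sample: citizen record 0001") // constructed input
	obj, _ := Encrypt(kek, record)
	fmt.Println("provider with no KEK can read:", ProviderCanRead(obj, nil))
	fmt.Println("provider with a wrong key can read:", ProviderCanRead(obj, [][]byte{make([]byte, 32)}))
	pt, _ := Decrypt(kek, obj)
	fmt.Println("customer plaintext matches:", bytes.Equal(pt, record))
}
```

The design choice worth noting is the per-object DEK: the customer's KEK wraps only 32-byte keys, so it is used sparingly and can stay inside an HSM, while destroying or revoking the KEK renders every wrapped DEK, and therefore every stored object, permanently unreadable (crypto-shredding). The GCM authentication tag also means a provider or requester trying an incorrect key gets a hard error rather than garbage that might be mistaken for data.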
How Major Cloud Providers Implement These Protections:
- Microsoft EU Data Boundary: Since 2023, Microsoft has offered customers the ability to keep their data in the EU and has kept most of its EU support operations inside the region.
- Google Cloud Sovereign Controls: Google offers a Sovereign cloud solution with EU-delivered support and local key management.
- AWS Nitro Architecture: AWS offers a hardware-based security system that creates strong physical and logical boundaries to enforce access restrictions. This architecture ensures that no one, including AWS employees, can access customer data, even when responding to law enforcement requests under the CLOUD Act.
Practical Recommendations for Government Agencies
Now that we’ve addressed some of the myths and fears surrounding the CLOUD Act, it’s important to acknowledge the broader concern driving this fear: data security itself. As data volumes grow exponentially, so do the associated security risks. Government agencies can take practical steps to strengthen data security and address these growing concerns through both technical and security measures, and governance and compliance actions.
Technical & Security Measures
Government agencies can enact the following technical and security measures when working with cloud providers:
- Use customer-managed encryption or external key-management solutions.
- Enforce EU-only data localization for regulated workloads.
- Disable provider access through zero-standing access models.
- Implement confidential computing for sensitive workloads.
Governance & Compliance
Government agencies should scrutinize cloud partnerships carefully, taking the following steps:
- Review cloud provider transparency and audit reports annually.
- Ensure GDPR compliance through Standard Contractual Clauses (SCCs) and Data Protection Impact Assessments (DPIAs) for high-risk workloads.
- Conduct thorough vendor and sovereignty assessments focusing on:
- Access-control architecture
- Encryption posture
- Data residency options
- Incident response
- Legal interoperability
- Support and operator-access restrictions
Conclusion
The CLOUD Act is a narrowly focused criminal-investigation law, not a tool for mass surveillance or global data access. Much of the fear that has arisen around it in the EMEA region stems from misinformation rather than technical or legal realities. European government agencies and organizations can safely use U.S. cloud providers when employing proper legal and technical safeguards. With transparency, encryption, and sovereignty controls, U.S. cloud platforms remain legally compliant and secure for EU workloads.