CLOUD Act
1 min
The CLOUD Act allows US law enforcement to compel US-based technology companies to provide data stored on their servers regardless of physical location. Storing data in an EU datacenter operated by Microsoft, Amazon, or Google does not shield it from US government access. The law was passed in response to the Microsoft Ireland case where Microsoft refused to hand over emails stored in Ireland. It creates legal conflicts with GDPR: US companies face an impossible choice between complying with US law (disclose data) or EU law (protect data). For humanitarian organizations and enterprises handling sensitive data, CLOUD Act exposure is a critical sovereignty concern. Mitigations include using non-US providers, client-side encryption with self-managed keys, and zero-knowledge architectures. The EU-US Data Privacy Framework does not eliminate CLOUD Act powers; US companies remain subject to disclosure orders.