Key Takeaways
The US CLOUD Act lets authorities request data from providers under US jurisdiction, even when it’s stored overseas. Regulated teams worry about sovereignty, GDPR conflicts, and limited notice. The fix is governance, customer-managed encryption, and careful workload placement. Claromentis supports this with granular controls and flexible deployment options: on-premises, private, sovereign, or SaaS.
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) became law in 2018. It permits the US government, and approved foreign partners, to retrieve electronic data from US-based providers no matter where that data sits.
In 2025, concerns were ignited in Europe when Microsoft admitted that it “cannot guarantee data sovereignty” for EU customers. Since then, security teams across the continent have started to worry about data sovereignty when their providers are subject to US jurisdiction.
Particularly for regulated industries, the fact that jurisdiction now follows corporate control rather than data location means they have less control over who can access their sensitive data.
What problem is the CLOUD Act trying to solve?
Before 2018, investigators typically relied on Mutual Legal Assistance Treaties (MLATs) to obtain evidence held abroad. MLATs are lawful but slow, and modern cloud architectures complicate “where” data lives at any moment. The CLOUD Act was designed to reduce that friction so serious-crime cases can move forward without months of paperwork.
How the CLOUD Act works
The CLOUD Act is split into two key parts.
CLOUD Act Part 1: Executive agreements
The Act allows the US to enter bilateral agreements with countries that meet rule-of-law and rights safeguards. These agreements require cloud providers to respond directly to qualifying orders from the partner country, rather than routing everything through MLATs.
CLOUD Act Part 2: Data disclosure requirements
The Act clarifies that a company under US jurisdiction can be required to produce data it controls, regardless of storage location. In practice, access follows corporate control, not geography.
These executive agreements and data disclosures come with guardrails: targeted orders, independent review, no bulk collection, restrictions regarding US persons, and periodic joint oversight. The intent is to speed up legitimate investigations without creating a free-for-all.
The CLOUD Act in practice: the US / UK agreement
As an example of a bilateral executive agreement, see the US / UK CLOUD Act agreement, signed on Oct 3rd 2019. It entered into force in 2022 and sets out how data disclosures and the sharing of information in sensitive scenarios are handled by each party.
Does the CLOUD Act only apply to the US?
Not exclusively. The Act itself is American, but lawful access to electronic evidence is common across the globe: many countries have the legal tools to compel access to evidence both within their jurisdictions and internationally, and those countries have agreed to a principle of reciprocity when sharing this sensitive data. This is enshrined in the Budapest Convention, which aligns national laws and facilitates international co-operation.
Why is the CLOUD Act a concern for businesses?
Recent concerns have risen due to Microsoft's admission that it “cannot guarantee data sovereignty” for customers within the EU should the Trump administration demand access to data stored on its servers.
This has prompted organizations across the globe to worry about the security of their sensitive data. These concerns revolve around three key themes:
- Data sovereignty risk. If your cloud provider is a US entity (or operates in the US), requests can reach data stored in other regions. Even if such requests are rare, this theoretical exposure matters to highly regulated industries.
- Privacy and GDPR tension. Because CLOUD Act orders can compel disclosure outside the EU, providers may face conflict-of-laws risks under GDPR (Article 48) when asked to respond directly to a U.S. order without an applicable international agreement.
- Customer notification limits. Non-disclosure obligations can prevent providers from telling customers about certain requests, at least for a time, which undermines transparency and trust, and complicates incident response timelines.
What can organizations do to ensure data privacy and compliance?
Your first steps should be to research and better understand both national and international laws around the sharing of data evidence, including but not limited to the CLOUD Act.
That being said, there are a few practical things you can do now to ensure data security, privacy and compliance.
1. Understand your data sovereignty risk
Map all your locations, activities, and access requests. Then investigate which of your vendors and suppliers are subject to US jurisdiction. Remember, this can include businesses that are a subsidiary of a US company, or a business that has significant operations within the USA.
Once you understand all of this, you can analyze your risk and take action to mitigate against it.
2. Increase clarity and governance
Although lawful requests must be complied with, effective data governance helps you understand how much of your data and which processes you need to share to comply. This isn’t about dodging requests; it is about handing over what is required and no more.
Adopting least privilege, role-based access, complete audit trails and accurate documentation ensures that you know how to respond effectively to any request.
3. Use strong encryption to control who can access your data
If you manage your own encryption keys, third parties can’t read your data without your consent. This means that your cloud service provider can’t go behind your back in response to a legitimate request for evidence data: it has to engage with you, so you have much more control over what is provided to the authorities.
4. Store your data strategically
Where appropriate, place your most sensitive workloads away from multi-tenant SaaS deployments controlled by US entities. Use sovereign cloud, private cloud, or on-premises for well-defined, sensitive datasets and processes, while keeping more general collaboration and communication in the public cloud.
5. Prepare a government-request playbook
Document who triages government requests, how you verify authority and narrow scope, what to do if a gag order applies, and how you maintain a full chain of custody. Cloud providers run this playbook, so you should as well.
Balancing collaboration and co-operation with sovereignty
Handling regulated or highly sensitive data? Treat the CLOUD Act as one input to your wider sovereignty plan. Use encryption you control, keep data governance and logging accurate and accessible, and place the right workloads in on-prem, private, or sovereign environments.
Claromentis gives you that flexibility - granular permissions, encryption in transit, and secure applications for intranet, learning, policy, and workflows - so you can better balance collaboration and compliance.
Want to talk it through? Book a quick call and we’ll map your security needs to the right deployment for your regulated digital workplace.
CLOUD Act FAQs for regulated teams
What does the CLOUD Act actually do?
It lets U.S. authorities request electronic data from providers under U.S. jurisdiction—even if that data is stored outside the U.S.—based on who controls it, not just where it sits.
Does it override the GDPR?
No. Laws don’t override each other across borders. Conflicts can arise (e.g., GDPR Art. 48). Plan for conflict-of-laws and respond narrowly with counsel.
Does data location still matter?
Less than before. Location helps, but corporate control and jurisdiction often matter more. Treat this as a workload-by-workload risk decision.
Will we be told if our data is accessed?
Not always. Some orders include non-disclosure. Design for that reality: logging, key governance, and a counsel-led request workflow.
Do customer-managed keys (BYOK/HYOK) help?
Yes. If you hold the keys, a provider may be compelled to produce data, but it can’t read contents without your cooperation—keeping disclosure documented and proportionate.
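The customer-managed-key point made in step 3 above and in this BYOK/HYOK answer, shown as an added example that is not Claromentis code and is not part of the original article. It models envelope encryption: each record is encrypted under its own data key (DEK), and that DEK is wrapped under a key-encryption key (KEK) that only the customer holds. The provider stores ciphertext and wrapped DEKs, so what it can disclose on its own is unreadable, and every customer-side unwrap is written to an audit trail. The names StoredRecord, Customer, Provider, the record ID and the sample text are constructed for the example; the KEK is modelled as an in-memory byte slice standing in for a customer-controlled HSM or KMS, and the all-zero key in UnwrapWithoutKEK stands in for any key other than the customer's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is all the provider holds for one item: the payload encrypted under a
// per-record data key (DEK), plus that DEK wrapped under the customer's key-encryption
// key (KEK). Both blobs are nonce||ciphertext; neither is readable without the KEK.
type StoredRecord struct {
	ID                     string
	Ciphertext, WrappedDEK []byte
}

// Customer holds the KEK (assumption: an in-memory slice here; a real deployment keeps
// it in a customer-controlled HSM or KMS) and an audit trail of every DEK unwrap.
type Customer struct {
	kek       []byte
	UnwrapLog []string
}

// Provider stores records and never receives a key; Disclose is all it can produce alone.
type Provider struct{ records map[string]StoredRecord }
func NewProvider() *Provider                               { return &Provider{records: map[string]StoredRecord{}} }
func (p *Provider) Store(rec StoredRecord)                 { p.records[rec.ID] = rec }
func (p *Provider) Disclose(id string) (StoredRecord, bool) { rec, ok := p.records[id]; return rec, ok }

// aead builds AES-256-GCM; every key passed in below is exactly 32 bytes.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length, which this code never produces
	}
	g, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block
	return g
}

// seal encrypts and returns nonce||ciphertext so each blob carries its own nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24; it crashes instead
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal; a wrong key, wrong record ID or tampered blob fails GCM authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], aad)
}

func randomKey() []byte {
	k := make([]byte, 32)
	rand.Read(k) // see seal: never returns an error on current Go
	return k
}

func NewCustomer() *Customer { return &Customer{kek: randomKey()} }

// Encrypt does envelope encryption: a fresh DEK per record, wrapped under the KEK.
// The record ID is bound as associated data so blobs cannot be moved between records.
func (c *Customer) Encrypt(id string, plaintext []byte) StoredRecord {
	dek := randomKey()
	return StoredRecord{ID: id, Ciphertext: seal(dek, plaintext, []byte(id)), WrappedDEK: seal(c.kek, dek, []byte(id))}
}

// Decrypt is the one step that needs the customer's cooperation; each success is logged with the requester.
func (c *Customer) Decrypt(rec StoredRecord, requester string) ([]byte, error) {
	dek, err := open(c.kek, rec.WrappedDEK, []byte(rec.ID))
	if err != nil {
		return nil, err
	}
	c.UnwrapLog = append(c.UnwrapLog, fmt.Sprintf("unwrapped DEK for %q at request of %s", rec.ID, requester))
	return open(dek, rec.Ciphertext, []byte(rec.ID))
}

// UnwrapWithoutKEK is what anyone holding only the stored blob can attempt: an all-zero
// key stands in for any key other than the customer's KEK, and GCM rejects it.
func UnwrapWithoutKEK(rec StoredRecord) error {
	_, err := open(make([]byte, 32), rec.WrappedDEK, []byte(rec.ID))
	return err
}

func main() {
	c, p := NewCustomer(), NewProvider()
	p.Store(c.Encrypt("hr-record-1", []byte("constructed sample: salary review notes")))
	blob, _ := p.Disclose("hr-record-1")
	fmt.Println("provider-side unwrap without KEK:", UnwrapWithoutKEK(blob))
	pt, _ := c.Decrypt(blob, "legal counsel, order ref PLACEHOLDER")
	fmt.Printf("customer-side decrypt: %q\naudit: %v\n", pt, c.UnwrapLog)
}
```

Run with `go run`. The disclosed blob is what a compelled provider could hand over by itself; turning it into readable content requires the customer's Decrypt call, which is exactly the point at which scope can be narrowed with counsel and the audit entry documents what was released and for whom.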
How does Claromentis support sovereignty-minded deployments?
Claromentis offers on-premises, private cloud, and dedicated sovereign cloud options. You can also choose where your standard SaaS deployment resides. Pair that with granular permissions, audit trails, and customer-managed encryption to align each workload to the right control level - so you can collaborate confidently while meeting legal obligations.

