US Cloud Act vs. GDPR: Who Really Controls Your Data?
Katrin Peter, 3 minute read


The CLOUD Act allows US authorities to access European data, conflicting with the GDPR. Learn how companies can protect themselves technically and legally.
cloud-act gdpr data-protection compliance security


A Law with Explosive Potential for European Companies

In March 2018, the US government passed the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). What initially seems like technocratic legislation is, in reality, a geopolitical reach into your corporate data—even if stored on European servers. The key factor is not the location of the servers but who controls them.

According to the CLOUD Act, US authorities can access data if it is owned or controlled by a US company. This completely overturns the argument for local storage. It no longer matters whether your data is in Frankfurt, Dublin, or Paris—Microsoft, Google & Co. must hand it over upon request.

GDPR: European Data Protection Law Under Pressure

Here begins the legal dilemma. The GDPR, specifically Article 48, stipulates that data access by foreign authorities must occur within the framework of international agreements. Such requests must go through national authorities—not directly to the cloud provider. The CLOUD Act, however, permits exactly such direct requests to the provider.

Companies that transmit personal data without this legal basis potentially commit a GDPR violation, punishable by fines of up to 20 million euros or 4% of annual turnover. Whether the bilateral agreements envisaged in the CLOUD Act will be considered “international agreements” under the GDPR is unclear—a legal risk with an open outcome.

Strategies for Risk Minimization

Microsoft responded with its own model: “Office 365 Germany” was operated with Deutsche Telekom as a data trustee. Advantage: The data was not under Microsoft’s direct control. However, the service has since been discontinued. Other providers consistently rely on a model that creates genuine technical barriers—operator-secure cloud services.

These services operate on the principle: What we can’t see, we can’t hand over. Through complete hardware isolation and end-to-end encryption, providers have no access to customer data—not even under court order. Access by US or other authorities? Technically impossible.
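The zero-access principle just described, as an added illustration (not code from ayedo or any provider mentioned here): the customer generates and keeps the data encryption key, encrypts each record client-side with AES-256-GCM before upload, and the operator stores only ciphertext, so a disclosure request against the operator yields nothing readable. The Provider and Customer types and the record ids are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Provider is the cloud operator: it stores blobs it can never decrypt.
type Provider map[string][]byte

// Disclose is everything the operator could hand over on a request:
// the blob exactly as stored, laid out as nonce || AES-GCM ciphertext || tag.
func (p Provider) Disclose(id string) []byte { return p[id] }

// Customer holds the AEAD built from its own key (e.g. in an on-premises HSM).
type Customer struct{ aead cipher.AEAD }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewCustomer generates an AES-256 key that never leaves the customer.
func NewCustomer() *Customer {
	block, _ := aes.NewCipher(randomBytes(32)) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return &Customer{aead: aead}
}

// Seal encrypts client-side before upload; the record id is bound as
// associated data so the operator cannot swap blobs between records.
func (c *Customer) Seal(id string, plaintext []byte) []byte {
	nonce := randomBytes(c.aead.NonceSize()) // fresh nonce per record
	return c.aead.Seal(nonce, nonce, plaintext, []byte(id))
}

// Open decrypts with the customer key; a wrong key, a tampered blob or a
// mismatched id fails authentication and yields no plaintext at all.
func (c *Customer) Open(id string, blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}
```

This covers data at rest and in transit only; confidential computing, listed in the checklist below, extends the same no-access idea to data while it is being processed.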

What Companies Should Consider Now

Those using cloud services and wishing to remain GDPR-compliant should check the following criteria:

Criterion                    | Recommendation
Provider's headquarters      | Within the EU, ideally Germany
Control over infrastructure  | No involvement or control by US companies
Technical protection concept | Confidential Computing, Zero Access Architecture
Certificates & standards     | TCDP, ISO/IEC 27001, BSI C5, etc.

Certifications like the Trusted Cloud Data Protection Profile (TCDP) provide legal guidance and enhance compliance security. They help companies identify responsible providers who not only advertise compliance with GDPR requirements but also implement them technically and organizationally.


ayedo: We Support Your Sovereign Journey to the Cloud

At ayedo, we do not believe in compromises when it comes to data protection, IT security, and digital sovereignty. Our solutions combine European technology with maximum transparency and compliance, for those who want to use the cloud not only securely but also with strategic foresight.

With ayedo, you build your digital infrastructure on a foundation of trust, control, and independence. This way, digitalization does not become a security gap—but a strength.

