Cloud computing is far more than just an infrastructure topic. For many companies, the cloud today forms the foundation of their digital value creation, from software development to data-driven business models and AI applications. At the same time, with outsourcing to external platforms, a central question increasingly comes to the forefront: Who can access this data if it comes down to it?
A legal opinion from the University of Cologne in March 2025, commissioned by the Federal Ministry of the Interior, provides a sobering answer. A detailed analysis of the results can be found at https://datenrecht.ch/us-zugriffsbefugnisse-auf-daten-in-der-cloud-gutachten-uni-koeln-vom-maerz-2025/ and served as the substantive basis for this article. It shows that many common assumptions about data protection, data location, and technical isolation prove to be deceptive in practice.
For IT decision-makers, this means: The cloud is not just a technological issue but increasingly a geopolitical and regulatory one.
A central misconception in the cloud debate is the assumption that state access is always tied to clear legal procedures and individual reviews. US surveillance law paints a different picture.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows US intelligence agencies to collect data from non-US persons outside the United States. The crucial factor is not the individual case but the system: Programs are approved, not specific targets. A classic judicial review in the sense of an individual search warrant does not occur.
For companies, this results in a hard-to-grasp reality. Data can become part of large-scale surveillance measures without those affected knowing or being able to effectively defend themselves. At the same time, cloud providers are obliged to cooperate in such measures.
Access goes even further in the context of the Stored Communications Act (SCA) and the CLOUD Act. These regulations require providers to release stored data—regardless of where it is physically located. The much-cited “data location in Europe” thus loses significant importance.
What appears on paper as a clearly defined legal instrument has global reach in practice. For non-American companies, legal protection remains limited and often depends on political agreements that exist only with selected states.
With the Reforming Intelligence and Securing America Act (RISAA), the situation has further intensified. What initially appears to be a technical adjustment has far-reaching structural consequences.
The definition of obligated service providers has been expanded so that it no longer only includes classic telecommunications or cloud providers. Instead, access to technical infrastructure used for communication is sufficient.
This fundamentally shifts the logic. It is no longer just about specialized providers but about a broad ecosystem of digital services. In a connected economy where almost every company operates IT systems, this definition quickly becomes all-encompassing.
For IT strategies, this means: The question of whether a provider is a “classic cloud provider” loses significance. What matters more is whether there is access to relevant systems somewhere in the value chain.
In addition to legal access rights, there is a second mechanism that often receives less attention but is at least as relevant: the commercial trade in data.
US authorities can purchase so-called “Commercially Available Information”—data collected and sold by private companies. This includes, among other things, location data, usage profiles, or aggregated behavioral analyses.
The problem lies less in the individual data set than in the combination. Modern data ecosystems make it possible to link supposedly anonymous information and thus precisely identify individuals or organizations.
For companies, this creates a blind spot. Even if direct access is restricted by regulations, similar insights can be gained indirectly. Classic compliance models often fall short in such scenarios.
Perhaps the most important insight from the opinion can be summed up in a simple statement: It is not the location of the data that is decisive, but the control over it.
This control is broadly defined in US law. It is often sufficient that a company is organizationally or technically capable of accessing data or facilitating its release.
In practice, this leads to a paradigm shift. A European data center does not offer automatic protection if the operator or its parent company is subject to US law. Even complex corporate structures cannot reliably prevent this access.
This is particularly relevant for internationally active companies. Economic activities in the USA—such as customer relationships or an accessible web presence—can be enough to fall within the scope of US jurisdiction.
The often-communicated strategy “data stays in Europe” thus falls short. It addresses an infrastructural problem, while the real challenge lies at the level of control and jurisdiction.
In many discussions, there is hope that the problem can be solved through technical measures—such as encryption or so-called zero-access architectures.
The opinion meets this assumption with skepticism. The reason lies less in the technology itself than in the legal framework. Providers are required to keep relevant data available and accessible if necessary. A complete exclusion of one’s own access can thus conflict with legal obligations.
For companies, this means an uncomfortable truth: Technical measures are necessary but not sufficient. They can reduce risks but not eliminate them.
The consequences of these developments are profound. They affect not only highly regulated industries but increasingly all organizations that work with sensitive data.
A modern cloud strategy must therefore consider several levels simultaneously. In addition to performance, scalability, and costs, questions of jurisdiction, provider structure, and actual access possibilities come to the forefront.
Digital sovereignty thus becomes a strategic factor. It does not necessarily mean completely foregoing international providers, but rather a conscious architectural decision. This includes the targeted selection of providers, the segmentation of data, and the use of open-source technologies where sensible.
Multi-cloud approaches are also gaining importance in this context. They allow dependencies to be reduced and sensitive workloads to be deliberately moved to controllable environments.
However, what is crucial is a change in perspective: Away from purely technical optimization towards a holistic view of risk, control, and compliance.
The opinion from the University of Cologne makes clear what many companies have underestimated: The cloud is not a neutral, purely technical space. It is embedded in national legal systems, economic interests, and geopolitical dynamics.
Anyone using cloud infrastructures today is also making a decision about access rights, control possibilities, and legal dependencies.
For IT decision-makers, this means a new responsibility. It is no longer enough to choose the best technical solution. What is needed is an architecture that is also viable under regulatory and political considerations.
The central question is therefore no longer: Where is my data located?
But rather: Who can access it—and under what conditions?