Many companies believe a server in Frankfurt reliably shields their data from US access. The CLOUD Act shows why that is wrong: what matters is not where the servers are located, but who controls the provider. Understand that, and you make better decisions when picking tools.
Stop worrying about US data access. Switch to EU scheduling.
Key takeaways
- The CLOUD Act is a 2018 US law that obliges US providers to hand stored data to US authorities, worldwide.
- It applies regardless of server location. A data centre in the EU offers no protection if the provider has a US parent company.
- The CLOUD Act conflicts with the GDPR and was one of the reasons behind the Schrems II ruling.
- European companies reduce their exposure by choosing providers with no US ties, EU hosting and an EU headquarters.
- The fewer US services in your stack, the smaller the surface.
What is the CLOUD Act?
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US law from 2018. It obliges US providers to hand over stored data on official request to US authorities, even when that data sits outside the United States.
The law grew out of a legal dispute between Microsoft and the US government over data stored in Ireland. Before the CLOUD Act it was unclear whether US authorities could reach data held abroad. Since then the answer is clear: yes, when the provider is subject to US law. The CLOUD Act entry summarises the details.
The key point is its reach: the CLOUD Act attaches to the provider, not the storage location. So any company with a US connection falls under it, from the parent corporation to a US subsidiary.
Who does the CLOUD Act affect?
Any provider subject to US law, meaning US companies and their subsidiaries worldwide. For your data that means: as soon as you use a service whose parent sits in the US, the CLOUD Act can apply, even if your contract is with a European branch and the servers are located in Europe.
This covers most large cloud and software vendors. A European branch or an EU data centre changes nothing as long as the parent corporation answers to US law. That exact setup makes the server location worthless as a single criterion. The deeper question of who really controls your data is the heart of data sovereignty.
Not affected are providers with no US ties: a company headquartered in the EU, with no US parent and no US subsidiary, cannot be compelled to hand over data under the CLOUD Act.
CLOUD Act, GDPR and Schrems II: where is the conflict?
The CLOUD Act collides directly with the GDPR. The GDPR forbids transferring personal data to third countries without an adequate level of protection. The CLOUD Act demands exactly that transfer once a US authority orders it. A provider under US law can therefore end up in a position where it breaches either the GDPR or US law.
This conflict is not a side issue. With the Schrems II ruling the Court of Justice of the EU sharply restricted data transfers to the US in 2020, precisely because US laws like the CLOUD Act guarantee no equivalent protection. For companies this creates a concrete liability and documentation risk.
What does the CLOUD Act mean for European businesses?
For European companies the CLOUD Act means that data held with US services is never fully under their own control. This matters most for sectors with high requirements, such as healthcare, law firms, public bodies and financial services, where third-party data access can be a deal-breaker.
In practice the topic now shows up in tenders, audits and supplier questionnaires. Answering "US provider, no restrictions" risks exclusion from procurement. Initiatives such as Gaia-X, along with the European Commission, show how widespread the demand for European alternatives has become.
How do I reduce CLOUD Act exposure?
By selecting providers on their legal and corporate structure, not just on server location. The main checkpoints:
| Checkpoint | The sovereign answer |
|---|---|
| Corporate structure | Provider with no US parent or US subsidiary? |
| Server location | Data demonstrably in the EU? |
| Data processing agreement | GDPR-compliant DPA in place? |
| Sub-processors | Are US services wired in behind the scenes? |
| Number of tools | Can the stack be consolidated? |
One practical lever is the number of services in use. Every extra US tool is another route by which data falls under the CLOUD Act. Consolidating functions shrinks that surface. Our overview covers what a bundled, GDPR-compliant software stack from one vendor looks like, and our guides to GDPR-compliant alternatives to Zoom, Microsoft Teams and Calendly show how widespread US tools can be replaced.
The CLOUD Act in practice: the meetergo example
Our own platform shows what a provider with no CLOUD Act exposure looks like. At meetergo we deliberately chose a structure the CLOUD Act does not reach.
meetergo is a GmbH headquartered in Germany, with no US parent and no US subsidiary, and is therefore not subject to the CLOUD Act. We host exclusively with Hetzner in Germany, with servers in Frankfurt and Nuremberg, and sign a data processing agreement with every customer. Because appointment scheduling, e-signatures and a CRM all run in one platform, we do not have to wire in extra external services that would bring the risk back. You can start on a free Basic plan, with paid tiers from 7 € per month (pricing).
Frequently asked questions
What is the CLOUD Act in simple terms?
The CLOUD Act is a 2018 US law that obliges US providers to hand stored data to US authorities, even when the data sits abroad. What matters is the provider, not the storage location.
Does a server in Europe protect against the CLOUD Act?
No, not on its own. If the European server belongs to a provider with a US parent, the CLOUD Act can still apply. What also counts is who legally controls the provider.
Does the CLOUD Act conflict with the GDPR?
Yes. The GDPR forbids transfers without an adequate level of protection, while the CLOUD Act can compel exactly that transfer. This conflict was a central point in the Schrems II ruling.
How do I find providers that are not subject to the CLOUD Act?
Check the company headquarters and corporate structure: a provider based in the EU, with no US parent and no US subsidiary, plus EU hosting and a DPA.
Check your own stack
Run through your most important tools and note each provider's corporate seat, server location and sub-processors. Where the CLOUD Act applies, a European alternative is worth a look. To see what a Germany-hosted stack looks like, try the free Basic plan from meetergo.

