
CLOUD Act and GDPR: Why US cloud services are a compliance risk for German companies


When an IT lead has to explain to management why using US cloud services is a risk that must be documented, what's usually missing is a text that summarizes the topic factually and without panic. This article is exactly that: an assessment of the legal situation, the actual risks and the options for action. It does not replace legal advice — but it asks the right questions.

What the CLOUD Act actually regulates

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) obliges US companies to give US authorities access, upon a lawful order, to data in their "possession, custody, or control" — regardless of where that data is physically stored.

This is the decisive point that sales conversations like to blur: a data center in Frankfurt, an "EU cloud region", a German subsidiary — none of it changes the fact that the parent company is subject to US law. If Microsoft, Google or Amazon receive a lawful US order, the storage location of the data is secondary.

The conflict with the GDPR

The GDPR requires a legal basis under European law for transferring personal data to authorities of a third country (Art. 48 GDPR). A CLOUD Act order is precisely not that — it is a US legal basis. The result is a situation in which a provider cannot fully comply with both legal systems at the same time.

Three milestones mark the development:

  1. Schrems II (CJEU, 2020). The European Court of Justice struck down the Privacy Shield agreement — reasoning that US surveillance laws do not provide a level of protection equivalent to the EU's.
  2. EU-US Data Privacy Framework (2023). The successor creates a new transfer basis. Legally, however, it stands on the same foundation as its two failed predecessors — and is already being challenged in court. Companies that build their compliance on it alone are building on a decision the CJEU will examine for the third time.
  3. The political dimension. Adequacy decisions can be revoked by the EU Commission or devalued by geopolitical developments. Anyone who has ever had to restructure their data flows on short notice knows what that means operationally.

"But we have a DPA" — why that is not enough

The most common objection: there is a data processing agreement with the provider, standard contractual clauses are signed, so everything is covered. That falls short:

  • Contracts do not bind authorities. Standard contractual clauses oblige the provider — they do not prevent a US authority from issuing an order under US law.
  • The transfer impact assessment is mandatory. Since Schrems II, controllers must assess and document whether third-country law undermines the contractual protection. With the CLOUD Act, that is exactly the case — it has to be stated in the assessment and answered with technical measures.
  • Encryption only helps if the provider doesn't hold the keys. "Encryption at rest" with the same provider that also manages the keys offers no protection against a disclosure order. Only encryption with keys exclusively in your hands is effective — which technically rules out many SaaS features.

The questions auditors and customers ask today

The risk has long stopped being theoretical. It materializes in concrete situations:

  • ISO 27001 / TISAX audit: "Where is personal data stored, and who can legally access it?"
  • Public-sector tender: "Demonstrate that data is subject exclusively to EU law."
  • Customer audit (automotive, healthcare, finance): "Present your transfer impact assessment."
  • Cyber insurance: "Which third-country transfers exist, and how are they safeguarded?"

Without a documented answer, you lose time at best — and the contract at worst.

The options — viewed soberly

Nobody has to switch off all US services tomorrow. A professional way of handling the risk looks like this:

  1. Inventory. Which services process which personal data? Which of them are subject to US jurisdiction — including the EU subsidiaries of US corporations?
  2. Risk assessment per system. Not every system is equally critical. The marketing tool with newsletter addresses and the HR system with health data belong in different risk classes.
  3. Prioritized migration of the critical systems. Mature European or self-hosted alternatives exist for most categories: Nextcloud for file collaboration, Keycloak for identity management, Metabase for BI, n8n for automation.
  4. A documented decision for the rest. Deliberately staying with a US service can be defensible — if the assessment is documented and technical safeguards are in place. Compliance does not mean "zero US services", it means demonstrably assessed risks.
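As an added example that is not part of the article, the four steps above and the key-custody rule from the DPA section can be turned into a small, rules-based first pass over an inventory: jurisdiction follows the ultimate parent (so EU subsidiaries count), customer-held keys lower the class, a signed DPA does not, and sensitive data categories go to the front of the migration queue. The parent list, data classes and inventory entries are constructed assumptions.

```python
from dataclasses import dataclass

# Parents the article names as subject to US law; extend for your own vendors.
US_PARENTS = {"Microsoft", "Google", "Amazon"}
# Data categories that put a system in the highest risk class (assumed set).
SENSITIVE = {"health", "hr", "financial"}

@dataclass
class Service:
    name: str
    contracting_entity: str   # who signed the DPA (may be an EU subsidiary)
    parent: str               # ultimate parent; CLOUD Act reach follows this
    data: set                 # categories of personal data processed
    keys_held_by: str         # "customer" or "provider"
    dpa_signed: bool = True   # recorded, but does not lower the class

def us_jurisdiction(svc: Service) -> bool:
    """An EU subsidiary or EU region of a US parent is still in CLOUD Act reach."""
    return svc.parent in US_PARENTS

def assess(svc: Service) -> tuple[str, str]:
    """Return (risk class, recommended action) following the article's logic."""
    if not us_jurisdiction(svc):
        return "low", "document: not subject to US jurisdiction"
    if svc.keys_held_by == "customer":
        # Provider cannot produce plaintext; still needs a documented TIA.
        return "medium", "document: customer-held keys, TIA on file"
    # Contracts do not bind authorities, so dpa_signed changes nothing here.
    if svc.data & SENSITIVE:
        return "high", "migrate first"
    return "medium", "document decision or migrate later"

def prioritized_roadmap(inventory: list[Service]) -> list[tuple[str, str, str]]:
    """Step 3: order systems so the critical ones are migrated first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(s.name, *assess(s)) for s in inventory]
    return sorted(rows, key=lambda r: order[r[1]])

# Constructed sample inventory (not real systems).
INVENTORY = [
    Service("HR system", "Microsoft Ireland", "Microsoft", {"hr", "health"}, "provider"),
    Service("Newsletter tool", "Google Cloud EMEA", "Google", {"email"}, "provider"),
    Service("File share", "Amazon EU", "Amazon", {"documents"}, "customer"),
    Service("Nextcloud (self-hosted)", "own", "own", {"documents", "hr"}, "customer"),
]

if __name__ == "__main__":
    for name, risk, action in prioritized_roadmap(INVENTORY):
        print(f"{risk:6} {name:24} {action}")
```

The output is a starting point for the written assessment, not a substitute for it: each "document" row still needs the transfer impact assessment the article describes.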

Conclusion: the risk is manageable — but only if documented

The CLOUD Act creates a structural conflict that no contract and no marketing promise resolves. For German companies this does not mean alarmism, it means a work order: know where the data is; assess what is critical; migrate what has to be migrated; document what stays.

These four steps are exactly what we deliver with the Sovereignty Check: a complete inventory of your cloud stack, a CLOUD Act and GDPR risk assessment per system, and a prioritized roadmap with effort estimates — at a fixed price, within one to two weeks. So when the next auditor asks, you have an answer that holds.