"My data is in Europe, so the Cloud Act doesn't apply." This is one of the most common misconceptions about cloud sovereignty, and it's wrong. The Cloud Act applies to corporate parents, not to data locations — meaning data physically stored in Frankfurt or Dublin can still be compelled out by US legal process if the cloud provider's parent is US-domiciled. This post explains the legal mechanics in detail.
## What the Cloud Act actually says
The full title is "Clarifying Lawful Overseas Use of Data Act," passed in March 2018. The operative section is Title II, which amends the Stored Communications Act to read (paraphrased): a US-headquartered provider must produce data within its "possession, custody, or control" when served with a US warrant — regardless of where that data is stored.
The triggering language is "possession, custody, or control" — terms with established legal meaning in US law. Custody and control extend beyond your physical office walls to data stored by your subsidiaries, affiliates, contractors, and effectively anyone you can compel. The fact that the data physically resides in a Frankfurt datacenter operated by a German subsidiary doesn't change the parent's control over it.
## The case that confirmed this: Microsoft Ireland
In 2014, US prosecutors served Microsoft with a warrant for emails stored in its Dublin datacenter. Microsoft refused, arguing US warrants didn't reach foreign-stored data. The case went to the Supreme Court, which was about to rule when Congress passed the Cloud Act, mooting the case. The legislative intent was explicitly to confirm: yes, US warrants reach data stored abroad by US-headquartered providers.
Microsoft and other major US cloud providers (Amazon, Google) have been clear in their public statements: they will comply with valid US legal process for data, regardless of where that data is stored.
## What "EU regions" actually mean
When AWS offers an "EU (Frankfurt)" region, what does that label tell you?
- The physical servers are in Frankfurt — yes, true
- The data physically resides on those servers — yes, true
- The data is governed by German/EU law — partially true, GDPR applies
- The data cannot be accessed by US legal process — false
An EU region is a geographic location for compute and storage, not a legal sovereignty boundary. AWS, Microsoft Azure, and Google Cloud are all subject to the Cloud Act because their parent corporations are US-incorporated.
## The Schrems II angle
Schrems II, the 2020 CJEU ruling, found this exact problem incompatible with GDPR. The court reasoned: GDPR requires that personal data of EU residents transferred outside the EU enjoy "essentially equivalent" protection. US surveillance laws (FISA Section 702 and EO 12333) don't provide that — and US providers are subject to those laws even for data stored in their EU regions.
The ruling didn't say "you can never use US providers." It said "you must do additional due diligence and possibly add supplementary measures." In practice, that's a significant compliance burden for any company subject to GDPR — which is essentially every business with EU customers.
## What about the Data Privacy Framework?
The 2023 EU-US Data Privacy Framework (DPF) was negotiated to address Schrems II. The US made some commitments around proportionality of surveillance and added a redress mechanism (the Data Protection Review Court). The European Commission issued an adequacy decision based on these commitments.
Several legal scholars and Max Schrems himself have argued DPF doesn't actually solve the underlying problem — Section 702 still allows bulk collection of foreign communications, and the redress mechanism has limited remedy capabilities. There are pending challenges to DPF in EU courts. As of early 2026, DPF is still in force, but the prospect of "Schrems III" overturning it is real.
For risk-averse compliance teams, the calculation is: even if DPF stands, the political and legal volatility around US-EU data transfers is itself a risk. If a 2027 ruling invalidates DPF, you're scrambling to migrate. Building on EU-only infrastructure avoids the whipsaw entirely.
## The "encryption with customer-held keys" argument
One technical defense some US providers offer: "We can't read your data because you hold the encryption keys." This is partially true and partially marketing.
What's true: if you encrypt data on the client side and the provider only stores ciphertext, the provider compelled to hand over data hands over unreadable bytes.
What's not so true in practice: most cloud workloads don't operate exclusively on encrypted data. Databases need to query data. Web apps need to display it. Search needs to index it. The moment data is decrypted to be useful, it exists in cleartext somewhere — typically in the provider's RAM, briefly. US legal process can target that cleartext window.
Customer-managed key services (AWS KMS, Azure Key Vault) help, but the keys themselves are managed within the US provider's infrastructure. The legal compulsion can extend to the keys.
For the very highest sensitivity workloads, you can architect end-to-end encryption with keys held outside US-provider infrastructure — but this dramatically constrains what the cloud can do for you. For most use cases, the simpler answer is: use a non-US-controlled provider.
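The client-side pattern described above, as an added example that is not part of the original post and not any provider's SDK: the customer encrypts with a key that never reaches the provider, and the stored blob alone cannot be turned back into plaintext. Only the Go standard library is used; the object-name binding, the 32-byte key and the nonce-plus-ciphertext storage layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredObject is everything the provider holds for one object: a random nonce
// plus AES-256-GCM ciphertext. The key is generated and kept by the customer
// (e.g. in an on-premises HSM), so a compelled disclosure yields only these bytes.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds the AES-GCM AEAD from a 32-byte customer-held key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload encrypts on the client before upload. The object name is bound
// as additional authenticated data, so a blob re-labelled as another object
// fails authentication on download.
func EncryptForUpload(key, plaintext []byte, objectName string) (StoredObject, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return StoredObject{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptDownloaded recovers the plaintext. With a wrong key or a tampered blob,
// GCM authentication fails and an error is returned instead of garbage.
func DecryptDownloaded(key []byte, obj StoredObject, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectName))
}
```

This protects only what the provider stores: the moment the application decrypts inside provider-hosted compute, the cleartext window described above reappears in the provider's RAM.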
## The practical comparison
| Property | AWS EU region | EU sovereign provider |
|---|---|---|
| Data physically in EU | Yes | Yes |
| GDPR compliant | Yes (with DPA) | Yes (with DPA) |
| Cloud Act applies | Yes | No |
| Subject to US National Security Letters | Yes | No |
| EU-only legal compulsion paths | No | Yes |
## What this means in practice
For most workloads, the Cloud Act exposure of US providers is a theoretical risk rather than a daily concern. US legal process specifically targeting EU companies' data is rare. The compliance theater of documenting Schrems II analyses is more common than the underlying risk materializing.
However, three categories of workload should not be on US-controlled providers:
- Government and public sector data, especially anything related to defense, intelligence, or critical infrastructure
- Sector-regulated data: healthcare records (HDS), financial transactions (some categories), legal communications
- Strategic competitive data: trade secrets, M&A data, R&D — anywhere foreign government access could create competitive harm
For these categories, the small probability × catastrophic consequence calculation makes EU-sovereign hosting the obvious choice. For everything else, it's a procurement decision based on customer expectations and risk tolerance.