Most organisations take comfort in a simple idea: if their data is stored in Europe, it falls under European law and benefits from GDPR protections.
It’s a reassuring assumption. It’s also not entirely true.
In a cloud-driven world, data can sit in the EU and still be accessed under foreign laws. At the centre of this is the US CLOUD Act - a law that quietly reshapes how jurisdiction works and introduces a risk many businesses haven’t fully accounted for.
Understanding that risk means shifting focus away from where data is stored to something more important: who can legally access it.
The CLOUD Act, passed in the US in 2018, allows law enforcement to compel US-based companies to provide data under a valid legal order - even if that data is stored outside the United States.
So if a cloud provider is headquartered in the US, it can be required to hand over data held in a European data centre.
That’s the key shift:
| Jurisdiction follows the company, not the server
GDPR was designed with a different goal: protecting individuals’ personal data and ensuring it isn’t accessed or transferred outside the EU without proper safeguards.
In practice, that means:
At a high level, GDPR aims to limit exactly the kind of external access the CLOUD Act can enable.
Now bring the two together.
A European company uses a US cloud provider.
The data is stored in the EU.
From a GDPR perspective, everything looks compliant.
But under the CLOUD Act, that same provider could be required to disclose the data to US authorities.
This creates a difficult reality:
And the organisation using the service may have limited visibility or control when those situations arise.
The root of the issue is a widely held belief:
| "If my data stays in Europe, I’m safe."
That idea made sense when infrastructure and jurisdiction were tightly linked. Cloud computing has broken that connection.
Today, three separate factors are in play:
When those don’t align, risk emerges.
This is where the conversation shifts.
Data residency focuses on location - keeping data within a geographic boundary.
Data sovereignty focuses on control - who has legal authority over that data.
They are not the same thing.
You can have data residency in Europe while still being exposed to non-European laws if the provider falls under a different jurisdiction.
A simple way to think about it:
| It’s not just where your data lives - it’s who holds the keys, and who can demand them.
This isn’t just a legal nuance. It has real implications.
First, there’s compliance risk. Organisations may find themselves navigating conflicting obligations without a clear-cut answer.
Second, there’s operational risk. Data access could happen through legal channels that don’t involve the organisation directly.
And third, there’s trust. Customers increasingly expect clarity around how their data is protected - and assumptions about “EU storage = EU protection” don’t always hold.
Yes - but it’s no longer straightforward.
Using a US-based provider doesn’t automatically mean you’re in breach of GDPR. However, it does mean you need to take additional steps to understand and mitigate risk.
Regulators have made it clear that foreign government requests alone are not a valid basis for transferring personal data under GDPR. That puts the responsibility on organisations to assess exposure and apply safeguards.
In other words:
| Compliance is no longer just about configuration - it’s about informed decision-making.
There’s no perfect solution, but there are practical ways to strengthen your position.
Start with visibility. Know where your providers are headquartered and which laws apply to them. “EU region” doesn’t necessarily mean EU jurisdiction.
Then look at architecture. Segment sensitive data and minimise unnecessary exposure so that not everything is equally accessible.
Layer in legal safeguards, such as Standard Contractual Clauses and Transfer Impact Assessments, to formally assess and document risk.
Finally, focus on technical control. Encryption - especially where you retain control of the keys - can significantly reduce the impact of external access requests.
The goal isn’t to eliminate the CLOUD Act. That’s not possible.
The goal is to reduce how much it can affect you.
For years, data protection strategies have centred on location.
That’s no longer enough.
The more useful question is:
| Who can access my data - and under which legal authority?
Organisations that can answer that clearly are in a far stronger position than those relying on geography alone.
The CLOUD Act doesn’t override GDPR, and GDPR doesn’t neutralise the CLOUD Act. Both exist, and both can apply at the same time.
That overlap is where the real risk sits.
Businesses that recognise this early - and design for control, not just location - will be better equipped to navigate an increasingly complex data landscape.