
30 Jun 2025

US CLOUD Act – Responding to direct demands for access to data from US Authorities


Background

In 2018, the US president signed into law the US CLOUD Act (Clarifying Lawful Overseas Use of Data). The Act expands US and foreign law enforcement's ability to target and access individuals' data across international borders and provides that such information must be disclosed regardless of where it is stored.

The introduction of the CLOUD Act has added to the legal complexity, especially for communication service providers that process and store electronic data. Adapting to this environment is proving to be a significant challenge for them. In responding to such demands, they must weigh legal and ethical responsibilities, in particular striking a balance between a citizen's right to privacy and law enforcement's right to seek information for the prevention and prosecution of crime.

WHAT information does the Act apply to?

It applies only to the contents of electronic communications, documents stored in the cloud, and to certain types of transmission and account information.

WHO does the CLOUD Act apply to?

It applies to all electronic communication service providers or remote computing service providers that operate in the US (such as email and cloud service providers), whether those providers are established in the US or another country.

Potential Conflict between the US CLOUD Act and the EU GDPR

The General Data Protection Regulation (GDPR) places a high priority on individual privacy rights, making data controllers accountable for their processing activities and requiring that certain conditions are met before disclosure to law enforcement agencies can occur. One of the fundamental requirements of the GDPR is that the data controller must have a lawful basis for processing the data, and such processing includes disclosure to law enforcement authorities.

What does the European Data Protection Board (EDPB) say about the CLOUD Act?

On 10 July 2019, the EDPB, together with the European Data Protection Supervisor (EDPS), published a joint legal assessment on the CLOUD Act and the EU legal framework for data protection. The assessment states that a request from a foreign authority for the transfer of data does not, in and of itself, constitute a legal ground for transfer for the purposes of the GDPR. Under Article 48 of the GDPR, any judgment of a court or tribunal of a third country requiring the transfer or disclosure of personal data can only be recognised or enforceable where it is based on an international agreement, such as a mutual legal assistance treaty (MLAT), in force between that third country and the Member State, unless other grounds for transfer under the GDPR apply.

The EDPB assessment stresses that there are two key elements to consider in relation to the legality of a transfer of personal data in response to a request made under the US CLOUD Act:

  1. there must be a legal basis for processing under Article 6, and

  2. there must be a permitted basis for engaging in the transfer under Chapter V of the GDPR.

While the assessment is detailed and needs to be considered in its totality, its main conclusion is that the CLOUD Act does not contain a sufficient legal basis under the GDPR to justify personal data transfers to the US, and that the most suitable means of protecting the GDPR provisions is an international agreement that encompasses all necessary safeguards.

In particular, the assessment concludes that “unless a US CLOUD Act warrant is recognised or made enforceable on the basis of an international agreement, and therefore can be recognised as a legal obligation, as per Article 6(1)(c) GDPR, the lawfulness of such processing cannot be ascertained”.

This EDPB guidance presents organisations that are subject to the GDPR and are served with warrants under the Act with a compliance conflict. In practice this means that any service provider using US-based public cloud services that responds to a CLOUD Act (Stored Communications Act) order runs a risk of breaching the GDPR, with the prospect of fines of up to €20 million or 4% of annual worldwide turnover.

HOW can we help?

With over 40 years' combined experience handling legal requests for disclosure of data to law enforcement, and recognising the challenges involved in responding to these requests, our founders created an ethical decision-making framework comprising six principles and implemented it within a legal software application that standardises and streamlines decision-making.

iTrust 6A™ empowers and enables organisations to navigate these challenges with confidence and clarity, and reduces the risk of non-compliance, fines, sanctions and reputational damage.

To find out more, please contact our expert team at info@itrust6a.com.
