What is the Cloud Act?

The Cloud Act, an American security law that raises concerns

The Cloud Act, the security law of the United States, is a cause for concern for the authorities, companies and citizens of the European Union. What is this text, and why is it to be feared?

The Cloud Act (an acronym for “Clarifying Lawful Overseas Use of Data Act”) is a US federal law enacted on March 23, 2018. It primarily amends Chapter 121 of Title 18 of the United States Code, known as the Stored Communications Act, by allowing U.S. law enforcement or intelligence agencies to compel telecom operators and cloud service providers to hand over information stored on their servers, whether that data is located in the United States or abroad.

Service providers must disclose “the contents of electronic communications and any records or other information relating to a customer or subscriber that are in their possession or custody or control, whether such communications, records, or other information are located inside or outside the United States.” These U.S. authorities can obtain personal, content and other data without the knowledge of the “targeted” individual or the country where the data is stored.

The Cloud Act put an end to a legal battle between Microsoft and the U.S. government, in which Microsoft refused to disclose information about an individual because it was stored in Ireland, i.e. outside the United States. The U.S. Congress passed the Cloud Act without debate and on the sly, in order to “clarify” the legal framework, during the federal budget review.

The second part of the Cloud Act allows the U.S. executive branch to sign bilateral agreements with foreign governments, unless Congress objects. These will allow the respective authorities of the signatory countries to obtain information from service providers, without resorting to lengthy legal procedures such as mutual legal assistance treaties or international letters rogatory.

Only countries that meet a number of criteria detailed in the Cloud Act will be able to sign a bilateral agreement. The major American technology companies welcomed the enactment of the Cloud Act, satisfied that they would benefit from the legal certainty provided by this law. However, there are many criticisms to be made of this law.

First of all, the scope of the requests from the American government agencies is very broad. They concern criminal investigations, including (but not limited to) those related to terrorism. However, in section 2 of the bill that was passed, the U.S. Senate specifies that access to data held by service providers is also an essential element to “protect public order”, a much broader notion.

Second, the service provider receiving a request from a U.S. authority can be any company subject to U.S. law, i.e. a company incorporated in the United States, but also the companies it controls. Third, service providers must disclose information stored in the United States or abroad, as long as the information is in their possession, custody or control.

Moreover, the Cloud Act seems to contradict Article 48 of the European General Data Protection Regulation (GDPR), which came into force on May 25. Indeed, the latter stipulates that “Any decision by a court or administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or given effect to in any way if it is based on an international agreement […]”.

It is true that the Cloud Act allows a service provider receiving an order to challenge it before a U.S. court if the targeted customer is not a U.S. citizen, a legal permanent resident or a company based in the United States, and if the provider believes that disclosing the information would violate the laws of a foreign state. However, it is impossible to predict what the court will decide in a country where numerous generalized surveillance programs have been implemented, supposedly in the name of the fight against terrorism.

The Cloud Act reinforces the powers of American surveillance agencies, by facilitating their access to data stored in data centers belonging to American companies, regardless of whether it is in France, Europe or the United States. It is therefore more prudent for French companies to have their corporate or personal data hosted by service providers under French law, who obey only French and European law and store the data exclusively on the territory of the European Union.