The US CLOUD Act, FISA 702 and your data: what European companies need to know

By the EU Alternatives team Published

The short version: a US-owned provider can be legally compelled to hand over data it controls, even when that data sits in a European data centre. The CLOUD Act covers law enforcement requests, FISA 702 covers intelligence collection, and neither stops at the EU border. Whether this matters for your company depends on what data you process and which tools touch it. This guide explains both laws in plain terms and what to do about them.

What the CLOUD Act actually says

The Clarifying Lawful Overseas Use of Data Act became US law in March 2018. It settled a long-running court battle in which Microsoft argued that a US warrant could not reach emails stored on its servers in Dublin. Congress answered that question directly: providers subject to US jurisdiction must disclose data in their “possession, custody, or control” regardless of where in the world it is stored.

Three things are worth understanding about it:

  • It is targeted, not bulk. CLOUD Act requests concern specific accounts in criminal investigations, and a warrant or court order is still required for content.
  • It follows ownership, not geography. A subsidiary of a US parent company is within reach, and so is the data that subsidiary holds in Frankfurt, Paris or Dublin. An “EU region” checkbox does not change the legal position.
  • You may never know. Requests routinely come with non-disclosure orders, so the provider cannot tell you your data was handed over.

What FISA 702 actually says

Section 702 of the Foreign Intelligence Surveillance Act works differently. It allows US intelligence agencies to direct “electronic communication service providers” to assist in collecting the communications of non-US persons located outside the United States, for foreign intelligence purposes. There is no individual warrant per target. Instead, the FISA Court approves broad annual certifications, and the agencies select targets under them.

If you are a European reading this, note the wording: non-US persons outside the United States is precisely you. Section 702 has been renewed repeatedly, most recently in 2024, when the definition of a covered provider was also widened. It was the centrepiece of the surveillance programmes revealed in 2013, and it is the main reason EU courts keep striking down transfer arrangements.

CLOUD ActFISA 702
Who uses itUS law enforcementUS intelligence agencies
PurposeCriminal investigationsForeign intelligence
TargetSpecific accounts, with a warrant or court orderNon-US persons outside the US
OversightOrdinary courts, case by caseAnnual programme approval by the FISA Court
ReachAny data a US provider controls, anywhereCommunications handled by US providers
Will you be told?Usually not, gag orders are commonNo

Schrems II, and where transfers stand today

In July 2020 the Court of Justice of the EU decided Schrems II. It invalidated the EU-US Privacy Shield, the framework thousands of companies relied on for transatlantic data transfers, precisely because Section 702 and related programmes gave Europeans no effective redress. Standard contractual clauses survived, but with a condition: you must assess, case by case, whether the destination country’s laws undermine the protections in the contract.

Since July 2023 there is a successor, the EU-US Data Privacy Framework. Transfers to certified US companies are currently lawful under it, and it survived its first challenge before the EU General Court in 2025. But its two predecessors, Safe Harbor and Privacy Shield, were both struck down, and further legal challenges are expected. That history is why many European organisations treat the framework as a bridge rather than a foundation.

What a transfer impact assessment is

When you rely on standard contractual clauses, GDPR Article 46 and the EDPB’s Recommendations 01/2020 require a transfer impact assessment, usually shortened to TIA. In practice it is a documented analysis covering:

  • what personal data flows to the provider, and how sensitive it is
  • the laws of the destination country, including CLOUD Act and FISA 702 exposure
  • whether the contractual protections hold up against those laws in practice
  • supplementary measures you apply, such as encryption where the provider never holds the keys
  • a reasoned conclusion that the transfer is acceptable, reviewed periodically

This is real work, per vendor, and it needs updating when laws or providers change. The quiet advantage of European providers is that none of it applies: no transfer outside the EU means no TIA at all.

When US-owned tools are a problem, and when they are not

Blanket avoidance is not the honest position. US-owned tools are largely unproblematic when:

  • no personal data is involved, for example a build service compiling open-source code
  • the data is already public, such as monitoring of your public marketing site
  • encryption is end to end and you alone hold the keys, which makes compelled disclosure yield ciphertext

They deserve real scrutiny when:

  • personal data flows at scale, the classic case being web analytics, which is why so many teams have replaced Google Analytics since the Schrems II wave of regulator decisions
  • communication content is involved, meaning your email and messaging stack
  • you operate in a regulated sector such as health, finance or the public sector, where EU data handling is often a hard requirement
  • the tool is core infrastructure, because migrating cloud hosting later is far harder than choosing well now, which is the argument for weighing European alternatives to AWS before workloads accumulate

The recurring trap is confusing server location with jurisdiction. A US provider’s EU region keeps latency low and may satisfy a residency checkbox, but the CLOUD Act follows the company, not the data centre.

Practical steps

  1. Map your vendors. List every tool that processes personal data, from CRM to error tracking.
  2. Check the ownership chain, not the marketing page. A .eu domain or an EU sales entity says nothing about the parent company.
  3. Prioritise the big flows. Analytics, email and hosting usually move the most personal data, so fix those first.
  4. Do TIAs for what remains. Where a US tool stays, document why, and apply supplementary measures where you can.
  5. Prefer European providers where switching is cheap. For many categories the functional gap is now small, and the paperwork saving is immediate.

Frequently asked questions

Does using the EU region of a US cloud provider protect me from the CLOUD Act?

No. The CLOUD Act reaches data in a provider’s possession, custody or control wherever it is stored. An EU region helps with latency and residency requirements, but it does not remove US jurisdiction over the company operating it.

Is it illegal for a European company to use US tools?

No. Transfers to US companies certified under the Data Privacy Framework are currently lawful, and standard contractual clauses remain available with a transfer impact assessment. The question is one of risk, paperwork and sector rules, not blanket legality.

What is the practical difference between the CLOUD Act and FISA 702?

The CLOUD Act is a law enforcement tool: targeted, warrant-based and tied to criminal investigations. FISA 702 is an intelligence tool: programmatic, aimed at non-US persons abroad, and without individual warrants. For a European company, 702 is the harder one to reason about because you cannot see it operating.

Do these laws matter if my data is encrypted?

It depends who holds the keys. If your provider can decrypt the data, compelled disclosure produces readable data. Encryption only neutralises these laws when the keys never leave your control.