The US CLOUD Act explained: how to keep your data safe and GDPR-compliant

One of the most talked-about laws affecting US cloud providers is the CLOUD Act. When served with a valid US warrant or court order, American providers must hand over data in their possession or control, no matter where that data is physically stored. What does that mean for European businesses? In this blog, we explain it in plain language.

TL;DR: why the CLOUD Act is a risk for your data

The CLOUD Act is a US law that obliges US providers to hand over data they hold to US authorities, on a warrant or other legal process, even if that data is hosted in Europe. For European organisations, that’s a risk: it can clash with the GDPR, create compliance issues, and lead to access to sensitive information that you are not told about and cannot block. The solution? Choose European cloud providers like Combell, offering local, GDPR-compliant data centres.

US cloud providers: popular, but not without risk

US cloud providers have been popular among European companies for years. Their technology is advanced, scalable, and easy to adopt. But behind those benefits lies an important risk that’s often overlooked: US legislation with a direct impact on the privacy of your data even when that data is hosted in Europe.

One of the biggest risks when you choose American cloud services? The US CLOUD Act. Imagine hosting your data in a Belgian data centre, but via a US cloud provider. The US government can still demand access to that data. Providers like AWS, Microsoft Azure, or Google Cloud may look attractive on paper, but they operate in a legal minefield.

If you look beyond the price tag and the technical specs, it quickly becomes clear: blindly trusting providers from the States is unwise.

If your data is hosted by an American company, the US government can request it—yes, even without your knowledge, and even if you aren’t active in the US.

Siegfried Deleyn, Senior Solutions Sales Expert at Combell

Explained: what is the US CLOUD Act?

The 'Clarifying Lawful Overseas Use of Data Act' - the CLOUD Act - is a US law signed in March 2018. It amends the Stored Communications Act, the law that governs what US authorities can demand from communication and storage providers.

It requires providers of electronic communication or remote computing services that are subject to US jurisdiction to comply with US warrants, subpoenas and court orders for data in their "possession, custody or control", regardless of whether that data is stored inside or outside the US, for example in a European data centre. The question is therefore not where the servers stand, but who controls access to them.

“Many companies don’t realise that data in a Belgian data centre can still fall under US law as soon as it’s managed by a US party,” says Siegfried Deleyn, Senior Solutions Sales Expert at Combell.

“If your data is hosted by an American company, the US government can request it. Yes, even without your knowledge and even if your company itself isn’t active in the US.”

Did you know...

…the CLOUD Act has nothing to do with “the cloud”? The name suggests it only targets cloud providers, but it doesn’t. CLOUD stands for Clarifying Lawful Overseas Use of Data, and the law covers every provider of communication or storage services that is subject to US jurisdiction: US companies and their foreign subsidiaries, and potentially non-US providers with a sufficient US presence. Where the data sits is irrelevant; what matters is who can be compelled to hand it over.

That means not only hyperscalers like AWS or Azure fall under this law, but also many other tools and services you use every day: from email platforms and accounting software to project-management tools or CRMs. Even a freelancer storing client data in a US SaaS tool can, without realising it, take on a data-transfer and compliance risk under the GDPR. The impact of the CLOUD Act is much broader than often assumed. It’s not about “the cloud”; it’s about access to your data wherever it lives.

GDPR and the CLOUD Act don’t get along

This puts European companies in a tight spot. The GDPR, our European privacy law, imposes strict requirements on how and where personal data is processed and protected. Article 48 of the GDPR in particular says that a foreign court order or administrative decision is only a valid basis for transferring or disclosing personal data if it rests on an international agreement, such as a mutual legal assistance treaty. A CLOUD Act demand served directly on a provider bypasses that route, which is exactly where the two laws collide.

You could face:

Legal conflicts between European and US legislation
The risk that sensitive customer data is accessed without your knowledge or consent
Compliance problems for organisations striving to act in line with the GDPR

The CLOUD Act put Microsoft in a tight spot

A striking example is the case (United States v. Microsoft Corp.) in which the US government, using a warrant under the Stored Communications Act, demanded that Microsoft hand over emails stored in its Irish data centre. Microsoft refused and fought the warrant through the courts; an appeals court sided with Microsoft in 2016, and the case went up to the US Supreme Court. Before the Supreme Court could rule, Congress passed the CLOUD Act in 2018, which made explicit that such warrants reach data held abroad and rendered the dispute moot.

The outcome has lasting impact: even if your data sits on European soil, that’s no guarantee against foreign access. The CLOUD Act applies as long as a provider subject to US jurisdiction controls the data.


Geopolitical tensions and evolving regulations are pushing companies to rethink where they host their data. This report from team.blue reveals how over 2,000 European organisations are navigating data storage in today’s shifting landscape.


What about your company’s data?

If your organisation uses US cloud services, you risk that:

Sensitive business data becomes accessible to foreign governments
You may be acting against GDPR requirements
Customers or partners start (rightly) asking questions about your compliance and data governance

It’s not just a legal risk; it’s a reputational one. Transparency about how you manage data is increasingly essential, especially in sectors dealing with privacy-sensitive information.

Siegfried adds: “As an organisation, it’s important to have both a strong and a transparent relationship with your hosting partner. Choosing a European hosting partner such as Combell is not only safer; it also sends a clear signal to your customers that you take their privacy seriously.”

Local hosting on European soil as the answer

Fortunately, there are alternatives that keep your data squarely within European privacy boundaries. Consider:

European cloud providers and hosting companies like Combell
GDPR-compliant data centres that are physically located in the EU and operated by a company that is itself subject only to European law
Private cloud solutions that give you full control over your infrastructure
Clear contracts on data residency and access rights


Practical tips: how to protect your business data

✅ Audit your current cloud partners

Many companies use multiple SaaS or infrastructure partners without knowing exactly where data is stored or which laws apply. Check whether you (directly or through third parties such as sub-processors) work with US providers, and determine which legislation covers their services. A provider’s data processing agreement and its sub-processor list are the place to start.

✅ Ask explicitly about data residency

Do you know exactly where your data is hosted? Have this recorded explicitly in your contracts. It avoids legal uncertainty and helps you justify your choices to customers, auditors, and regulators. Keep in mind that residency is not the same as jurisdiction: a Belgian data centre run by a US provider still answers to US legal process, so record both the physical location and the legal entity that controls access to the data.

✅ Work with European partners where possible

Especially for (privacy-)sensitive data like personal or business-critical information, opt for a local, European hosting partner. You’ll be better protected against conflicting laws like the CLOUD Act. Read more on our blog about why choosing a local cloud provider makes sense.

✅ Secure your data with encryption, back-ups, and TLS certificates

Legal safeguards are essential, but technical security matters just as much. Encryption, TLS for data in transit, regular back-ups, and access management ensure your data is not only compliant but actually secure. One caveat that matters for the CLOUD Act specifically: encryption only limits what a provider can be compelled to hand over if the provider does not hold the key. Data encrypted with keys that the provider generates and manages can be decrypted by that provider on demand. For genuinely sensitive data, generate and keep the keys yourself, or with a European key-management service, and encrypt before the data leaves your environment.
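To make the key-ownership point concrete, here is an added example (written for this article, not Combell’s own code or any provider’s SDK) of client-side encryption with AES-256-GCM from the Go standard library. It assumes the key is generated and stored on the customer’s side (for instance in an EU-based HSM or KMS; the key store itself is out of scope here) and that the provider only ever receives the sealed blob. The object path is bound in as associated data, so a blob copied to another location will not decrypt. The customer record is a constructed sample, not real data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewTenantKey generates a 256-bit AES key on the customer's side. The key
// lives in the customer's own key store (assumed here to be an EU-based HSM
// or KMS); it is never uploaded to the hosting provider.
func NewTenantKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD used by Seal and Open.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM before it leaves the customer's
// environment. The returned blob (nonce || ciphertext || tag) is what the
// provider stores. objectPath is authenticated but not encrypted, so a blob
// moved to a different path will fail to decrypt.
func Seal(key, plaintext []byte, objectPath string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce slice: nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectPath)), nil
}

// Open reverses Seal. It fails on a wrong key, a modified blob or a mismatched
// objectPath, which is what you want when the provider (or anyone who obtained
// the blob from the provider) returns something other than what you stored.
func Open(key, blob []byte, objectPath string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectPath))
}

// PlaintextExposed is the check a reviewer runs against what the provider
// actually holds: does the stored blob contain the record verbatim?
func PlaintextExposed(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewTenantKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	record := []byte(`{"customer":"Example BV","vat":"BE0000000000","notes":"contract renewal"}`)
	path := "tenant-42/customers/example-bv.json"

	blob, err := Seal(key, record, path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d bytes, plaintext visible: %v\n",
		len(blob), PlaintextExposed(blob, record))

	got, err := Open(key, blob, path)
	fmt.Printf("customer decrypts: %q err=%v\n", got, err)

	_, err = Open(key, blob, "tenant-42/customers/other.json")
	fmt.Println("blob moved to another path:", err)
}
```

The pattern fits object storage, file shares and back-ups, where the provider only has to store bytes. It does not fit workloads where the provider must process plaintext (a managed database answering queries, a SaaS CRM rendering records), which is why the "where are the keys" question needs an answer per workload rather than once for the whole estate. Note also that TLS, as listed in the tip above, protects data in transit from third parties but gives no protection against the provider itself; that is what the client-side key is for.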

Tip

Choose managed hosting and leave maintenance, including back-ups, to Combell’s experts.

✅ Document every choice

Be able to demonstrate why you chose certain cloud providers, security measures, or contractual terms. Clear documentation helps with internal follow-up and strengthens your position during audits or compliance reviews.

Choose Combell: your data safe in Europe

With Combell, you can count on managed hosting, private cloud, and security solutions that remain entirely within the EU. Our data centres are located in the Benelux and meet the strictest GDPR standards.

Want to make sure your data doesn’t end up in a legal grey area?