The CLOUD Act explained: what it means for your data in Europe

You use Google Drive, OneDrive or Dropbox. You’ve heard something about the CLOUD Act — and you’re wondering whether it’s something to be concerned about.

Short answer: yes, the risk is real. US legislation makes it possible, in certain circumstances, for your files to be requested — even if you store them with a provider that uses European servers. But there’s no need to panic. You can make a deliberate choice to use services that fall outside its scope.

In this article, we explain how that works and what to look out for.

What is the CLOUD Act?

The CLOUD Act — short for the Clarifying Lawful Overseas Use of Data Act — is a US law that came into effect in 2018. It gives American government authorities the right to demand data from US technology companies via a court order. This applies even if that data is physically located outside the United States.

In practice: an authorised government body — such as the FBI, the Department of Justice (DOJ) or the DEA — can apply to a court for an order. If that order is granted, the American company is legally required to comply, regardless of whether the server sits in Virginia or Amsterdam.

Why was the CLOUD Act introduced?

Before 2018, American technology companies faced genuine legal uncertainty about what to do when US authorities requested data stored on servers abroad. Were they bound by the local law of the country where the server was located, or by US law?

Microsoft tested that boundary: it refused to comply with a government request for emails stored on servers in Ireland, arguing that Irish law applied. The case dragged through the courts for years.

The US Congress resolved that uncertainty by introducing the CLOUD Act. The law states clearly: if the company is American, the US can request the data — regardless of where that data is stored.

Which companies does the CLOUD Act apply to?

The CLOUD Act applies to companies that fall under US jurisdiction. That includes:

  • Companies incorporated or registered in the US
  • Companies with a US parent company that exercises control
  • Companies otherwise considered “American” under US law

Is the company purely European, with no American owner or legal entity? Then it falls outside the CLOUD Act.

Does the CLOUD Act apply to data stored in Europe?

Yes — and that is precisely the point. Server location is not what the CLOUD Act is about. What matters is who runs the company.

Google has data centres in the Netherlands and Ireland. Microsoft has servers in Amsterdam. None of that changes their legal status: both are American companies, and both fall fully under the CLOUD Act. A court order from Washington applies, even if your files sit on a server in Amsterdam.

What does “American company” mean in practice?

A company is “American” in this context if it was incorporated under US law, or if a US parent company holds control over it. A stock exchange listing in the US, a holding company in Delaware, a majority stake held by a US concern: all of these place a company within the reach of the CLOUD Act.

Does the CLOUD Act apply to European subsidiaries of American companies?

In principle, yes. If a European entity is a subsidiary of an American company, and the US parent company is technically capable of producing the data, then the CLOUD Act applies. The rule is straightforward: if the company has a US parent or is itself American, it falls under the CLOUD Act — regardless of whether the European branch is separately registered.

Does Google Drive, OneDrive or Dropbox fall under the CLOUD Act?

| Provider | Parent company | Incorporated | Under CLOUD Act? |
| --- | --- | --- | --- |
| Google Drive | Alphabet Inc. | US | Yes |
| Microsoft OneDrive | Microsoft Corp. | US | Yes |
| Dropbox | Dropbox Inc. | US | Yes |
| Apple iCloud | Apple Inc. | US | Yes |
| Box | Box Inc. | US | Yes |
| Amazon S3 / AWS | Amazon.com Inc. | US | Yes |
| Proton Drive | Proton AG | Switzerland | No |
| Internxt | Internxt Cloud S.L. | Spain | No |
| The Good Cloud | Dutch company | Netherlands | No |

That is the core of the question. Not: is the server in Europe? But: is the company American?

Does a European data centre protect you?

No — not if the company itself is American.

This is the most common misconception. Providers like Google and Microsoft communicate prominently about their European data centres, GDPR compliance, and “data stored in the EU”. Those are genuine guarantees about data location — but they change nothing about legal exposure under the CLOUD Act.

Why “servers in Europe” is not enough

A court order is not directed at the server. It is directed at the company. Take Google as an example: Google Amsterdam is part of Alphabet Inc., an American company registered in Delaware. When the US issues an order to Alphabet, Alphabet is legally required to comply, including data on servers outside the US.

“GDPR-compliant” and “servers in Europe”: what those promises do and don’t mean

Many cloud providers communicate prominently about GDPR compliance and European servers. Those promises are not inaccurate in themselves: they relate to how data is processed and stored under the GDPR. But they say nothing about the CLOUD Act, and that distinction is one many users miss.

The CLOUD Act sits outside the GDPR framework. It is US legislation about who can access your data, not European legislation about how that data is stored. Both laws exist in parallel, but they cover different parts of the question.

More and more providers use digital sovereignty primarily as a marketing term. Read more on Sovereignty washing: how Big Tech pretends to go European

What actually protects you from the CLOUD Act?

The simplest answer: choose a provider whose parent company is not American. Consider European providers such as Proton Drive (Switzerland), Internxt (Spain) or The Good Cloud (Netherlands). What they have in common: no US parent company, no US legal entity in their ownership structure.

A purely European company — with European ownership, a European legal entity, and no American shareholder calling the shots — simply falls outside the CLOUD Act. There is no legal basis for a US court order. There is no parent company in the US that can be compelled to act.

The difference between a European data centre and a European company

This distinction is at the heart of the matter:

  • European data centre of a US company → CLOUD Act applies
  • European company with European ownership → CLOUD Act does not apply

Take The Good Cloud as an example: it is a Dutch company. It runs Nextcloud on servers that The Good Cloud manages itself in the Netherlands. There is no US parent company, no American holding, no US legal entity in the ownership structure. A US court order has no point of entry.

More on why more and more people are switching to European alternatives: Switching to European tech: why people are making the move

What “no US parent company” means in practice

It means there is no company in the US that can be ordered to hand over data from your provider. The legal chain does not run through the US. This is not a contractual arrangement, not an opt-out, not a technical workaround — it is a structural fact based on ownership and legal entity.

The CLOUD Act and GDPR — two laws in conflict

The GDPR prohibits the transfer of personal data outside the EU without adequate safeguards. The CLOUD Act requires American companies to cooperate with government requests — even when that data is in Europe.

For an American company with European customers, this creates a legal bind. On one side: the CLOUD Act requires cooperation if US authorities request data. On the other: the GDPR prohibits transferring personal data outside the EU without the right safeguards. The company cannot comply with both laws simultaneously. A provider may attempt to resist or pursue legal challenges, but that is never a guarantee.

European data protection authorities (the EDPB and EDPS) have addressed this directly: the combination of the CLOUD Act and the GDPR creates a structural conflict for organisations processing personal data via American providers.

In brief:

  • US law (CLOUD Act): the company must cooperate with a government request
  • European law (GDPR): the company may not freely transfer personal data outside the EU
  • Result: an American company with European customers is structurally caught between two incompatible legal obligations

How to choose cloud storage that falls outside the CLOUD Act

There are three routes, depending on your situation.

Switch to a European cloud company

The most direct solution: use a provider that does not fall under the CLOUD Act because it is not an American company. When switching, check:

  • Is the parent company European?
  • Is the legal entity registered in Europe?
  • Is there no US parent company with controlling interest?

For those who need collaboration — shared folders, document editing, teams — there are European alternatives to Google Drive or OneDrive. The Good Cloud offers managed Nextcloud from the Netherlands. For straightforward storage without collaboration, Proton Drive or Internxt are solid options.

Browse a comparison of European Cloud Storage Alternatives.

Use BYOK encryption (for enterprise and technical users)

If switching is not an option — because your organisation depends on Microsoft 365 or another American suite — BYOK (Bring Your Own Key) provides a technical layer of protection. You manage your own encryption keys, meaning the provider cannot read your data and therefore cannot hand it over.

This is an enterprise solution that requires technical setup. It protects the content of files but not metadata or access patterns.
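The protection and its limit, as an added example (not from the original article and not any provider's BYOK feature): a file is encrypted on the customer's side before upload, and the stored record still exposes name, timestamp and exact size. It assumes the key-encryption key is generated and kept by the customer and never reaches the provider; all function names and the sample file are hypothetical.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM encrypt; `aad` is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// AES-256-GCM decrypt; final() throws if the key, tag or aad do not match.
function unseal(key, box, aad) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Runs on the customer's machine. `kek` (key-encryption key) is assumed to
// stay there; only the returned record is uploaded.
function encryptForUpload(kek, name, plaintext) {
  const aad = Buffer.from(name, "utf8"); // binds the ciphertext to its file name
  const dek = crypto.randomBytes(32);    // fresh data key per file
  return {
    name,                                // stored in clear
    modified: new Date().toISOString(),  // stored in clear
    body: seal(dek, plaintext, aad),
    wrappedDek: seal(kek, dek, aad),     // data key is only ever stored wrapped
  };
}

function decryptDownload(kek, record) {
  const aad = Buffer.from(record.name, "utf8");
  return unseal(unseal(kek, record.wrappedDek, aad), record.body, aad);
}

// Everything a party holding only the stored record (no KEK) can read.
function providerView(record) {
  return { name: record.name, modified: record.modified, size: record.body.ct.length };
}

// Constructed sample input, not real data.
const kek = crypto.randomBytes(32);
const doc = Buffer.from("constructed sample: confidential client notes", "utf8");
const record = encryptForUpload(kek, "client-notes.txt", doc);
console.log(providerView(record));                          // name, time, exact size
console.log(decryptDownload(kek, record).toString("utf8")); // needs the KEK
```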

When is action less urgent?

If you only store your own files and no personal data belonging to others, the CLOUD Act is less immediately relevant. The chance that US authorities have any interest in your personal photos or notes is, in practice, minimal.

However, once you store client data, medical information, legal documents or commercially sensitive material — particularly if you process it on behalf of others — choosing a provider that falls outside the CLOUD Act becomes a concrete consideration.

Frequently asked questions about the CLOUD Act

Does Microsoft fall under the CLOUD Act?

Yes. Microsoft Corporation is an American company, incorporated in the state of Washington. OneDrive, SharePoint and Microsoft 365 fall fully under the CLOUD Act, even if your data is stored in a European Microsoft data centre.

Can US authorities access my Google Drive?

In theory, yes — via a court order under the CLOUD Act. In practice, the threshold is high: a judicial order is required, and Google can challenge it in certain circumstances. But the legal possibility exists — and choosing a provider that falls outside the law removes it structurally.

What is the difference between the CLOUD Act and the GDPR?

The GDPR is European legislation that regulates how personal data must be processed and protected. The CLOUD Act is US legislation that requires American companies to cooperate with government requests for data access. The two laws operate in parallel and create a legal conflict for American companies operating in Europe.

Is my data safe if my provider has servers in the Netherlands?

Not automatically. Server location determines where data is physically held — not who can legally demand access to it. If your provider is an American company or a subsidiary of one, the CLOUD Act applies regardless of where the server is located.

Does the CLOUD Act apply to individuals and freelancers?

The CLOUD Act makes no distinction based on the type of user. What matters is the company managing the data, not who stored it. For freelancers and self-employed professionals who process client data, the combination of the CLOUD Act and GDPR obligations is an additional reason to choose a European provider.

Does a European cloud company also fall under the CLOUD Act?

No — if the company has purely European ownership, no US parent company, and does not fall under US law, the CLOUD Act does not apply. There is no legal point of entry for a US court order.

Now that you understand how the CLOUD Act works, the next step is straightforward: choose a provider that falls structurally outside it.

The Good Cloud offers managed Nextcloud from the Netherlands — European ownership, no US parent company, and the same functionality as Google Drive or OneDrive.