Regulatory

The US CLOUD Act explained: why your data centre location doesn’t mean your data is safe

In a French Senate hearing, a Microsoft executive was asked whether data belonging to French citizens could be transmitted to the US government without French consent. His answer was revealing: he could not guarantee it would not happen.

This was not evasion. It was honesty. Under the US CLOUD Act, he is legally unable to make that guarantee. And the implications extend far beyond France.

What the CLOUD Act says

The Clarifying Lawful Overseas Use of Data Act was passed in 2018. Its core provision is straightforward: if a company is under US jurisdiction, it can be compelled to hand over data in its possession, custody, or control—regardless of where that data is physically stored.

Not where the server sits. Not which country’s flag flies outside the data centre. Not which regional subsidiary technically operates the service. What matters is corporate control. If a US-headquartered parent company controls the entity that holds your data, the CLOUD Act applies.

This covers Microsoft, Google, Amazon Web Services, and every downstream service built on their infrastructure. It also covers any company incorporated in the United States, or any foreign company with sufficient contacts with the US to establish jurisdiction.

The Canadian precedent

A CMS white paper documented a case where Canadian courts compelled OVHcloud—a French-headquartered cloud provider—to hand over data stored in France, the UK, and Australia. The legal mechanism was different from the CLOUD Act, but the principle was identical: corporate jurisdiction, not server location, determines who can access your data.

The lesson is that "hosted in Europe" is not a compliance statement. It is a marketing statement. The question that matters is: which government has legal authority over the entity that controls the data?

The UK-US Data Access Agreement

In July 2022, the UK and US signed a bilateral Data Access Agreement. It became operational in October 2022. Under this agreement, UK and US law enforcement agencies can serve warrants directly on service providers in each other’s jurisdictions, bypassing the traditional mutual legal assistance treaty process.

For UK firms using US cloud providers, this creates a bilateral framework that makes cross-border data access routine rather than exceptional. A US warrant can now reach data held by a US provider on behalf of a UK law firm, and the provider is legally obligated to comply.

The agreement includes safeguards—orders must relate to serious crime and must target specific accounts rather than bulk surveillance. But the fundamental reality is that data held by US-controlled entities is accessible to US authorities through a streamlined process, regardless of where it is stored.

What this means for UK law firms

Rule 6.3 of the SRA Code of Conduct requires solicitors to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law, or the client consents. The SRA has been clear that this obligation applies regardless of the technology used to handle client information.

The Information Commissioner’s Office has investigated Microsoft 365 Copilot deployments in the UK, examining whether the data processing arrangements meet UK GDPR requirements. The ICO’s position is that organisations using US cloud services must conduct a transfer impact assessment and implement supplementary measures where standard contractual clauses alone are insufficient.

For law firms, the exposure is compounded. Legal professional privilege is not merely a contractual obligation—it is a fundamental right. A US warrant served on a US cloud provider holding privileged material creates a direct conflict between US legal process and UK privilege protections. The cloud provider is caught between two legal systems, and the firm may never know that the conflict occurred.

The only complete mitigation

The only way to fully eliminate CLOUD Act exposure is to use providers that are not subject to US jurisdiction. This means the corporate entity controlling the data—not just the physical server, not just the regional subsidiary, but the ultimate parent company—must sit outside US legal reach.

European-incorporated hosting providers on European-owned infrastructure, such as Hetzner (Germany), OVHcloud (France), or Scaleway (France), are not US persons and, provided they lack the US contacts described above that could establish jurisdiction, cannot be compelled under the CLOUD Act. When the entire chain of custody—from the company that owns the server to the company that operates the service—is European, the US has no legal mechanism under the Act to compel production.

At PrivateNode, every component of the stack runs on European-owned infrastructure under European jurisdiction. No US entity appears anywhere in the chain of control. For firms that take client confidentiality seriously, this is not a feature. It is the foundation.
