The Clarifying Lawful Overseas Use of Data Act — the CLOUD Act — was signed into law in 2018. It does something simple: it gives US law enforcement the legal authority to compel any US-based technology company to hand over data stored on its servers, regardless of where in the world those servers are physically located.
If your organization uses Google Workspace, Microsoft 365, AWS, or any US-headquartered cloud provider, the CLOUD Act applies to your data. It does not matter that your office is in Berlin, that your servers are in Frankfurt, or that your contract specifies EU data residency. The legal jurisdiction follows the company, not the data center.
This is not a theoretical risk.
What the CLOUD Act actually says
Before 2018, US law enforcement needed a Mutual Legal Assistance Treaty (MLAT) to request data stored outside the US. The process was slow, involved foreign governments, and had oversight. The CLOUD Act bypassed this entirely. A US court can now issue a warrant directly to Microsoft, Google, or Amazon, and the company must comply — even if the data is stored in Ireland, Germany, or Singapore.
The justification was efficiency: criminal investigations were being delayed by the MLAT process. The consequence is that every byte of data stored by a US provider is within reach of US authorities, with no notification to the data subject or their government.
Why this matters for organizations
For most consumer users, this is background noise. For organizations handling sensitive data — legal documents, beneficiary records, medical research, human rights testimony, financial data — it is an operational reality with concrete consequences:
- GDPR conflict. The CLOUD Act creates a direct conflict with the EU's General Data Protection Regulation. An organization cannot simultaneously comply with a US warrant demanding data and an EU regulation prohibiting the transfer of that data without adequate safeguards. There is no resolution to this conflict. It is structural.
- No safe harbor. The EU-US Privacy Shield was invalidated by the Schrems II ruling in 2020. Its replacement, the EU-US Data Privacy Framework, faces the same legal challenges. Organizations relying on "adequacy decisions" are building on sand.
- AI makes it worse. Every document you upload to a US-hosted AI service — ChatGPT, Gemini, Copilot, NotebookLM — is processed on US infrastructure by a US company. The CLOUD Act applies. For organizations that cannot risk data exposure, this means the most powerful tools available are off-limits.
The structural problem
The CLOUD Act is not the disease. It is a symptom of a deeper structural reality: when your data lives on someone else's infrastructure, you do not control it. You rent access to it. The terms of that access are set by the provider and the provider's government, not by you.
This is not solved by switching from Google to Microsoft, or from AWS to Azure. The jurisdiction follows the company. It is solved by changing where the data lives and where it is processed. Local-first architecture — where data stays on hardware you own, where computation happens on your device, where the network is optional and encrypted — is not a philosophical preference. It is the only architecture that makes data sovereignty real rather than contractual.
The organizations that need this most are exactly the ones least served by the current market: NGOs handling beneficiary data, research institutions working with human subjects, legal teams managing privileged communications, civil society organizations operating in politically contested environments. These are not edge cases. They are the organizations doing the most consequential work.
What comes next
The regulatory environment is tightening. The EU AI Act requires organizations to know where AI systems process their data. European governments are beginning to mandate sovereign cloud infrastructure for public administration. Germany's federal agency ZenDiS is actively working on alternatives to US-based software dependencies.
The question is not whether the shift will happen. It is whether the alternatives will be ready when organizations need them. The current market offers a false choice: capability or sovereignty. Cloud AI or no AI. The work we are doing is to prove that this is a false dilemma — that intelligence can run on infrastructure you own.