
GDPR Article 48 vs the CLOUD Act: The Legal Collision Nobody Resolved

By LumaVista Team

Imagine you’re the general counsel of a mid-size US tech company with European customers. It’s Tuesday morning. A CLOUD Act warrant lands on your desk. The Department of Justice wants the account data of a German customer — emails, files, usage logs. You have 14 days to comply or face contempt of court.

You call your EU privacy counsel. She tells you that handing over a German citizen’s personal data to a foreign government without an international agreement violates GDPR Article 48. The fine? Up to 4% of your company’s global annual turnover.

So you have two options. Comply with the warrant and violate European law. Or refuse the warrant and violate American law. There isn’t a third door. And nobody — not the US Congress, not the European Commission, not any court on either side of the Atlantic — has given you one.

What GDPR Article 48 actually says

Article 48 of the General Data Protection Regulation is short enough to fit in a tweet. Here’s the key sentence:

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

In plain English: if a non-EU government orders a company to hand over personal data held in the EU, that order isn’t enforceable under EU law unless there’s a treaty backing it up. A US court order, on its own, doesn’t qualify. A Chinese government demand doesn’t qualify. A UK court order didn’t qualify either — until the UK signed a specific agreement.

The logic behind Article 48 is straightforward. The EU treats personal data as a fundamental right (it’s in Article 8 of the EU Charter of Fundamental Rights). Allowing foreign governments to reach into EU jurisdiction and extract that data through their own courts — without any oversight from EU institutions — would hollow out that right entirely.

Article 48 is the lock on the door. It says: you need our permission, in the form of a treaty, before you can take data out.

What the CLOUD Act says

The Clarifying Lawful Overseas Use of Data Act, signed into US law on March 23, 2018, says something very different. Under 18 U.S.C. § 2713, a provider of electronic communications or remote computing services “shall comply” with any obligation to preserve, backup, or disclose data “regardless of whether such communication, record, or other information is located within or outside of the United States.”

That’s the whole mechanism. If you’re a company subject to US jurisdiction — incorporated in the US, headquartered there, or with substantial US business operations — you must hand over data when served with a valid warrant. The server’s physical location is irrelevant. Frankfurt, Dublin, Singapore — doesn’t matter. If the company is American, the data is reachable.

We covered the CLOUD Act’s full history and mechanics in The CLOUD Act and Your AI Research, including how it grew out of the United States v. Microsoft case over emails stored in Ireland. The short version: Congress passed the CLOUD Act specifically to make sure “the data is overseas” would never be a defense again.

Figure: General counsel caught between a CLOUD Act warrant and GDPR Article 48 — two laws requiring opposite actions.

Congress passed the CLOUD Act specifically to ensure that “the data is overseas” would never be a valid defense again. The location of the servers is irrelevant — corporate jurisdiction is everything.

The direct collision

Here’s the thing. Both laws are in force right now. Neither one defers to the other. And they directly contradict each other.

GDPR Article 48 says: a US court order isn’t sufficient basis to transfer EU personal data — you need an international agreement.

The CLOUD Act says: a US court order is all that’s needed — hand it over, regardless of where it’s stored.

A US company operating in both jurisdictions can’t obey both. Full stop. Comply with the CLOUD Act warrant, and you’ve made an unauthorized transfer of personal data under GDPR. Refuse the warrant to comply with GDPR, and you’re in contempt of a US federal court. Both outcomes carry serious consequences.

On the GDPR side, we’re not talking about a wrist-slap. The maximum penalty is €20 million or 4% of global annual turnover, whichever is higher. On the US side, contempt of court can mean daily fines, sanctions, and — in extreme cases — criminal prosecution of officers.

This isn’t a theoretical edge case that lives in law review articles. It’s the daily operational reality for every US tech company that processes European personal data.

The motion-to-quash defense (and why it usually fails)

The CLOUD Act does include a safety valve — sort of. Under 18 U.S.C. § 2703(h), a company can file a motion to quash or modify a CLOUD Act order within 14 days. But the conditions are stacked:

  1. The customer must not be a US person and must not reside in the US. If the target is a US citizen or permanent resident — or anyone living in the US — you can’t use this defense at all.
  2. Compliance must create a material risk of violating the law of a qualifying foreign government. Not just any foreign government — one that has signed a CLOUD Act executive agreement with the US.
  3. The court must find that foreign interests outweigh US interests based on a multi-factor “comity analysis.”

Here’s the problem with condition two. As of early 2026, only the United Kingdom and Australia have signed CLOUD Act executive agreements with the US. No EU member state has one. Not Germany. Not France. Not Ireland, where half of Silicon Valley’s European subsidiaries are headquartered.

That means for any EU customer’s data, the motion-to-quash path is effectively closed. You can still try — citing GDPR as a conflicting legal obligation — but without a qualifying executive agreement, courts have little statutory basis to grant the motion. You’re asking a US judge to prioritize a foreign regulation over a US warrant, with no treaty framework backing up the request.

The CLOUD Act’s safety valve exists on paper. In practice, it doesn’t work for Europe.

Figure: The CLOUD Act motion-to-quash as a narrow escape hatch with restrictive conditions — no EU keys available.

What providers actually do

So what happens when a US company gets a CLOUD Act warrant for EU data? The honest answer is: they usually comply.

Most CLOUD Act warrants come with non-disclosure provisions — gag orders that prevent the company from telling the customer their data was accessed. The company hands over the data, doesn’t tell anyone, and hopes that no European data protection authority ever finds out.

This isn’t speculation. It’s the rational strategy under the current legal framework. The CLOUD Act penalty for non-compliance is immediate and certain (contempt of court, with a specific judge issuing specific sanctions). The GDPR penalty for unauthorized transfer is probabilistic — a DPA has to learn about the transfer, investigate it, and decide to act. Most companies calculate that the certain penalty outweighs the probabilistic one.

The problem with this strategy is that “probabilistic” doesn’t mean “zero.”

Most companies calculate that a certain US contempt penalty outweighs a probabilistic EU fine. But probabilistic does not mean zero — and enforcement is getting more aggressive.

The Meta precedent

In May 2023, the Irish Data Protection Commission fined Meta Platforms Ireland €1.2 billion — the largest GDPR fine ever issued — for transferring EU personal data to the US without adequate legal basis. The DPC also ordered Meta to stop the transfers entirely within six months and to delete any unlawfully transferred data.

The fine wasn’t specifically about the CLOUD Act. It was about Meta’s continued use of Standard Contractual Clauses after the CJEU’s Schrems II decision had effectively undermined them. But the underlying problem is the same: EU personal data flowing to a jurisdiction where US government access isn’t constrained by EU standards.

If you’ve been following The Schrems Cycle, you’ll recognize the pattern. Each EU-US data transfer framework gets struck down because the underlying US surveillance authorities — FISA 702, Executive Order 12333, and yes, the CLOUD Act — haven’t changed. The frameworks are diplomatic patches over a structural incompatibility.

The Meta fine shows that EU enforcement is real, substantial, and getting more aggressive. The “comply quietly and hope nobody notices” strategy has an expiration date.

Why this hasn’t been resolved

You’d think that a direct legal collision between two of the world’s largest economies — affecting every tech company that operates in both — would have been resolved by now. It hasn’t. Here’s why.

The Data Privacy Framework isn’t the answer. The current EU-US Data Privacy Framework, adopted in July 2023, addresses a different problem. It’s about creating a legal basis for routine commercial data transfers — replacing the invalidated Privacy Shield. It doesn’t address what happens when a US court orders a specific company to hand over specific data under the CLOUD Act. Article 48 isn’t resolved by the DPF because the DPF isn’t an “international agreement” of the kind Article 48 requires for recognizing foreign court orders.

CLOUD Act executive agreements could be the answer — but don’t exist for Europe. The CLOUD Act explicitly contemplated bilateral agreements between the US and foreign governments. These agreements would create a framework for cross-border data requests that both sides recognize. The UK signed one. Australia signed one. The EU hasn’t, and negotiations aren’t publicly progressing. Without such an agreement, the Article 48 conflict remains completely unresolved.

Neither side has an incentive to blink first. The US isn’t going to amend the CLOUD Act to exempt EU data — that would create a massive gap in law enforcement capability. The EU isn’t going to amend Article 48 to recognize US court orders — that would undermine the fundamental rights framework that GDPR is built on. And as long as companies keep quietly complying with warrants without public consequences, there’s no political crisis forcing a resolution.

So the collision sits there. Unresolved. Both laws fully in force. Every US tech company with European customers operating in the gap between them.

Figure: Unresolved legal deadlock between US surveillance authority and EU fundamental rights, with failed frameworks between them.

No EU member state has signed a CLOUD Act executive agreement with the US. The motion-to-quash safety valve exists on paper but is effectively closed for European data.

What this means for you

If your organization stores data with a US-headquartered cloud or AI provider, you’re in this collision zone whether you know it or not. Your data is EU-resident but not EU-sovereign — it lives in a Frankfurt data center, but the company that operates that data center answers to US courts.

Here’s what you can do:

  1. Understand your exposure. Map which of your service providers are subject to US jurisdiction. This isn’t just US-headquartered companies — it includes any company with substantial US operations, which covers most major cloud and AI providers.

  2. Read the fine print on “EU data residency.” Residency promises mean your data is stored on EU hardware. They don’t mean it’s protected from US legal process. Ask your provider directly: “If you receive a CLOUD Act warrant for our data, what do you do?”

  3. Evaluate EU-sovereign alternatives. For sensitive workloads — legal, medical, financial, research — consider providers that are structured entirely outside US jurisdiction. LumaVista, for example, processes AI workloads entirely within EU jurisdiction, with no US parent company and no US subsidiary. There’s no entity for a US court to serve.

  4. Don’t rely on the Data Privacy Framework alone. The DPF may address routine commercial transfers, but it doesn’t resolve the Article 48/CLOUD Act collision for compelled disclosures. Treat it as a floor, not a ceiling.

  5. Watch for CLOUD Act executive agreement negotiations. If the EU and US ever sign a bilateral CLOUD Act agreement, it would significantly change the landscape. Until then, the collision is live.

  6. Talk to your legal counsel about conflicting-law scenarios. Most privacy compliance programs are built for steady-state compliance. Few have a playbook for “two governments are simultaneously ordering us to do opposite things.” That playbook needs to exist.

The uncomfortable truth is that this legal collision doesn’t have a clean answer right now. Two laws, both legitimate within their own jurisdictions, directly contradicting each other. The only real protection isn’t legal — it’s structural. If your data is processed by an entity that’s outside US jurisdiction entirely, the CLOUD Act simply doesn’t reach it. No collision, no impossible choice.

Until someone actually resolves this — through treaty, through legislation, through a landmark court ruling — that structural approach is the only one that works.