How the CLOUD Act–GDPR Standoff Actually Ends
By LumaVista Team
Here’s a question we get asked a lot: the CLOUD Act says US authorities can reach data held by US companies anywhere in the world. GDPR Article 48 says they can’t — not without a treaty, and there is no treaty. Both laws are fully in force. So which one wins?
The honest answer is that the question is built on a false premise. It assumes there’s a showdown coming — some landmark case where a judge finally rules which law trumps the other. That showdown has had eight years to happen. It hasn’t. And once you understand why it never will, you can see where the conflict is actually being resolved: not in courtrooms, but in procurement decisions.
We’ve covered the two halves of this collision before — what Article 48 and the CLOUD Act each demand, and why every EU-US transfer framework keeps getting struck down. This post is about the third act: how it ends.
Why there’s no courtroom showdown coming
Start with what happens to a US provider that gets served. The penalty for refusing a US warrant is contempt of federal court — specific judge, specific sanctions, specific timeline, often measured in days. The penalty for complying, on the EU side, is theoretical exposure to a GDPR fine that requires a data protection authority to first learn about the disclosure (most warrants come with gag orders), then investigate, then act.
One side of the conflict has an enforcement mechanism that bites next week. The other has one that has — as far as the public record shows — never bitten at all. We’re not aware of a single published GDPR enforcement action against a provider specifically for complying with a CLOUD Act warrant. The big transfer fines exist, but they’re about something else: the €1.2 billion Meta decision punished routine commercial transfers under Standard Contractual Clauses, not compliance with a US disclosure order.
This isn’t because EU regulators think compliance is fine. The EDPB and EDPS said the opposite in their July 2019 joint assessment: unless an international agreement exists, a CLOUD Act order gives a provider essentially no lawful basis to disclose — they walked through every GDPR derogation and found that only the narrow “vital interests” exception could ever fit. The legal position is clear. The enforcement follow-through is absent.
The US side has no such hesitation. The Supreme Court settled the principle back in 1987 in Aérospatiale: a foreign blocking statute doesn’t deprive a US court of the power to order a party under its jurisdiction to produce evidence, even when the act of production violates that foreign law. Courts run a comity balancing test — and US law-enforcement interests tend to weigh heavily in it. The CLOUD Act’s own built-in escape hatch, the motion to quash under § 2703(h), only applies when the conflicting law belongs to a “qualifying foreign government” — and no EU member state has signed the executive agreement that status requires.
So when a provider weighs a certain, immediate US penalty against an unprecedented, probabilistic EU one, the math does itself. Providers comply. The GDPR violation sits on the books, unenforced. That’s the de facto resolution, and it’s been stable for eight years.

The numbers nobody quotes
Now, before this sounds like the US government is rummaging freely through European corporate data: the empirical reality is much smaller than the legal exposure, and it’s worth being precise about both halves.
CLOUD Act demands are criminal warrants against specific accounts — fraud, drugs, child exploitation cases. They overwhelmingly target individuals, not companies. Microsoft’s published figures for the first half of 2023: 172 law-enforcement requests worldwide aimed at enterprise cloud customers, out of which it disclosed actual content in 28 cases — 22 of them for US law enforcement. That’s across Microsoft’s entire global enterprise customer base, in six months. Microsoft also says it tries to redirect authorities to the customer itself and notifies the customer unless a court forbids it.
So the nightmare scenario — bulk extraction of an EU company’s cloud tenant — is legally possible and empirically rare. Anyone selling you sovereignty solutions on the claim that this happens constantly is overstating the evidence.
But here’s the other half, and it’s just as well-documented. In June 2025, the director of public and legal affairs at Microsoft France was asked under oath, in a French Senate hearing, whether he could guarantee that French citizens’ data would never be handed to US authorities without French approval. His answer: “No, I cannot guarantee that.” That’s the entire conflict compressed into one sentence of sworn testimony. The risk is small in frequency. It is not zero, it is not contractible away, and the providers themselves admit it when placed under oath.
For a regulated European organization — legal, medical, financial, public sector — “rare but unguaranteeable” is exactly the kind of risk that procurement rules and professional duties don’t let you wave through.
Brussels is building the same weapon
If you’re waiting for the EU to force this to a crisis, here’s the twist: the EU just built its own CLOUD Act.
The e-Evidence Regulation (EU) 2023/1543 — which applies from 18 August 2026 — lets a judicial authority in one member state order any service provider offering services in the EU to produce electronic evidence, regardless of where the data is stored and regardless of where the provider is headquartered. Sound familiar? It’s the same extraterritorial logic the EU has spent eight years objecting to, with the geography flipped.
That tells you where this lands politically. Both sides now want the same tool; neither has clean hands; and the obvious endgame is the one the CLOUD Act was designed for from day one — a bilateral agreement. EU-US negotiations on an e-evidence agreement opened in 2019, stalled for years, and resumed in 2023 after the EU finished its internal framework. The UK already signed one. When the EU version eventually lands, it gives Article 48 the international agreement it’s been demanding — and legalizes a narrow law-enforcement channel that exists in practice anyway.
Notice what a treaty would and wouldn’t fix. It would resolve the Article 48 collision for criminal warrants. It would do nothing about the Schrems problem — intelligence surveillance under FISA 702, which is a separate statute, a separate fight, and the reason transfer frameworks keep dying. The two issues share a root cause: US law grants non-US persons essentially no enforceable rights, and only Congress can durably change that.

The market isn’t waiting — procurement is the courtroom
While the diplomats negotiate, the actual resolution is happening in RFPs. European customers with regulated workloads have spent the last few years voting with their infrastructure budgets, and the providers’ product roadmaps show it.
Microsoft completed its EU Data Boundary in February 2025 — EU customer data stored and processed within the EU. AWS went further and launched a separately-governed European Sovereign Cloud in January 2026, with German-incorporated subsidiaries, an EU-resident managing director, and an EU-citizen advisory board. These offerings exist because enough customers asked the CLOUD Act question that answering it became a product category.
But look closely at what each one actually solves. The CLOUD Act’s hook is possession, custody, or control by a company subject to US jurisdiction — not where the server sits. Residency guarantees, like the EU Data Boundary, don’t touch that at all; that’s the gap the French Senate testimony exposed, and it’s the distinction we unpacked in Data Sovereignty Is Not Data Residency. Even the AWS sovereign cloud, for all its genuine governance engineering, remains a wholly-owned subsidiary of Amazon.com, Inc. — which is precisely the corporate-control question a US court would probe. We tore down what each vendor’s “sovereign” actually promises in our sovereign cloud teardown.
Strip away the marketing and there are exactly two structural escapes:
EU legal control. If the entity that controls the data has no US parent and no US nexus, there’s nothing for a US court to serve. Not “EU region,” not “EU staff” — EU ownership of the legal entity that holds the data. This is the only configuration where the CLOUD Act analysis ends before it starts.
Encryption where the provider never holds the key. A warrant compels a provider to produce what it possesses. If what it possesses is ciphertext and the keys live only with you, the warrant is satisfied with ciphertext. The CLOUD Act is deliberately encryption-neutral — its executive-agreement provisions explicitly bar creating any obligation that providers be capable of decrypting data, and the statute creates no new decryption-compulsion authority. End-to-end encryption converts the legal question into a mathematical one.
Do both and the unresolved treaty situation stops being your problem. That’s the posture we built LumaVista around: EU-owned infrastructure with no US entity in the chain, and end-to-end encryption where the platform never holds user keys. Not because we expect a warrant — the numbers above say we shouldn’t — but because “I cannot guarantee that” is not an answer we’d want to give under oath.
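To make the second escape concrete: the following is an added example written for this post, not LumaVista's code or any vendor's SDK. It models the customer-held-key arrangement with Go's standard library AES-256-GCM. The provider type stores opaque blobs and its "disclose" function is an assumed stand-in for answering a production order; the object ids and record contents are constructed sample data. The point it demonstrates is the one in the paragraph above: what the provider possesses, and can therefore hand over, is ciphertext, and without the customer's key the authenticated decryption simply fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the provider ever stores: an opaque ciphertext plus the nonce
// it was sealed with. It carries no key material.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// Provider models a storage service holding blobs it cannot read.
type Provider struct{ store map[string]Blob }

func NewProvider() *Provider { return &Provider{store: map[string]Blob{}} }

// Put accepts whatever the customer uploads; no key travels with it.
func (p *Provider) Put(id string, b Blob) { p.store[id] = b }

// Disclose models the provider answering compulsory process: it produces
// exactly what it possesses for the requested object, which is ciphertext.
func (p *Provider) Disclose(id string) (Blob, bool) {
	b, ok := p.store[id]
	return b, ok
}

// Customer holds the only copy of the 32-byte AES-256 data-encryption key.
type Customer struct{ key []byte }

func NewCustomer() (*Customer, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Customer{key: k}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record on the customer side. The object id is bound as
// associated data, so a blob re-filed under another id will not open.
func (c *Customer) Seal(id string, plaintext []byte) (Blob, error) {
	aead, err := newAEAD(c.key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// Open decrypts with the customer's own key.
func (c *Customer) Open(id string, b Blob) ([]byte, error) { return OpenWithKey(c.key, id, b) }

// OpenWithKey is what any holder of a disclosed blob can attempt. Without the
// customer's key the GCM authentication tag fails and nothing is returned.
func OpenWithKey(key []byte, id string, b Blob) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != aead.NonceSize() {
		return nil, errors.New("malformed blob: bad nonce length")
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(id))
}

func main() {
	customer, err := NewCustomer()
	if err != nil {
		panic(err)
	}
	provider := NewProvider()
	const id = "tenant-a/records/0001" // constructed sample id
	record := []byte("constructed sample: patient record, not real data")

	blob, err := customer.Seal(id, record)
	if err != nil {
		panic(err)
	}
	provider.Put(id, blob)

	// The provider complies with a production order by handing over the blob.
	disclosed, _ := provider.Disclose(id)
	fmt.Printf("provider produced %d bytes of ciphertext\n", len(disclosed.Ciphertext))

	// A recipient without the key (here an all-zero guess) cannot open it.
	if _, err := OpenWithKey(make([]byte, 32), id, disclosed); err != nil {
		fmt.Println("recipient without customer key:", err)
	}
	plain, err := customer.Open(id, disclosed) // only the key holder recovers the record
	if err != nil {
		panic(err)
	}
	fmt.Println("customer recovers:", string(plain))
}
```

Two design points carry the legal argument. The key is generated and kept on the customer side, so there is no code path by which the provider could decrypt, and binding the object id as associated data means a disclosed blob cannot be quietly presented as a different record. In a real deployment the key would live in a customer-controlled KMS or HSM with rotation and backup, and the nonce-per-object scheme would need a uniqueness guarantee at scale; the example shows the trust boundary, not a production key-management service.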
What to do now
- Stop waiting for legal clarity. The collision has been stable for eight years and the incentives that keep it unresolved haven’t moved. Plan on today’s ambiguity persisting.
- Map your providers by corporate control, not server location. Follow each vendor’s chain to its ultimate parent. US-incorporated parent means CLOUD Act exposure, whatever the region selector says.
- Ask vendors the Senate question. “Can you guarantee our data will never be disclosed to a non-EU authority without our consent?” Watch what they do with the word guarantee. An honest US-owned vendor can’t say yes — Microsoft’s own counsel didn’t.
- Treat residency claims as marketing until proven otherwise. Data boundaries and EU regions solve latency and residency compliance. They don’t change who a US court can compel.
- Put your most sensitive workloads behind one of the two real escapes. EU-controlled entities, or end-to-end encryption with customer-held keys. Ideally both. Everything else is risk acceptance, which is fine — as long as it’s documented and deliberate.
- Diarize 18 August 2026. The e-Evidence Regulation starts applying. If you’re a service provider offering services in the EU, you’re about to be on the receiving end of the same extraterritorial logic — from EU authorities this time.
- Watch for an EU-US e-evidence agreement. When it lands, the Article 48 conflict narrows substantially for criminal warrants. The FISA 702 problem — and the next Schrems case — will still be there.
The CLOUD Act–GDPR standoff doesn’t end with a gavel. It ends the way it’s already ending: a treaty eventually legalizes the narrow channel, the surveillance fight rolls on through the Schrems cycle, and in the meantime every organization that can’t tolerate “I cannot guarantee that” quietly moves its sensitive work to architectures where no guarantee is needed. The verdict is being written one procurement decision at a time.