What is CLOUD Act?
A US law that allows federal law enforcement to compel US-based technology companies to provide data stored on servers regardless of where the data is physically located.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) extended US government reach to data stored anywhere in the world by US companies.
What It Does
- US law enforcement can compel US companies to hand over data regardless of where it's stored
- Creates a framework for bilateral agreements with other countries
- Partner countries can directly request data from US companies
Impact
- A US company storing data in Germany must still comply with US warrants
- Even non-US citizens' data is accessible if stored by a US company
- Bilateral agreements can override local privacy laws
Protection
- Use services from non-US companies (Proton in Switzerland, Tutanota in Germany)
- Use end-to-end encryption — even if the company must comply, they can't decrypt your data
- Self-host sensitive services on infrastructure outside US jurisdiction
Related Terms
Data Sovereignty
The principle that data is subject to the laws and regulations of the country where it is stored or processed.
Five Eyes
An intelligence alliance between the United States, United Kingdom, Canada, Australia, and New Zealand that shares surveillance data and signals intelligence. Privacy advocates consider Five Eyes countries higher risk for hosting privacy-focused services.
Subpoena
A legal order requiring a person or company to provide testimony, documents, or other evidence in legal proceedings. Service providers may receive subpoenas demanding user data, which is why privacy-focused services minimize data collection.
Have more questions?
Use our guided flow to get the right next privacy step for CLOUD Act.
Open Guided Flow