Summary

The US CLOUD Act compels providers subject to US jurisdiction to disclose data "regardless of" where it sits (18 U.S.C. § 2713). EU data protection law restricts disclosures to third-country authorities: GDPR Article 48 makes a third-country court or authority decision requiring transfer or disclosure enforceable only where based on an international agreement such as a mutual legal assistance treaty. A provider that obeys a CLOUD Act order without such a basis risks breaching the GDPR — a conflict of laws. The proposed Cloud and AI Development Act (CADA) treats this as a sovereignty problem rather than purely a data-protection one: recital 46 lists "vulnerabilities arising from the extraterritorial application of third-country laws", and CADA's higher Union assurance levels (Article 16) would require freedom from coercive third-country control. CADA is a proposal and not yet in force.

Detail

The conflict turns on the gap between the extraterritorial reach of the US CLOUD Act and the protections of the EU General Data Protection Regulation (GDPR).

The two regimes

Under the CLOUD Act, 18 U.S.C. § 2713 requires a provider of electronic communication service or remote computing service to "comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States." So a provider subject to US jurisdiction can be ordered to produce data held on servers in Frankfurt, Dublin or Paris.

On the EU side, GDPR Article 48 provides that a judgment of a court or a decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data is recognised or enforceable "only if based on an international agreement, such as a mutual legal assistance treaty" in force between the requesting country and the Union or a Member State — without prejudice to other transfer grounds under the GDPR. A provider that discloses personal data in response to a CLOUD Act order, absent such a basis, risks an unlawful transfer or processing under the GDPR. Principles such as purpose limitation are also strained where data collected for one purpose is accessed for another, such as national-security or law-enforcement use abroad.

The two regimes therefore push in opposite directions for the same provider holding the same data. US law (§ 2713) commands disclosure regardless of location; EU law restricts disclosure to third-country authorities to cases grounded in an international agreement. The CLOUD Act's own "comity" mechanism (18 U.S.C. § 2703(h)) offers only a partial and discretionary release valve: it lets a provider move to quash where the subscriber is not a US person and disclosure would create "a material risk that the provider would violate the laws of a qualifying foreign government", but it is available only where a qualifying executive agreement under § 2523 is in force, and the court still weighs the United States' investigative interests against the foreign interest. Where no such agreement covers the situation, the provider is left squarely between conflicting commands — the conflict-of-laws problem CADA seeks to design out for sensitive public-sector workloads.

How CADA frames the problem

The CADA proposal (COM(2026) 502 final) treats this as a sovereignty issue. Recital 46 states that the Union "remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries", which exposes it to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws", and to "reduced control and oversight over personal and non-personal data and infrastructure". The explanatory memorandum is more pointed still, noting that large incumbents "are subject to third-country jurisdictions where laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks."

CADA would mitigate this through a Union cloud computing sovereignty framework of four assurance levels (Article 16), with criteria in Annex II. The framework is meant to preserve public order by "maintaining control and agency by public-sector bodies" (recital 52). Levels run from level 1 (establishment and infrastructure in the Union) to level 4 (the provider and subcontractors not subject to third-country control).

The level 3 and 4 criteria bear most directly on the CLOUD Act conflict. At level 2, where a provider is under third-country control, it must demonstrate legal, technical and organisational measures preventing that control from restricting the service, preventing third-country access to customer data, and preventing service disruption (Annex II, 2.1(g)). At level 3, the provider and subcontractors must in principle not be under third-country control, with a derogation only where the Commission has designated an associated third country (Article 18). At level 4 there is no such derogation (Annex II, 4.1(g)). By excluding providers that could be compelled by a third country's law, the higher levels are designed to remove the situation in which a CLOUD Act order and the GDPR pull in opposite directions.

The associated-third-country test in Article 18 is itself partly a data-protection test. Among its cumulative conditions, a country must be covered by "a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679" and must have "no measures in place that enable it to exercise control over the cloud computing service provider in a way that would conflict with the requirements for lawful access to non-personal data" under Article 32 of the Data Act, nor measures to compel service disruption. Recital 61 adds that, in assessing adequacy, the Commission should examine "whether the adequacy decision applies generally to the third country as a whole or is limited to specific sectors or certified organisations" and whether its scope extends to the actual processing activities involved. In other words, a sectoral or partial adequacy mechanism would not automatically satisfy the level 3 route — a stricter posture than data-protection adequacy alone implies.

Procurement consequences

Article 29 would require Member States and Union entities to run risk assessments determining the appropriate level. Where an activity contributes to public order — NIS2 sectors, national security, defence, justice — Article 30(3) would require services recognised at levels 2, 3 or 4, effectively keeping standard US-hyperscaler offerings out of the most sensitive public-sector workloads, where CLOUD Act exposure is judged unacceptable.

Recital 64 ties this to the EU's broader public-order rationale and its international-trade posture. It records that the Union maintains "an open and non-discriminatory framework for market access", including under the WTO Government Procurement Agreement and bilateral agreements, but that it "retains the right ... to adopt or maintain measures necessary to protect public morals, order or safety", allowing "necessary and proportionate restrictions on access to public procurement procedures." Identifying and addressing risks such as "unauthorised access to Union data, technology leakage, sabotage and espionage by third-country actors" is, the recital says, "fundamental for preserving Union public order." The conflict between the CLOUD Act and EU data-protection law is thus presented not merely as a private compliance headache but as a public-order concern that justifies procurement-level safeguards — while CADA also commits to a baseline of level 1 across the Union to reduce public-sector exposure to "third country access to Union data and disruption of services."

What this means for you

For in-house counsel and compliance officers:

1. Procurement obligations. A public body or Union entity would run risk assessments (Article 29) and, for public-order activities, procure only services recognised at levels 2, 3 or 4 (Article 30) — verifying status in the Commission's central repository (Article 22) rather than choosing on price alone.

2. Verify sovereignty status. Level 1 rests on a self-assessed EU statement of conformity (Article 19); levels 2–4 require an independent audit (Article 20). Request the evidence. If your provider is a US hyperscaler, ask whether an EU entity exists that is genuinely separated from US control and at what level it is recognised. Reaching level 4 is hard for a provider subject to the CLOUD Act unless it can prove complete legal and operational separation from its US parent.

3. Contractual safeguards and transparency. Contract clauses cannot override § 2713, but they can govern notice and remedies. Providers must give transparency on subcontractors (Annex II, 1.1(f)) and, at higher levels, demonstrate controls to block remote features that could tamper with the service (Annex II, 2.1(i)). Monitor for material changes, which providers must report (Article 23).

4. Transition. Where a risk assessment requires a different service, Article 29(6) allows up to 12 months to migrate.

5. Penalties. Member States would set penalties for provider infringements of the sovereignty framework (Article 24); they must be effective, proportionate and dissuasive. Train procurement teams so a buyer's own procurement obligations are met.

Common misconceptions

The EU–US Data Privacy Framework solves the CLOUD Act conflict. The Data Privacy Framework provides a basis for transfers of personal data to certified US organisations for commercial purposes. It does not override a CLOUD Act disclosure order or remove government-access risk. (Note: CADA does not, in its recitals, name the Data Privacy Framework; the broader point is that CADA's sovereignty levels address operational autonomy and control, which an adequacy-type mechanism does not.)

Data localisation alone ensures sovereignty. The CLOUD Act reaches data in a provider's "possession, custody, or control" regardless of location. CADA's levels go beyond localisation to address legal and operational control; levels 3 and 4 require measures preventing third-country access and disruption.

CADA would ban all US providers. It would not. It is a tiered system. US providers could qualify at lower levels — for instance a US-linked provider established in the EU at level 1 — but levels 3 and 4 are difficult given the strict third-country-control criteria.

CADA would replace the GDPR. It would complement it, alongside instruments such as the Data Act and NIS2. CADA adds sovereignty and resilience requirements for cloud services, particularly in the public sector; it does not substitute for GDPR compliance.

This is general information about a draft EU regulation, not legal advice.