Summary
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) compels providers subject to US jurisdiction to produce stored communications and records on valid US legal process, "regardless of whether" the data is located inside or outside the United States (18 U.S.C. § 2713). For EU buyers, that means a US-controlled provider can be obliged to hand over data held in an EU data centre. The proposed Cloud and AI Development Act (CADA) is, in part, a response to this kind of extraterritorial reach: recital 48 says vendor "sovereign" editions do not solve it, and CADA's higher Union assurance levels (Article 16) would require freedom from coercive third-country control. CADA is a proposal and not yet in force.
Detail
The US CLOUD Act (officially the Clarifying Lawful Overseas Use of Data Act) was enacted in 2018 as Division V of the Consolidated Appropriations Act, 2018 (Pub. L. 115-141). It amends the Stored Communications Act (chapter 121 of title 18, U.S. Code) to resolve long-standing disputes over cross-border access to data.
Core obligation on providers
The central provision is 18 U.S.C. § 2713: "A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
In other words, where a provider is subject to US jurisdiction (typically by being incorporated there or having a sufficient US presence), it must respond to US legal process even if the data sits on servers in Frankfurt, Dublin or elsewhere in the EU. The physical location of the data does not, by itself, defeat the US obligation. Note the scope of the mandate: it attaches to material "within such provider's possession, custody, or control", so what a provider can be made to produce is whatever it actually holds or can access, wherever that is.
The Act was passed against a specific backdrop. Its congressional findings record that US law-enforcement efforts "are being impeded by the inability to access data stored outside the United States that is in the custody, control, or possession" of providers subject to US jurisdiction, and that providers "face potential conflicting legal obligations" when a foreign government orders production of data that US law may forbid them to disclose (and vice versa). Section 2713 resolves that uncertainty in favour of disclosure obligations attaching to the provider regardless of storage location, which is precisely what makes it an extraterritorial measure from the EU's perspective.
Comity analysis and executive agreements
The Act also created a "comity analysis" mechanism, inserted as 18 U.S.C. § 2703(h). A provider may move to quash or modify legal process where it "reasonably believes" that the customer or subscriber is not a US person and does not reside in the US, and that disclosure would create "a material risk that the provider would violate the laws of a qualifying foreign government". The motion must be filed within 14 days of service unless the government agrees to, or the court grants, an extension. A court may modify or quash only where it finds that disclosure would cause the provider to violate that government's laws, that the interests of justice so dictate, and that the subscriber is not a US person and does not reside in the US.
A "qualifying foreign government" is one with which the US has an executive agreement in force under 18 U.S.C. § 2523. Such agreements require the foreign government to afford "robust substantive and procedural protections for privacy and civil liberties", to adhere to international human-rights commitments, and to subject orders to independent review or oversight, among other conditions. The agreements run on a reciprocal basis and are reviewed at least every five years.
Two limits of the comity mechanism are important for EU buyers. First, the right to move to quash on conflict-of-law grounds is, by the statute's own terms, "the sole basis for moving to quash on the grounds of a conflict of law related to a qualifying foreign government", and it is only available where a qualifying executive agreement exists. Where the EU or the relevant Member State has no such agreement in force, that route is unavailable. Second, even where it applies, the court weighs a list of comity factors, including "the interests of the United States, including the investigative interests of the governmental entity", "the nature and extent of the provider's ties to and presence in the United States", and "the importance to the investigation of the information", so the outcome is discretionary, not a guaranteed shield. The structural exposure under § 2713 therefore remains, which is the heart of the EU's concern.
Link to CADA
The EU's proposed Cloud and AI Development Act (CADA) is, in part, a legislative response to risks of this kind. Recital 48 identifies the problem: "Cloud computing service providers have launched tailored versions of their service offerings in response to the Union's growing concerns over sovereignty. However, those versions do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service. Consequently, the Union will not ensure autonomy or control over its data, assets and digital infrastructure."
To counter this, Article 16 establishes a Union cloud computing sovereignty framework of four Union assurance levels, with criteria in Annex II. The criteria are intended to ensure that recognised services cannot be compelled by third-country laws to give access or to disrupt continuity. At Union assurance levels 3 and 4, the provider and its relevant subcontractors must in principle not be subject to the control of a third country or of a legal entity established in a third country (Annex II, 3.1(g), 4.1(g)). The level 3 criteria allow a narrow derogation only where the Commission has designated an associated third country (Article 18); level 4 allows none.
Because a provider subject to US jurisdiction is exposed to the § 2713 mandate, it would, under CADA's framework as proposed, find it difficult to reach the highest assurance levels unless it could demonstrate effective legal and technical separation from its US-controlling entity, a demanding test given the statute's extraterritorial design. For an EU-incorporated subsidiary of a US group, Annex II points 2.1(k) and 3.1(k) would additionally require demonstrating "effective legal, technical and organisational separation" between the Union parent or operations and any third-country subsidiary, reinforcing that corporate form alone does not sever the controlling jurisdiction's reach.
It is also worth noting what CADA does not do: it does not, and could not, repeal or override § 2713. The proposal works on the EU side of the relationship, by defining which services Union public bodies may procure, rather than by changing US law. Recognition is conferred by a national competent authority (Article 17) and recorded in a central repository (Article 22), so a buyer can check a provider's verified status instead of relying on assurances about how a US order might play out.
What this means for you
For in-house counsel and compliance officers:
- Identify US-jurisdiction exposure. Determine whether your providers are subject to US jurisdiction: the parent's place of incorporation and the group's US presence matter, not the location of the data centre. If so, they are bound by § 2713 to disclose data on valid US legal process, even for data held in the EU.
- Understand what technical controls can and cannot do. Because the mandate reaches data "within such provider's possession, custody, or control", a provider can only be made to produce what it holds. Encrypting data with keys the provider never holds (customer-managed keys kept outside the provider's environment) limits what a compelled provider can produce to ciphertext, but it does not remove the legal obligation, and many managed services need plaintext access to function at all. Treat such controls as a scoping measure, not as a substitute for the structural separation CADA is aiming at.
- Prepare for CADA's requirements. As proposed, public bodies and NIS2-scope entities would run risk assessments (Article 29) to set the required level; public-order activities would require levels 2, 3 or 4 (Article 30).
- Evaluate associated third countries. Article 18 lets the Commission designate third countries whose providers may be audited for level 3, but only where the country meets cumulative conditions including a GDPR adequacy decision and the absence of measures enabling control that conflicts with lawful-access rules or compels disruption. The criteria are stringent.
- Mind the limits of contractual safeguards. Contract clauses cannot override a statutory disclosure mandate. Under CADA, for higher levels, structural and legal separation from third-country control, not contract language, is what counts.
- Track designations and changes. If the Commission designates an associated third country for level 3, it must repeal, amend or suspend that designation should the country stop meeting the conditions (Article 18(2)), and providers must report material changes affecting their recognition (Article 23). Treat a provider's sovereignty status as something to monitor, not a one-off check at procurement.
Common misconceptions
- "If we store data in the EU, US authorities cannot reach it." Under § 2713, the data's location is irrelevant where the provider is subject to US jurisdiction.
- "GDPR compliance blocks CLOUD Act requests." The two can conflict; the CLOUD Act compels disclosure while EU law restricts third-country transfers and access. GDPR Article 48, for example, treats a third-country order as enforceable only where it rests on an international agreement such as a mutual legal assistance treaty, which leaves a provider facing a US order and no such agreement caught between the two regimes. That tension is exactly why CADA pursues sovereignty as something distinct from data-protection compliance.
- "CADA would ban all US providers." It would not. It sets a tiered framework. US providers could serve EU customers at lower levels, but reaching levels 2 to 4, and especially 3 and 4, would require demonstrating separation from US jurisdictional reach, which is difficult under current US law.
Related
- Which CADA sovereignty tier protects against the US CLOUD Act?
- CLOUD Act vs FISA 702: the difference and what CADA does about it
- How does the US CLOUD Act conflict with EU data protection law under CADA?
- How CADA cloud sovereignty interacts with the EU Data Act
- Why is cloud sovereignty important for critical infrastructure? CADA
This is general information about a draft EU regulation, not legal advice.