Why Your European Business Is Probably Breaking GDPR Law Right Now

TL;DR

European laws and American laws conflict in a way that makes it practically illegal for European companies to use American services to store sensitive data. Europe seems to put the rights of the individual at the core of its laws, whereas the United States of America seems to put intelligence gathering above all else. This creates an impossible situation for European actors whenever they use a service with significant participation from a US company, even when it is hosted in Europe.

The cloud services you use every day could expose you to millions in fines

If your European company uses Microsoft 365, Amazon Web Services, Google Cloud, or most other popular cloud services, you may be violating the EU’s General Data Protection Regulation (GDPR)—even if you’ve done everything your cloud provider told you to do.

This isn’t hyperbole or fear-mongering. It’s the reality created by a fundamental conflict between American surveillance laws and European privacy protections—a conflict that puts European businesses in an impossible position.

The Problem Hiding in Plain Sight

Over 75% of European companies rely on American cloud services for critical business functions: email and productivity tools, customer databases, accounting systems, file storage, and much more. These services are convenient, feature-rich, and often industry standard.

But there’s a catch—a legal trap that most businesses don’t see until it’s too late.

The United States CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018, gives American law enforcement agencies the power to compel U.S.-based tech companies to hand over data stored anywhere in the world. The law was Congress’s direct response to the “Microsoft Ireland” case, where Microsoft fought a warrant for emails stored in a Dublin datacenter—and initially won. Rather than accept that data location mattered, Congress simply changed the law to assert jurisdiction over any data controlled by U.S. companies, regardless of where it physically resides. That means even if your data is physically stored in a European datacenter, if an American company controls it, U.S. authorities can access it.

But the CLOUD Act is just one piece of the puzzle. Section 702 of the Foreign Intelligence Surveillance Act (FISA), originally part of the PATRIOT Act and reauthorized multiple times since, authorizes U.S. intelligence agencies like the NSA to conduct mass surveillance of non-U.S. persons’ communications without individualized warrants. This means that if you’re a European citizen or business, your data can be collected and analyzed by U.S. intelligence agencies simply because it passes through systems controlled by American companies—no suspicion of wrongdoing required.

Even more concerning is Executive Order 12333, a Reagan-era directive that operates entirely outside FISA’s already-limited oversight framework. EO 12333 authorizes U.S. intelligence agencies to collect signals intelligence on non-U.S. persons abroad with virtually no judicial review or meaningful limitations. Unlike FISA Section 702, which at least involves the Foreign Intelligence Surveillance Court, EO 12333 surveillance is conducted under executive authority alone.

These surveillance programs aren’t theoretical constructs—they’re operational systems with codenames you may recognize from the 2013 Snowden revelations: PRISM (direct collection from tech companies’ servers) and UPSTREAM (interception of internet traffic at network backbone level). Together, these programs enable bulk collection of communications data, sweeping up everything from business emails to file transfers, not through targeted warrants but through systematic mass surveillance.

The implications are profound: your customer emails, financial records, and business communications stored in Microsoft 365 or AWS can be swept up in these intelligence collection programs. U.S. law explicitly provides weaker protections for non-U.S. persons than for American citizens, and companies are often prohibited from disclosing these surveillance requests through gag orders.

The physical location of your data is irrelevant under U.S. law—what matters is who controls the company.

Why This Violates GDPR

The European Union’s GDPR, in effect since 2018, takes the opposite approach. It treats data protection as a fundamental right and strictly controls when personal data can be transferred outside the EU or accessed by foreign governments.

Here’s where the conflict becomes irreconcilable:

  • The CLOUD Act says: U.S. companies must disclose data to U.S. authorities regardless of where it’s stored
  • GDPR Article 48 says: Foreign government orders should go through international agreements, not direct orders to companies
  • U.S. law imposes: Gag orders preventing companies from telling customers their data was accessed
  • GDPR requires: Transparency about who accesses data and notification to data subjects

These aren’t minor technical differences. They’re fundamentally opposed legal principles. No contract can resolve this conflict because contracts can’t override statutory law.

The Schrems II Wake-Up Call

To understand the current legal landscape, we need to briefly look back. In 2013, Edward Snowden’s revelations exposed the scope of U.S. surveillance programs (PRISM, UPSTREAM, and others), shocking the world and particularly alarming European privacy advocates. Two years later, in Schrems I (2015), the EU’s highest court invalidated the “Safe Harbor” framework that had facilitated EU-US data transfers for 15 years, finding that U.S. surveillance laws didn’t adequately protect Europeans’ rights.

Companies scrambled to rely on Standard Contractual Clauses (SCCs) instead. But that solution proved temporary.

In July 2020, the Court of Justice of the European Union issued a landmark ruling known as “Schrems II” (named after Austrian privacy activist Max Schrems, who had challenged Facebook’s data transfers for over a decade).

The Court invalidated the “Privacy Shield” framework—Safe Harbor’s replacement—that thousands of companies had relied on for EU-US data transfers. More significantly, it ruled that even Standard Contractual Clauses—the backup mechanism companies now use—are insufficient when the recipient country’s laws allow government access that undermines GDPR protections.

Translation: The Court said U.S. surveillance laws (including the CLOUD Act and PATRIOT Act) don’t meet European privacy standards, making data transfers to the U.S. illegal without additional safeguards—safeguards that often don’t exist or aren’t effective.

The Consequences Are Real

This isn’t a theoretical concern. European data protection authorities are actively enforcing against companies using U.S. cloud services:

  • Austria’s DPA ruled that using Google Analytics violates GDPR due to U.S. government access risks [https://www.schoenherr.eu/content/landmark-decision-in-austria-use-of-google-analytics-found-to-breach-gdpr]
  • France’s CNIL reached a similar conclusion and is investigating Microsoft 365 [https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989]
  • Hamburg’s DPA ordered a company to stop using Mailchimp [https://www.eyeonprivacy.com/2021/04/bavarian-dpa-sccs-email-service/] [https://www.edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf]
  • Multiple authorities are scrutinizing AWS, Azure, and other major U.S. cloud providers [https://www.ciodive.com/news/eu-regulators-launch-cloud-market-probes/805841/] [https://www.techrepublic.com/article/news-europe-cloud-market-investigations/]

The financial stakes are severe:

  • GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher
  • Amazon received a €746 million fine (though for different GDPR violations)
  • Smaller companies have been fined six-figure sums that threaten their survival
  • Litigation from data subjects is increasing, with class actions emerging

Beyond fines, companies risk:

  • Orders to suspend data processing (which could shut down operations)
  • Reputational damage as privacy-conscious customers choose competitors
  • Lost business when procurement requires GDPR compliance
  • Reduced valuation when investors or acquirers conduct due diligence

Who Is Affected?

If you’re thinking “this doesn’t apply to us,” think again. The scope is broader than most realize:

Affected services include:

  • Microsoft 365 / Office 365
  • Google Workspace (formerly G Suite)
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Google Cloud Platform
  • Salesforce
  • Slack
  • Zoom
  • Dropbox
  • Datadog
  • Okta/Auth0
  • Most popular SaaS applications

Affected data includes:

  • Customer names, addresses, and contact information
  • Employee HR records and performance reviews
  • Email and internal communications
  • Financial records and transactions
  • Health information (especially risky)
  • Any personal data processed through these systems

Affected organizations include:

  • Companies of all sizes (SMEs to large enterprises)
  • Every sector (though healthcare and finance face heightened risks)
  • Even companies that selected “EU datacenters” for data residency
  • Organizations that signed Standard Contractual Clauses
  • Businesses that completed “privacy impact assessments”

The critical point: If an American company controls the service, U.S. law applies to the data—no matter where the servers are located.

What About the New EU-US Data Privacy Framework?

In July 2023, the European Commission adopted a new “EU-US Data Privacy Framework” to replace the invalidated Privacy Shield. To understand what this means, you need to know that under GDPR, transferring personal data to countries outside the EU is restricted unless the destination country receives an “adequacy decision”—the Commission’s determination that the country provides data protection “essentially equivalent” to EU standards. An adequacy decision allows data to flow freely without additional safeguards, making it highly valuable for businesses.

The new framework represents the Commission’s third attempt at such a decision for the United States (after Safe Harbor and Privacy Shield). Doesn’t that solve the problem?

Not likely. Privacy advocates, including Max Schrems, have already filed challenges arguing that the new framework suffers from the same fundamental flaws as its predecessors:

  • U.S. surveillance authorities (Section 702 of FISA, Executive Order 12333) remain largely unchanged
  • Protections for non-U.S. persons are still weaker than for Americans
  • The new redress mechanism (Data Protection Review Court) may not meet EU standards
  • Executive orders can be revised or reversed by future administrations

Most legal experts expect this framework to eventually be invalidated too—potentially creating “Schrems III.” Until then, using the framework involves accepting legal risk.

The False Security of “Data Localization”

Many companies believe they’ve solved the problem by choosing cloud providers that store data in European datacenters. Marketing materials emphasize “data sovereignty” and “EU-only regions.”

This is misleading.

Data location addresses where data is stored. But GDPR’s concern is who can access it and under what legal framework. The CLOUD Act makes clear that U.S. jurisdiction follows the company, not the data.

Example: Microsoft’s “EU Data Boundary” initiative keeps data within Europe for certain services. Impressive from a technical standpoint. But Microsoft is still a U.S. company subject to CLOUD Act orders. The boundary addresses data residency but not legal jurisdiction.

So What Should European Companies Do?

The situation is challenging, but not hopeless. Here are practical steps:

Immediate Actions (Next 30 Days)

  1. Inventory your cloud services - List every cloud and SaaS provider you use
  2. Identify U.S.-jurisdictional providers - Check where each company is headquartered and who the parent company is
  3. Classify your data - Determine which data is most sensitive (health data, financial info, employee records)
  4. Understand your exposure - Calculate potential fines (4% of global turnover)

Short-Term Actions (3-6 Months)

  1. Conduct Transfer Impact Assessments - GDPR requires evaluating each data transfer to third countries
  2. Document everything - Even if you can’t immediately fix issues, documentation demonstrates due diligence
  3. Evaluate alternatives - Research European cloud providers (OVHcloud, Hetzner, Scaleway, Clever Cloud, etc.)
  4. Implement supplementary measures - Encryption, pseudonymization, access controls (though these have limitations)

Medium-Term Actions (6-18 Months)

  1. Develop a migration plan - Prioritize migrating your most sensitive data first
  2. Consider hybrid architecture - Use EU providers for critical data, U.S. services for lower-risk processing
  3. Update contracts - Ensure you have the latest Standard Contractual Clauses (2021 version)
  4. Train your team - Make sure decision-makers understand the risks

Long-Term Strategy

  1. Build compliance into procurement - Establish vendor selection criteria that prioritize GDPR compliance
  2. Stay informed - Monitor enforcement trends and legal developments
  3. Consider competitive advantage - Being truly GDPR-compliant can differentiate you from competitors

The Honest Truth

Here’s what many compliance consultants won’t tell you: There is currently no fully compliant way to use most American cloud services for processing significant amounts of European personal data—unless you implement end-to-end encryption where the provider has no access to the plaintext data.

Standard Contractual Clauses, while legally required, don’t change U.S. law. “Supplementary measures” help around the edges but can’t prevent a government with legal authority from compelling disclosure.

Your options are essentially:

  • A) Migrate to non-U.S. providers - Increasingly the only truly compliant path
  • B) Use technical measures that prevent provider access - End-to-end encryption, but this limits functionality
  • C) Accept the legal risk - Document your assessment and hope enforcement doesn’t reach you
  • D) Wait for political solution - May take years, and previous frameworks were invalidated
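Option B, and the "supplementary measures" mentioned in the short-term actions above, boil down to one engineering property: the provider must hold only ciphertext and pseudonyms, with the keys kept under the customer's own control. The following Go program is an added illustration of that property and is not code from the original article or from any cloud provider. It assumes a hypothetical customer-side key store (`Vault`, standing in for an EU-controlled KMS or HSM) and uses a constructed sample record; record data is encrypted client-side with AES-256-GCM and the lookup identifier is replaced by an HMAC-SHA256 pseudonym, so what reaches the provider is indexable but not readable, and a disclosure order served on the provider yields nothing in plaintext. The `ProviderCanRead` check is the test a reviewer would run against the stored object.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Record is a constructed sample of personal data a European business
// might keep in a third-country cloud service.
type Record struct {
	Email string `json:"email"`
	Notes string `json:"notes"`
}

// StoredObject is everything the provider receives: a keyed pseudonym in
// place of the identifier, and AES-GCM ciphertext in place of the record.
type StoredObject struct {
	PseudonymID string
	Nonce       []byte
	Ciphertext  []byte
}

// Vault holds the keys on the customer side (hypothetical stand-in for an
// EU-controlled KMS/HSM). The provider never receives these bytes.
type Vault struct {
	dataKey      []byte // 32 bytes: AES-256-GCM
	pseudonymKey []byte // HMAC-SHA256 key for pseudonymising identifiers
}

// NewVault generates fresh random keys.
func NewVault() (*Vault, error) {
	v := &Vault{dataKey: make([]byte, 32), pseudonymKey: make([]byte, 32)}
	if _, err := rand.Read(v.dataKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(v.pseudonymKey); err != nil {
		return nil, err
	}
	return v, nil
}

func (v *Vault) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Pseudonymize maps an identifier to a keyed hash usable as a storage key.
// A keyed MAC, not a plain hash, so the provider cannot reverse the mapping
// by hashing guessed e-mail addresses.
func (v *Vault) Pseudonymize(identifier string) string {
	mac := hmac.New(sha256.New, v.pseudonymKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// Seal encrypts a record client-side. The pseudonym is passed as GCM
// associated data, binding each ciphertext to its index entry so objects
// cannot be silently swapped between identities.
func (v *Vault) Seal(r Record) (StoredObject, error) {
	aead, err := v.gcm()
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	plaintext, err := json.Marshal(r)
	if err != nil {
		return StoredObject{}, err
	}
	id := v.Pseudonymize(r.Email)
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	return StoredObject{PseudonymID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an object fetched back from the provider; any change to the
// ciphertext, nonce or pseudonym makes authentication fail.
func (v *Vault) Open(obj StoredObject) (Record, error) {
	aead, err := v.gcm()
	if err != nil {
		return Record{}, err
	}
	plaintext, err := aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.PseudonymID))
	if err != nil {
		return Record{}, err
	}
	var r Record
	err = json.Unmarshal(plaintext, &r)
	return r, err
}

// ProviderCanRead reports whether anything the provider holds contains the
// given plaintext value.
func ProviderCanRead(obj StoredObject, value string) bool {
	n := []byte(value)
	return bytes.Contains(obj.Ciphertext, n) || bytes.Contains([]byte(obj.PseudonymID), n)
}

func main() {
	vault, _ := NewVault()
	rec := Record{Email: "anna@example.eu", Notes: "allergy: penicillin"} // constructed sample
	obj, _ := vault.Seal(rec)
	fmt.Printf("provider holds id=%s... %d ciphertext bytes, readable=%v\n",
		obj.PseudonymID[:12], len(obj.Ciphertext), ProviderCanRead(obj, rec.Email))
	back, err := vault.Open(obj)
	fmt.Printf("customer recovers %+v (err=%v)\n", back, err)
}
```

The limitation the article names still applies: the provider can store, replicate and return these objects, but cannot search, sort or render their contents, so every feature that depends on the provider reading the data (full-text search, server-side analytics, mail filtering) is lost. Key management is also now the customer's problem; if the data key is handed to a US-jurisdiction KMS, the property above disappears.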

Most businesses currently follow option C, often without realizing it. But data protection authorities are becoming more active, and “everyone’s doing it” isn’t a legal defense.

Why This Matters Beyond Compliance

This is about more than avoiding fines. It’s about:

  • Trust: Customers entrust you with their personal data
  • Values: Whether European businesses can maintain European standards
  • Sovereignty: Europe’s ability to protect its residents’ privacy rights
  • Competition: Not being locked into providers who create legal risk

Get the Complete Guide

This article barely scratches the surface. The issues are complex, the stakes are high, and the “right” answer depends on your specific situation.

We are working on a comprehensive guide that covers:

  • Detailed explanation of U.S. surveillance laws
  • Chapter-by-chapter GDPR requirements
  • Risk assessment frameworks for your business
  • Comparison of alternative cloud providers
  • Step-by-step compliance checklists
  • Templates for Transfer Impact Assessments
  • Migration strategies and timelines

Fill in the form to be notified when the guide is released.

About This Guide

This guide is developed by analyzing the full text of the CLOUD Act, PATRIOT Act, GDPR, and related court decisions. It’s intended as educational material to help European businesses understand their legal obligations and risks.

Important disclaimer: This article and the accompanying guide provide general information and do not constitute legal advice. For decisions involving significant legal or financial risk, consult qualified legal counsel familiar with data protection law in your jurisdiction.


Key Takeaways

✓ The CLOUD Act gives U.S. authorities access to data controlled by U.S. companies regardless of location
✓ This fundamentally conflicts with GDPR’s requirements for protecting European personal data
✓ The Schrems II decision established that current transfer mechanisms are often insufficient
✓ Data protection authorities are actively enforcing, with fines up to 4% of global turnover
✓ “Data localization” in European datacenters doesn’t solve the jurisdiction problem
✓ Most European businesses using U.S. cloud services face compliance gaps
✓ Migration to European alternatives is increasingly necessary for true compliance
✓ The new EU-US Data Privacy Framework faces legal challenges and may not survive

The bottom line: If you’re a European business using American cloud services to process personal data, you need to understand these issues now—before an enforcement action forces you to address them in a crisis.


For media inquiries, speaking engagements, or to request personalized support, contact: contact@please-open.it


Last updated: January 2026