
IT Lexicon

Cloud Act

The Cloud Act, or Clarifying Lawful Overseas Use of Data Act, is a U.S. federal law passed on March 23, 2018, allowing U.S. authorities to conduct investigations by ordering electronic communication service providers and cloud service providers to collect, retain, and disclose the content of electronic messages and any other personal data or metadata relating to a customer or subscriber in their possession.

The Cloud Act is intended to apply extraterritorially, regardless of whether the information sought by U.S. authorities is hosted inside or outside the United States.

This text may therefore be in direct conflict with the application of the GDPR, especially in the territory of the European Union.

Indeed, the GDPR expressly provides that any decision of a court or administrative authority requiring a controller or processor subject to the GDPR to transfer or disclose personal data can only be recognized or enforced if it is based on an international agreement, which is not the case for requests resulting from the application of the Cloud Act by the American authorities.

Furthermore, the infringements of the privacy of the data subjects whose data are processed by the companies following a request from the authorities based on the Cloud Act are disproportionate to the requirements of the European Charter of Fundamental Rights. In particular, the remedies, including judicial remedies, available to data subjects in relation to the processing of their data are insufficient.

Accordingly, the application of the Cloud Act by controllers or processors falling within the scope of the GDPR may constitute a violation of the GDPR.

GDPR Point


“Timely access to electronic data held by communications service providers is a critical component of the government’s efforts to protect public safety and combat serious crime, including terrorism.

These U.S. government efforts are hampered by the inability to access data stored outside the United States that is in the custody, control, or possession of communication service providers subject to U.S. jurisdiction.”

Cloud Act, Section 2.1 to 2.2.

Point of jurisprudence

The Administrative Court of Wiesbaden (Germany) considered that “under the Cloud Act, U.S. government agencies could request personal data from U.S. companies unilaterally, without a court order and without a mutual legal assistance agreement. This is in contradiction with Articles 7, 8, 11 and 52 (1) of the Charter of Fundamental Rights of the European Union and the interpretation of these norms by the ECJ, according to which official access to traffic data is only allowed in case of suspicion of a serious crime and is subject to the reservation of a judge or an independent authority. The American legal situation, on the other hand, allows for the initial suspicion of any crime. Thus, the Respondent, as a controller, exposed the Petitioner’s personal data to the risk of unauthorized access, which constituted a breach of confidentiality within the meaning of Article 32(1)(b) of the GDPR.”

Verwaltungsgericht Wiesbaden, December 1, 2021, No. 6 L 738/21.WI

The Bouchara law firm assists you in particular in:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter…);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.