CLOUD Act: what is it, and how does it affect cybersecurity?

Sara Ana Cemazar
December 19, 2023

The conflict between privacy rights and state access to information has become a focal point of legal and ethical arguments in an era when data is important.

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, a law with far-reaching repercussions for individuals and organizations, is a crucial factor in this ongoing debate.

This law changes the game for how data is handled across borders, impacting our privacy and cybersecurity.

In this blog post, let's explore what the CLOUD Act is, what it allows or restricts, and why it clashes with another big player, the GDPR. We'll also look into the details to see how this affects everyone, especially those in the EU who use US-based tools. 

What is the CLOUD Act?

The CLOUD Act revises the Electronic Communications Privacy Act (ECPA), which governs how law enforcement agencies in the United States may request information kept by certain technological businesses, including cloud service providers.

The CLOUD Act, enacted in 2018, was introduced in response to the difficulties law enforcement experienced in accessing data kept abroad, particularly in the context of modern cloud computing. The Act allows a U.S. law enforcement order filed under the Stored Communications Act (SCA) to reach specified data located in other countries.


At a time when existing law enforcement tools and privacy laws are clearly limited in responding to requests for evidence in the age of cloud computing, the CLOUD Act establishes a set of processes and procedures. It aims to give US law enforcement tools for working with other nations to share electronic evidence.

Therefore, the CLOUD Act allows the US government to access personal data located in data centers all over the world. However, there is a caveat: the law only applies to companies established in the United States. It must be followed by all web giants, including their European branches. 

Owing to its character, this act has raised concerns about the extraterritorial reach of US law and its potential conflicts with the data protection laws of other countries.

What is and isn’t permitted under the US CLOUD Act

Let's assess the reach of the CLOUD Act:

What is permitted:

  • Only for criminal investigations: The act restricts the use of collected data to criminal investigations, stressing its usage in law enforcement scenarios.
  • Warrants: Any data request must be supported by a comprehensive warrant that describes the information sought. An impartial court must approve the warrant, assuring a comprehensive review of probable cause relating to a specific offense.
  • Preservation of provider rights: Providers have the ability to dispute orders under common law through "comity challenges" if the request violates the laws of another country.
  • Prosecutor advice: The Act instructs prosecutors to obtain data directly from company customers wherever possible and without jeopardizing investigations.
  • Bilateral agreements: Under the CLOUD Act, certain foreign countries may enter into bilateral agreements with the United States. This provision allows these governments to make direct law enforcement requests to the United States, eliminating the necessity for a mutual legal assistance treaty.

What's not permitted:

  • No new legal authority: The act does not offer new legal authority to US law enforcement to acquire data; instead, it emphasizes the preservation of existing legal frameworks.
  • Limitations on jurisdiction: It does not enhance US courts' jurisdiction over corporations or change the need for the US to have personal jurisdiction over a firm in order to request data.
  • Preservation of fundamental requirements: The CLOUD Act preserves the core constitutional and statutory conditions that US law enforcement must follow.
  • Warrant scope restriction: The Act does not alter or expand the historical scope of warrants issued under US law. It expressly forbids indiscriminate or mass data collection.
  • National security considerations: Government access to data is allowed only when necessary to advance legitimate national security objectives. Such access must not disproportionately impact the protection of individual privacy and civil liberties.

What’s all the fuss about CLOUD vs. GDPR

The conflict between the US CLOUD Act and the European General Data Protection Regulation (GDPR) has caused considerable controversy, particularly among US-based firms working in the European Union. 

The basis of the issue is the conflicting demands placed on the handling of client data by these two regulations.

  • The CLOUD Act places US-based firms operating in the EU in a bind. The law requires them to submit consumer data to US authorities if requested, even if it means breaking the GDPR, which exists to defend individuals' privacy and control over their data. 

On the other hand, GDPR puts stringent restrictions on enterprises in terms of personal data processing, storage, and transfer. The clash intensifies as the CLOUD Act, driven by US interests, places these interests above foreign laws, including the robust safeguards outlined in the GDPR.

  • As stated in Article 6 of the GDPR, each data transfer must have a legitimate reason in accordance with GDPR principles.

In contrast, the CLOUD Act departs from this requirement by allowing the transmission of personal data without the need for a Mutual Legal Assistance Treaty (MLAT), which is deemed essential under the GDPR.


The primary contentions raised by the disagreement between the CLOUD Act and the GDPR are those related to data storage and accountability.

With the CLOUD Act allowing US authorities to access data kept globally by US-based service providers, EU residents' data may be vulnerable to monitoring without their explicit agreement, violating GDPR principles. 

This disagreement has serious consequences for businesses that rely on cloud services for data storage, communication, and collaboration.

Who does the CLOUD Act affect in Europe?

The impact of the CLOUD Act is not limited to a specific industry or sector. Instead, it affects every organization using US-based communication tools for internal or customer communication. As these tools often rely on cloud infrastructure, the potential for cross-border data access under the CLOUD Act introduces uncertainties and risks.

Compliance with the GDPR is not just a legal requirement but a responsibility toward customers. Companies persisting in the use of cloud services from US providers find it challenging to ensure GDPR compliance, raising both legal and trust-related concerns. 

This dilemma may prompt organizations to reconsider their data management practices, seeking alternatives that prioritize data protection, sovereignty, and compliance with European regulations.

However, one thing is clear: businesses must adopt solutions that not only meet communication needs but also align with the robust data protection standards outlined by the GDPR. 

As the digital landscape evolves, a strategic shift towards European software becomes paramount for organizations intent on safeguarding customer trust and navigating the complexities of global data governance.

Staying compliant with GDPR

In light of the challenges posed by the CLOUD Act and its clash with GDPR, organizations must take proactive measures to safeguard data privacy and maintain compliance.

Rocket.Chat, an open-source team communication platform, offers a solution for organizations seeking GDPR-compliant communication tools. By self-hosting Rocket.Chat, organizations gain greater control over their data and can ensure that it adheres to the principles of GDPR. This strategy enables enterprises to manage their communication infrastructure in accordance with EU data protection rules.

Self-hosting allows enterprises to create and implement their own security protocols, ensuring that data remains within GDPR guidelines. While this solution necessitates a larger initial investment in infrastructure and upkeep, it provides a level of control and assurance that may exceed the risks involved with depending on third-party cloud services.


Sara is an SEO Strategist at Rocket.Chat. She is passionate about topics around digital transformation, workplace experience, open source, and data privacy and security.