The operation of the CLOUD Act in data storage in Europe

The operation of the CLOUD Act in data storage in Europe

GreenbergTraurig has assessed the scope of the US CLOUD Act on commission by the Dutch government. The CLOUD Act applies to EU entities that process data outside of the US, even if the EU entities are located outside of the US. To completely avoid being subject to the CLOUD Act, an EU entity would need to process data using a non-U.S. entity, which either does not have a corporate relation to any company with a presence in the US (such as a U.S. subsidiary) or if it does have a corporate relationship with a company based in the US, the US company must not have possession, custody, or control over the data that is stored in the EU.

the CLOUD Act may also reach data via sub-contractors/providers of hardware and software from/to cloud providers. As an example, if Microsoft uses Cisco routers and Cisco has access to data from EU customers/data subjects via these routers, this will also need to be adressed.

Read the Dutch blogpost on the matter.

https://www.ncsc.nl/documenten/publicaties/2022/augustus/16/cloud-act-memo