The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US law enacted in March 2018 that requires US-based technology companies to produce data they hold for US legal process, regardless of where the data is physically stored. Resolved the legal ambiguity that produced United States v. Microsoft Corp. (the “Microsoft Ireland” case) by codifying that the storage location is irrelevant to the obligation if the company is US-incorporated.
What it means in practice
The CLOUD Act has two operational consequences. First, US providers (Apple, Google, Microsoft, Amazon, Meta, plus all the smaller US-incorporated services) cannot use “the data is stored in Ireland” as a defense against US subpoenas; the data comes back regardless. Second, the bilateral framework provisions allow the US to negotiate “executive agreements” with partner countries letting their law enforcement request data from US providers directly, bypassing the slow MLAT process. The UK signed in 2019 (in force 2022); Australia signed in 2021; the EU framework negotiations have been on and off since 2019. For non-US persons abroad, the bilateral agreements are the more concrete change: foreign police can now reach US-held data on you directly.
Who it affects, and how
Anyone whose data sits with a US-incorporated provider, anywhere on Earth. That is most of the consumer internet: Gmail, iCloud, Microsoft 365, Dropbox, Slack, Zoom, GitHub, AWS-hosted services. The CLOUD Act does not change US legal standards for issuing the subpoena (still warrant-required for content, subpoena-sufficient for metadata). It changes whether the request reaches the data. For a journalist with a foreign source whose communications transit Gmail, the CLOUD Act means a US warrant served on Google retrieves content stored on a German Google data center. For an EU citizen using iCloud, the CLOUD Act means US legal process reaches that data without going through European data-protection authorities first.
What you can change today
The structural answer is jurisdiction selection. For sensitive content, choose providers incorporated outside the United States: Proton (Switzerland), Tutanota (Germany), Mailbox.org (Germany), Olvid (France), Tresorit (Switzerland), Mega (New Zealand). The CLOUD Act does not extend US legal authority over Swiss-incorporated Proton or German-incorporated Tutanota. They have their own jurisdictional exposures (Swiss MLAT, German Telecommunications Act), but the legal pathway is different and slower than a US subpoena. For metadata that must transit US infrastructure, route through end-to-end encrypted layers so the producible content is ciphertext.
