CLOUD Act and FISA 702

The CLOUD Act and FISA 702 are U.S. laws that can create data protection and privacy risks when European organizations use U.S. cloud services.

This text is automatically translated for your convenience.

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) and FISA 702 (Foreign Intelligence Surveillance Act, Section 702) are U.S. laws that can create data protection and privacy risks when using U.S. cloud services.

Both laws can affect companies and organizations outside the United States, including European organizations that handle sensitive data such as personal data and patient data.

In practice, this can mean that a European organization using U.S. cloud services may be exposed to requests or surveillance from U.S. authorities. That can create legal uncertainty and potential conflicts with GDPR, especially when data is sensitive or when the organization needs to demonstrate control over where data is processed and who can access it.

By using a Swedish or European cloud provider, organizations can reduce their dependence on U.S. jurisdiction and improve their ability to meet requirements for data protection, compliance and digital sovereignty.

CLOUD Act

The CLOUD Act gives U.S. law enforcement authorities a way to require access to cloud data, regardless of where the data center is located. This means that if a European company uses a U.S. cloud service provider, the provider may in some situations be required to disclose customer data to U.S. authorities, even if the data is stored within the EU.

This can create conflicts with EU data protection rules, such as GDPR, which are intended to protect individuals’ right to privacy and the security of personal data.

FISA 702

FISA 702 allows U.S. intelligence agencies to monitor and collect communications from non-U.S. persons outside the United States when the purpose is foreign intelligence gathering. This means that communications and data stored or transferred through U.S. cloud services may become subject to surveillance.

For European companies, public authorities and organizations, this can be a risk to privacy, data security and compliance. Legal control, the provider’s jurisdiction and the actual operating location should therefore be part of any cloud platform decision.