
CLOUD Act vs GDPR: can your business really keep its cloud in Europe in 2026?

The US CLOUD Act (2018) and European GDPR (2018) have coexisted for seven years without any reconciliation procedure. For a European business hosting data on Microsoft, Google or AWS, both texts apply simultaneously — and the contradiction has never been settled. 2026 analysis of the legal conflict, the Schrems rulings, and the only cloud jurisdictions that actually solve the equation.

By Eric Gerard · Editor · Priviy · 10 min read · Photo: Cytonn Photography via Unsplash

The essentials

Seven years after their near-simultaneous entry into force in 2018, the US CLOUD Act and the European GDPR continue to coexist without any formal reconciliation procedure. For any European business hosting its data with Microsoft, Google, AWS, Oracle, Salesforce or Apple, both texts apply at once — one authorises US access, the other prohibits it in practice. This contradiction has been known since 2018, documented by the CNIL and the EDPB, and is still unresolved in 2026.

For a director or Data Protection Officer in 2026, the question is no longer "are the CLOUD Act and GDPR in tension?" (yes, openly), but: "what is my concrete risk if I keep using a US cloud for personal or sensitive data?" The answer depends on four variables: the data category processed, the competent supervisory authority, the robustness of your Standard Contractual Clauses, and your ability to demonstrate effective supplementary safeguards.

This article maps the legal conflict in 2026, the Schrems rulings history, the real status of the Data Privacy Framework, and the credible cloud alternatives you can activate — without falling into the "sovereign cloud" marketing that deliberately blurs the jurisdictional question.

Where the CLOUD Act × GDPR conflict comes from

The CLOUD Act came into force on 23 March 2018, signed by President Trump. Its stated aim: settle the United States v. Microsoft litigation (the famous Dublin Email Warrant case) that had pitted the Department of Justice against Microsoft since 2013, the latter refusing to hand over emails stored in Dublin based on a US federal warrant. The Supreme Court was about to rule when Congress legislated urgently to clarify: yes, a US warrant can reach data stored abroad by a US service provider.

The GDPR entered into force on 25 May 2018, two months later. Its Article 48 provides that no judicial or administrative decision from a third country can justify a personal data transfer, unless based on an international agreement in force (such as MLAT). The CLOUD Act relies on no such agreement: it is self-declared extraterritorial.

The collision is therefore head-on: two fundamental laws, two opposing extraterritorialities, zero resolution mechanism. Lawyers spoke as early as 2018 of an unsettled "conflict of laws": a situation where the entity receiving the request must choose which of the two laws to violate, accepting the corresponding criminal or administrative risk.

What the CLOUD Act technically authorises

The CLOUD Act gives US judicial authority two powers:

  1. Extended subpoena — require the production of data held, controlled or maintained by an electronic communication service provider, wherever stored worldwide, as long as the provider is under US jurisdiction (headquarters, significant subsidiary, operational presence).
  2. Bilateral executive agreements — allow a qualifying foreign country to directly request from a US operator the data of one of its citizens, without going through MLAT, after an inter-governmental agreement. The United Kingdom signed such an agreement in 2019, Australia in 2021. The European Union has not signed.

The second power is interesting: in theory, it would let a European state recover its own data through a US-EU executive agreement — but this agreement has never been concluded, precisely because it would acknowledge the inversion of normal sovereignty.

Schrems II and the collapse of Privacy Shield

On 16 July 2020, the Court of Justice of the European Union issued ruling C-311/18 (Schrems II), arguably the most consequential decision in European digital law of the past decade. Three key lessons:

  1. The Privacy Shield (mechanism negotiated in 2016 to enable EU-US transfers after the invalidation of Safe Harbor in 2015) is invalidated because it does not sufficiently protect against US surveillance programmes (notably FISA 702 and Executive Order 12333).
  2. Standard Contractual Clauses (SCCs) remain valid in principle but do not suffice on their own for transfers to the US: the exporter must assess case by case whether the destination country's law offers essentially equivalent protection, and complement with supplementary measures (encryption, pseudonymisation, strengthened contractual guarantees).
  3. National supervisory authorities (CNIL, DPC, ICO post-Brexit) are required to intervene if they find a transfer fails to comply with GDPR — they cannot hide behind a Commission adequacy decision.

This ruling forced the entire industry to rework its contractual arrangements with US clouds. In practice, most businesses kept using AWS, Microsoft 365 and Google Workspace, relying on the new SCCs of June 2021 and on unilateral commitments by hyperscalers ("transparency reports", server-side encryption, oversight on requests). But the CNIL explicitly considers, in its 10 February 2022 deliberation on Google Analytics, that these guarantees are insufficient for European personal data.

GDPR fines after Schrems II

A few concrete examples to measure real risk:

  • 2022, CNIL vs French site operator using Google Analytics: data transfer to Google LLC (US) without sufficient guarantees, public formal notice, obligation to cease use.
  • 2022, Austrian authority (DSB): similar decision, Google Analytics deemed incompatible with GDPR for US transfers.
  • 2023, Irish DPC vs Meta: record fine of 1.2 billion euros for massive transfer of user data to Meta US without sufficient legal basis.
  • 2024, CNIL vs several French SMEs: fines of 50,000 to 200,000 euros for use of Zoom and Microsoft Teams not configured in EU-only mode on sensitive data.

The rule is clear in 2026: the more sensitive the data (health, HR, identifiers, private communications), the more concrete the GDPR risk of using a US cloud. For non-personal operational data (technical logs, aggregated metrics), the risk remains theoretical.

The July 2023 Data Privacy Framework: fragile promise

The Data Privacy Framework (DPF) replaced Privacy Shield in July 2023 after three years of negotiation between Brussels and Washington. It introduces two new safeguards:

  1. A Civil Liberties Protection Officer within the Office of the Director of National Intelligence, in charge of reviewing the proportionality of intelligence programmes targeting EU citizens.
  2. A Data Protection Review Court, independent in theory, to which any EU citizen who believes they are targeted by a US surveillance programme can bring a complaint, with power to order remediation.

On paper, this is progress. In practice, Max Schrems and his NGO noyb filed an appeal with the CJEU in September 2023, arguing that the "Data Protection Review Court" is not a true independent tribunal in the European sense (judges appointed by the executive, non-public hearings, decisions not publicly reasoned, no right of appeal). The Schrems III ruling is expected by late 2026 or 2027.

If the CJEU invalidates the DPF — the majority prediction among specialised lawyers — EU-US transfers collapse legally again, and all businesses currently relying on the DPF find themselves in retroactive GDPR violation. The legal continuity risk on US clouds is therefore not only regulatory; it is also temporal.

Map of credible alternatives in 2026

For a European business that wants out of the CLOUD Act × GDPR conflict, three families of alternatives exist. None is perfect, but each solves at least US extraterritoriality.

Family 1: European infrastructure cloud

For compute, storage, serverless, managed databases, credible European actors in 2026 are:

| Provider   | Country     | SIGINT status   | Advantage                                   | Limitation                               |
|------------|-------------|-----------------|---------------------------------------------|------------------------------------------|
| OVHcloud   | France      | 9 Eyes          | Full catalogue, many certifications         | French Intelligence Law applies          |
| Scaleway   | France      | 9 Eyes          | Excellent price/perf ratio, dev ecosystem   | Smaller catalogue, same legal framework  |
| Hetzner    | Germany     | 14 Eyes         | Unbeatable pricing, solid infra             | German BND-Gesetz applies                |
| IONOS      | Germany     | 14 Eyes         | MS compatibility, good for SMBs             | Limited catalogue outside classical EU   |
| Infomaniak | Switzerland | Outside 14 Eyes | Protective LRens jurisdiction               | Limited catalogue, higher prices         |
| Exoscale   | Switzerland | Outside 14 Eyes | More tech-friendly than Infomaniak          | Fewer managed services                   |

In this segment, Switzerland remains the most jurisdictionally protective option, but the catalogue is narrow. For heavy compute at the best price, Hetzner or OVH remain competitive, with a contained jurisdictional risk (14 Eyes framework, but strict GDPR enforcement).

Family 2: Collaboration and productivity

To replace Microsoft 365 and Google Workspace:

  • Proton Business (Switzerland) — Mail, Drive, Calendar, VPN. Zero-knowledge by construction. IMAP/SMTP compatible via Bridge. The most mature in 2026.
  • Tresorit Business (Switzerland) — Drive + collaboration + e-signature. Ernst & Young audit. Higher enterprise pricing.
  • Infomaniak kSuite Pro (Switzerland) — Mail, Drive, Meet, Calendar. Good price/quality ratio but less audited than Proton.
  • Nextcloud Hub (Germany, self-hosted or via partner SaaS) — Open source, full control possible if self-hosted, more usage friction.

Family 3: Specialised privacy cloud for cold storage

For encrypted archiving or long-term sensitive storage, outside the daily collaborative flow:

  • pCloud Business (Switzerland) — Affordable lifetime plans, Crypto add-on for zero-knowledge. See our pCloud 2026 review.
  • Filen Business (Germany) — Open source, AES-256, aggressive pricing. Younger than Proton/Tresorit.
  • Icedrive Business (UK) — Convenient but 5 Eyes jurisdiction — avoid for sensitive data.

The "sovereign cloud" marketing trap

Since 2022, several European and North American actors have been marketing offers labelled "sovereign" or "EU-only". Three typical cases to read carefully:

  1. Microsoft Cloud for Sovereignty — announced in 2022, deployed via partners in France, Germany, Spain. Does not eliminate the CLOUD Act: Microsoft Corporation remains bound by US law, and a partner operator has no capacity to refuse a transfer requested by the parent company. Marketing talks about "isolation"; the legal reality remains that of a subsidiary of a US company.
  2. Bleu (Capgemini × Orange × Microsoft) and S3NS (Thales × Google Cloud) — Franco-American joint ventures deploying Microsoft Azure and Google Cloud technologies on infrastructure operated by French personnel. Both benefit from the SecNumCloud label issued by ANSSI, which includes a requirement of immunity from extra-European laws. On paper, the question is resolved. In practice, source code and updates still come from Redmond and Mountain View, and full operational autonomy has not been publicly demonstrated.
  3. AWS European Sovereign Cloud — announced late 2023, first operational region in Germany late 2025. Exclusively European staff, European technical support, but AWS Inc. remains the legal owner. The DOJ can theoretically subpoena AWS Inc. for European Sovereign Cloud data.

The only way to truly escape the CLOUD Act is to use an operator whose parent company is not American and has no significant US entity. This condition is met by OVH, Scaleway, Hetzner, Infomaniak, Proton, Tresorit, Mailfence — not by "sovereign" offerings from US hyperscalers.

Our 2026 decision matrix

For a European SMB or mid-cap in 2026, here is the simple framework to apply.

Non-personal operational data (technical logs, metrics, non-sensitive source code): AWS, Azure and GCP remain defensible, and GDPR risk is low. There is an economic bonus if you are already committed to one of them.

Personal customer and employee data (CRM, HR, communications, customer support): exit US hyperscalers, choose European infrastructure cloud (OVH, Scaleway, Hetzner) + non-US collaborative suite (Proton, Infomaniak, Tresorit). Switching cost is real, but GDPR risk is also real.

Sensitive data, health data, strategic R&D: Swiss jurisdiction mandatory + client-side zero-knowledge encryption + native clients (no dynamic web app). See E2E vs zero-knowledge cloud storage for the technical grid.

Journalistic data, whistleblowers, activists: Switzerland + Tor + protected identity + redundant backups across two different non-14-Eyes jurisdictions. See 5/9/14 Eyes and your cloud privacy for the 2026 world map.

Article published 5 June 2026. Methodology: reading of primary texts (CLOUD Act, GDPR art. 44-50, rulings C-362/14 Schrems I and C-311/18 Schrems II), review of CNIL and DPC deliberations 2020-2025, consultation of EDPB recommendations 01/2020 on supplementary measures post-Schrems II, and cross-checking with 2024 transparency reports of hyperscalers and European actors. No claim to confidential proprietary sources.
