The CLOUD Act and Your AI Research
By LumaVista Team
You’re a compliance officer at a European financial firm. You paste a summary of a client’s transaction history into ChatGPT and ask it to flag potential AML red flags. The AI gives you a useful analysis. But here’s what you didn’t think about: that query — including your client’s name, transaction details, and the fact that you’re investigating them — just landed on a server controlled by a US company. And under US law, the American government can demand access to it. Without telling you. Without telling your client. Without needing a European court’s permission.
This isn’t a theoretical risk. It’s the law. And it applies every time a European organization uses Perplexity, ChatGPT, Google’s Deep Research, or any AI tool hosted by a US company.
If you’ve been following our AI Safety Education series, you know that AI tools collect more data than most people realize. But the CLOUD Act adds a layer most people haven’t considered: it’s not just about what the AI company does with your data. It’s about what a foreign government can legally force them to hand over.
What is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act was signed into US law on March 23, 2018, as part of the Consolidated Appropriations Act. It was passed to resolve a specific problem: the US government wanted emails stored on Microsoft’s servers in Dublin, Ireland, and Microsoft said no.
The case, United States v. Microsoft Corp., went all the way to the Supreme Court. While it was pending, Congress passed the CLOUD Act, which made the legal question moot, and on April 17, 2018 the Supreme Court vacated the case. The new law declared that a provider served with valid US legal process under the Stored Communications Act must produce data in its possession, custody, or control regardless of where in the world that data is physically stored. It also created a framework for executive agreements under which partner governments can request data directly from US providers.
That’s it. That’s the whole thing. The physical location of the server doesn’t matter. What matters is whether the provider is subject to US jurisdiction and controls the data. A company incorporated in the US, or one with enough US presence (offices, staff, customers) for a US court to assert jurisdiction over it, must comply, and because the standard is "possession, custody, or control", that reach extends to data held by its foreign subsidiaries.
A company can file a motion to quash the order within 14 days under 18 U.S.C. § 2703(h), but the conditions are narrow: the customer must not be a US person and must not reside in the US, disclosure must create a material risk of violating the law of a qualifying foreign government that has a CLOUD Act executive agreement with the US, and the court must agree that foreign interests outweigh US interests. In practice, the bar is high — and as of 2026, only the UK and Australia have signed such agreements.
The physical location of the server is irrelevant. What matters is whether the company is subject to US jurisdiction.
What is FISA Section 702?
If the CLOUD Act is the front door, FISA Section 702 is the side entrance — and it’s wider.
Section 702 of the Foreign Intelligence Surveillance Act authorizes the US government to collect, without an individual warrant, the communications of non-US persons reasonably believed to be located outside the United States, for the purpose of acquiring foreign intelligence information. No court approves the individual targets. Instead, the Attorney General and Director of National Intelligence jointly issue annual certifications, the Foreign Intelligence Surveillance Court approves those certifications together with the targeting, minimization, and querying procedures, and the agencies then task specific selectors (email addresses, phone numbers) and query the data they collect.
The scale is significant. Nearly 292,000 people were targeted under Section 702 in calendar year 2024, the ODNI’s Annual Statistical Transparency Report shows — up from roughly 269,000 the year before.
Section 702 operates through two collection methods. “Downstream” collection (the program once known as PRISM) compels US providers such as Google, Microsoft, and Apple to hand over the communications of tasked selectors. “Upstream” collection is broader: with the compelled assistance of US telecommunications carriers, it acquires communications as they transit the Internet backbone, including international traffic entering and leaving the United States.
Here’s the part that matters for European organizations: if your data passes through US infrastructure or is stored with a US-jurisdiction provider, it’s accessible under Section 702 without anyone needing to tell you about it.
Congress reauthorized Section 702 in April 2024 through the Reforming Intelligence and Securing America Act (RISAA), and actually expanded the definition of which companies can be compelled to assist in surveillance. The program’s authorization hit its April 2026 sunset without a long-term deal — Congress passed a short-term extension while it negotiates reauthorization. Historically, the program has always been renewed.
And then there’s Executive Order 12333
Beyond CLOUD Act warrants and FISA 702 surveillance, there’s a third authority most people have never heard of: Executive Order 12333.
Signed by President Reagan on December 4, 1981, EO 12333 authorizes US intelligence agencies to collect foreign signals intelligence with no judicial oversight whatsoever. No court approval. No warrant. No notification. The only checks are internal executive branch guidelines — policy documents, not laws.
This matters because EO 12333 is the authority under which the NSA intercepts traffic on the undersea cables crossing the Atlantic. Any data flowing between European and US data centers is potentially collected under it, and that includes every call to an AI API whose endpoint is served from the United States, which is where the default endpoints of most US-based tools run. An EU-region endpoint keeps the inference traffic inside Europe, but it does not change the jurisdiction analysis in the next section.
The Court of Justice of the European Union examined EO 12333 specifically in its Schrems II ruling (Case C-311/18, July 16, 2020), finding that surveillance under EO 12333 allowed NSA access to data in transit “without that access being subject to any judicial review” — and that this was incompatible with EU fundamental rights.
Nearly 292,000 individuals were targeted under FISA Section 702 in 2024 alone — and none of them were notified.
Why “EU region” doesn’t mean “EU sovereign”
Here’s where most organizations get tripped up. Your IT team tells you, “Don’t worry, we’re using the EU region on AWS.” And it sounds reassuring. The server is in Frankfurt. The data is in Europe. Problem solved, right?
Wrong. The CLOUD Act follows the corporate chain, not the data center address.
AWS launched its “European Sovereign Cloud” on January 14, 2026, operated by a new German subsidiary. It sounds impressive. But AWS European Sovereign Cloud GmbH is a 100% subsidiary of Amazon.com, Inc. — a US company. A US court order served to Amazon in Seattle can compel production of data from the German subsidiary’s servers. As Techzine’s analysis put it: “AWS and the AWS European Sovereign Cloud are part of the American company Amazon. That company therefore ultimately has to listen to what the US government expects, desires, and demands.”
Microsoft’s situation is similar. Microsoft’s director of public and legal affairs in France acknowledged under oath at a French Senate hearing that the company cannot guarantee EU data is safe from US access requests. Azure’s EU Data Boundary is a data residency commitment — it controls where data is stored, not who can legally demand it.
Google doesn’t even offer a standalone sovereign cloud. Instead, it partners with T-Systems and Thales to run sovereign infrastructure, but the underlying services still flow through Google’s corporate structure.
The pattern is consistent: operational separation (EU staff, EU data centers, EU subsidiary) doesn’t sever legal jurisdiction. As long as the ultimate parent company is US-incorporated, the CLOUD Act applies.
What this means for your AI research
Every time you send a query to an AI tool operated by a US company, you’re creating data that is legally accessible to US authorities. And with AI, the query is often more revealing than the answer.
Consider what a research query reveals:
- “What are the regulatory risks of [Client A]‘s acquisition of [Company B]?” — tells a reader exactly what deal you’re working on
- “Summarize the compliance implications of [these transaction records]” — reveals you’re investigating specific transactions
- “Draft a memo on the patent exposure of [this technology]” — reveals your IP strategy
These queries contain the kind of information that’s normally protected by attorney-client privilege, regulatory confidentiality, or trade secret law. But when they’re processed by a US-jurisdiction AI provider, they’re one CLOUD Act warrant away from disclosure — and you might never find out.
Both OpenAI and Anthropic retain API inputs and outputs for 30 days by default, for abuse monitoring. During that window a US court order can compel production. Both offer zero-data-retention arrangements to enterprise customers, but the default applies to most users, and the consumer chat products keep conversation history until you delete it. Even under zero data retention, account and request metadata (who queried, when, and how much) is typically still logged, so deleting content does not erase the fact that the query was made.
With AI, the query is often more revealing than the answer. Your research questions expose strategy, deals, and investigations.
The Schrems cycle and what comes next
Europe has tried to solve the US surveillance problem three times. Each attempt has been struck down or is under threat:
Safe Harbor (2000-2015): Invalidated by the CJEU in Schrems I (Case C-362/14, October 6, 2015). The Court found it allowed unrestricted government interference with EU data protections.
Privacy Shield (2016-2020): Invalidated by the CJEU in Schrems II (Case C-311/18, July 16, 2020). The Court specifically cited FISA 702 and EO 12333 as incompatible with EU fundamental rights. The Irish DPC subsequently fined Meta EUR 1.2 billion — the largest GDPR fine in history — for continuing to transfer EU personal data to the US using Standard Contractual Clauses after Privacy Shield fell.
Data Privacy Framework (2023-present): The current arrangement survived its first court challenge in September 2025 (Latombe v. European Commission, Case T-553/23), but the General Court assessed the adequacy decision based on the facts in place when it was made in 2023 — it didn’t consider subsequent developments like the Trump administration’s dismissal of PCLOB board members on January 27, 2025.
The Privacy and Civil Liberties Oversight Board (PCLOB) was a cornerstone of the DPF’s adequacy finding. The European Commission cited it as a key safeguard ensuring US intelligence practices align with EU standards. With PCLOB effectively non-functional after three of its four sitting members were fired — the fifth seat was already vacant, leaving a single member and no quorum — the DPF’s legal foundation is weakened. An appeal of the Latombe decision to the CJEU is expected, and NOYB (Max Schrems’ organization) has indicated it will bring a separate, broader challenge.
The pattern is clear: every EU-US data transfer framework has eventually been invalidated. Organizations that build their AI infrastructure on US providers are betting this time will be different. History suggests otherwise.
EU regulators are already acting
This isn’t just legal theory. EU data protection authorities have already taken concrete action:
- France: The Ministry of Education told school principals to stop deploying Microsoft Office 365 and Google solutions over CLOUD Act concerns, and the national Health Data Hub was pressured (with the CNIL weighing in) to migrate off Microsoft Azure.
- Denmark: The DPA banned a municipality’s use of Google Workspace for Education and ordered suspension of data transfers to third countries.
- Germany (Hesse): Migrated school systems off Microsoft Office 365 to local cloud.
- EU institutions themselves: In March 2024, the European Data Protection Supervisor found that the European Commission’s own use of Microsoft 365 infringed data protection law for EU institutions.
If the EU’s own institutions can’t legally use Microsoft 365, what does that say about European organizations sending confidential research queries through US-hosted AI tools?
And as the EU AI Act keeps phasing in — most remaining obligations apply from August 2, 2026, with high-risk system requirements following from December 2027 under the Digital Omnibus deferral — organizations using AI for high-risk applications (legal research, financial compliance, medical analysis) will need to demonstrate they understand where their AI data goes and who can access it. “We use the EU region” won’t satisfy an auditor who understands how the CLOUD Act works.

Every EU-US data transfer framework has eventually been invalidated. Building your AI stack on US providers is a bet that this time will be different.
What to do now
- Audit your AI tools. Make a list of every AI tool your organization uses, including browser extensions and "AI features" inside existing SaaS products. For each one, identify the ultimate parent company’s jurisdiction. If it’s US-headquartered, your data is CLOUD Act-accessible regardless of server location.
- Classify your research by sensitivity. Not every query needs sovereign infrastructure. Asking AI to summarize a public report is low-risk. Asking it to analyze client transaction records is high-risk. Know the difference, and write it down so staff can apply it.
- Read the fine print on “EU sovereign” offerings. Check whether the provider’s ultimate parent company is US-incorporated. If it is, the CLOUD Act applies. “Operated by EU residents” and “data stored in EU” are irrelevant if the corporate chain leads to a US entity. Check the subprocessor list too: an EU-headquartered provider that routes inference through a US model API puts you right back in scope.
- Brief your legal and compliance team. Most lawyers understand privilege. Most IT teams understand data residency. Few people understand that the CLOUD Act makes data residency irrelevant for jurisdictional purposes. Bridge that gap.
- Evaluate EU-sovereign alternatives. Genuinely sovereign options do exist: European-headquartered cloud providers (Scaleway, OVHcloud, Hetzner) with no US parent company, and open-source AI models that can run on European infrastructure without any third-party API in the loop. LumaVista runs multiple open-source models on dedicated EU GPU servers, with no US company anywhere in the data path. Your research queries never leave European jurisdiction.
- Prepare for the EU AI Act. The next major deadline hits August 2, 2026, and high-risk system requirements follow from December 2027. Start documenting your AI data flows now: for each tool, record which model processes your data, where inference runs, how long inputs and outputs are retained, which subprocessors are involved, and which jurisdictions have legal access to each party in that chain. You’ll need this for compliance.
- Watch the Schrems III timeline. If the CJEU invalidates the Data Privacy Framework, as it did with Safe Harbor and Privacy Shield, organizations relying on US-hosted AI will need to move fast. Having a sovereign alternative already evaluated (or deployed) is insurance.
- Ask your AI vendor the question they don’t want to answer: “If a US court issues a CLOUD Act warrant for our data, can you refuse to comply?” A US-headquartered company can contest an order (for example through a motion to quash under 18 U.S.C. § 2703(h)), but it cannot refuse a valid one. If the vendor can’t say yes, you have your answer about the real level of protection.