
US CLOUD Act and data sovereignty:
why choose European datacentres

Tags: CLOUD Act · Data sovereignty · GDPR · Cloud · European datacentres · ISO 27018

Key dates: US CLOUD Act, 23 March 2018 · Schrems II, 16 July 2020 · EU Data Boundary (Microsoft), 2022–2025

What the CLOUD Act is and why it matters

The Clarifying Lawful Overseas Use of Data Act, signed in the United States on 23 March 2018, is a federal law that allows US law enforcement authorities (Department of Justice, FBI) to compel, by warrant, subpoena or court order issued under the Stored Communications Act, any provider of electronic communication or remote computing services subject to US jurisdiction to produce the data it holds on users or companies, wherever that data is physically stored in the world.

US lawmakers intended to settle the dispute raised by Microsoft Corp. v. United States (the "Microsoft Ireland" case, which began with a warrant served in December 2013), in which Microsoft had refused to hand over emails stored in Dublin, arguing that a Stored Communications Act warrant did not reach data held abroad. The CLOUD Act removes that obstacle: the criterion is no longer where the data is, but under whose jurisdiction the provider that manages it falls.

Why it affects Italian businesses too

The share of the European cloud market served by US providers — Amazon Web Services, Microsoft Azure, Google Cloud — now exceeds 70%. Even when an Italian company hosts its data in a datacentre in Ireland, the Netherlands or Germany, the contracting provider is almost always a US-incorporated company or one of its subsidiaries. This means that:

  • The CLOUD Act trumps physical location — an EU datacentre does not in itself shield data from a US production order.
  • The European customer may never be informed — the provider can be placed under a non-disclosure order (18 U.S.C. § 2705(b)) that forbids it from telling the data controller that a warrant was served.
  • It creates direct tension with GDPR — art. 48 of the Regulation provides that a third-country court or administrative decision requiring disclosure of personal data is enforceable only if based on an international agreement, such as a mutual legal assistance treaty. An order served directly on the provider under the CLOUD Act sidesteps that route.
  • Exposure is not limited to personal data — corporate documents, intellectual property, business communications and in-development projects may all be covered by a request.

Schrems II and the end of Privacy Shield

On 16 July 2020 the Court of Justice of the European Union (case C-311/18, known as Schrems II) invalidated the Privacy Shield, the adequacy decision that since 2016 had governed personal data transfers to the United States. Reasoning: US surveillance law, in particular Section 702 of FISA and Executive Order 12333, does not limit government access to what is strictly necessary and proportionate, and EU data subjects have no effective judicial redress against it, so the level of protection is not essentially equivalent to that guaranteed by GDPR. The CLOUD Act was not itself the object of the ruling, but it adds a further channel of access that EU law cannot control.

Standard contractual clauses survived the judgment, but they can no longer be relied on alone: the data exporter must assess, transfer by transfer, whether the law of the destination country undermines them and, where it does, adopt supplementary measures as set out in EDPB Recommendations 01/2020. Examples are encryption with keys held outside US jurisdiction, pseudonymisation, or stronger contractual data-residency guarantees. The EDPB is explicit on one point practitioners often miss: encryption only counts as an effective measure if the importer holds neither the key nor the means to obtain it.

Data Privacy Framework: a partial solution

On 10 July 2023 the European Commission adopted a new adequacy decision, the EU-US Data Privacy Framework (DPF), allowing personal data transfers to US companies that self-certify with the US Department of Commerce, commit to a set of privacy principles and submit to Federal Trade Commission enforcement.

The DPF simplifies the bureaucratic side of compliance but does not repeal the CLOUD Act: US authorities retain the power of extraterritorial request. Max Schrems has already announced a third challenge (Schrems III) and many experts consider a new invalidation likely. Building a cloud strategy on the indefinite life of the DPF is a gamble cautious companies try to avoid.

Microsoft EU Data Boundary: what it really guarantees

Microsoft announced in 2022 and completed in 2025 the EU Data Boundary for its commercial cloud services (Microsoft 365, Azure, Dynamics 365, Power Platform). The contractual commitment is that data of European customers and partners is stored and processed exclusively within the European Union, including operational logs and telemetry.

It is an important step but does not fully resolve the CLOUD Act question. Microsoft remains a US-incorporated company subject to US jurisdiction: the Data Boundary reduces the probability of American access but does not eliminate it entirely. For the most sensitive sectors (public administration, healthcare, finance, defence) the full solution requires a cloud provider incorporated under EU law, with European capital and a non-US chain of control.

Five criteria to choose a sovereign cloud

Digital sovereignty is not a binary attribute: it is a gradient. To concretely assess a cloud provider from the perspective of European data sovereignty, it is worth checking:

  • 1. EU-incorporated company — the contract must be signed with a European legal entity, not with a subsidiary of a US parent. This is the decisive criterion regarding the CLOUD Act.
  • 2. Contractually bound data residency — a promise is not enough; an explicit clause is required specifying EU storage regions and forbidding replication or migration outside European borders without consent.
  • 3. ISO/IEC 27018 certification — the international code of practice for the protection of personal data in public cloud. It sets requirements on consent, transparency, handling of access requests and notification obligations.
  • 4. Encryption key management — the provider should offer customer-managed keys or bring-your-own-key options, so that access to cleartext data depends on keys controlled by the customer or an independent European third party. Note the limit of BYOK: a key imported into the provider's own key vault is still operated by the provider's infrastructure, and the provider can be compelled to use it. Only keys that never leave customer or third-party control (client-side encryption, an external key manager) actually deny the provider access to cleartext.
  • 5. ACN qualification and Public Administration Cloud Catalogue — for organisations serving the Italian public administration, the qualification from the National Cybersecurity Agency (ACN) is an objective filter: QC1/QC2 qualified services must meet verified sovereignty and security criteria.
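The supplementary measure mentioned under Schrems II (encryption with keys held outside US jurisdiction) and criterion 4 above describe the same mechanism: client-side envelope encryption, where the provider stores only ciphertext plus a data key wrapped under a key-encryption key (KEK) it never sees. The example below is added here to make that concrete; it is not code from the page or from any provider's SDK. The `CustomerKEK` type is a hypothetical stand-in for a key manager run by the customer or an EU third party (a real deployment would call that manager's wrap/unwrap API over the network), the object ID and document content are constructed inputs, and AES-256-GCM from the Go standard library is used for both layers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is unrecoverable
	}
	return b
}

// newGCM builds AES-GCM; aes.NewCipher rejects any key not 16/24/32 bytes long.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prepends a fresh 96-bit nonce; aad binds the ciphertext to its object.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or wrong aad fails the GCM tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
}

// CustomerKEK is a hypothetical model of a key manager controlled by the customer
// or an independent EU third party: only Wrap and Unwrap are exposed, and the
// raw key never reaches the cloud provider.
type CustomerKEK struct{ key []byte }

func NewCustomerKEK() *CustomerKEK                         { return &CustomerKEK{key: randomBytes(32)} }
func (k *CustomerKEK) Wrap(dek, id []byte) ([]byte, error) { return seal(k.key, dek, id) }
func (k *CustomerKEK) Unwrap(w, id []byte) ([]byte, error) { return open(k.key, w, id) }

// Revoke models the customer withdrawing the key: every DEK wrapped under it
// becomes unrecoverable (crypto-shredding), since newGCM rejects the empty key.
func (k *CustomerKEK) Revoke() { k.key = nil }

// StoredObject is everything the provider holds; handing it over yields no cleartext.
type StoredObject struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt runs on the client before upload: a fresh per-object DEK protects the
// content, and only the DEK is wrapped under the customer's KEK.
func Encrypt(kek *CustomerKEK, id string, plaintext []byte) (StoredObject, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := kek.Wrap(dek, []byte(id))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt is the customer-side path: unwrap the DEK, then open the content.
func Decrypt(kek *CustomerKEK, obj StoredObject) ([]byte, error) {
	dek, err := kek.Unwrap(obj.WrappedDEK, []byte(obj.ID))
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, []byte(obj.ID))
}

// ProviderCanRead models the provider (or an authority it must answer to) holding
// the object but not the KEK: the best it can do is guess, and GCM rejects the guess.
func ProviderCanRead(obj StoredObject) bool {
	_, err := open(make([]byte, 32), obj.WrappedDEK, []byte(obj.ID))
	return err == nil
}

func main() {
	kek := NewCustomerKEK()
	obj, _ := Encrypt(kek, "contracts/nda.pdf", []byte("constructed sample document")) // constructed input
	pt, _ := Decrypt(kek, obj)
	fmt.Printf("customer reads %q; provider alone can read: %v\n", pt, ProviderCanRead(obj))
	kek.Revoke()
	fmt.Println(Decrypt(kek, obj)) // fails: the wrapped DEK is now unrecoverable
}
```

Two design choices carry the sovereignty argument. The object ID is passed as GCM additional data on both layers, so a wrapped DEK copied onto a different object, or an object renamed by whoever holds the store, fails authentication instead of decrypting. And because only the 32-byte DEK is ever wrapped, revoking or destroying the KEK makes every object unreadable at once, which is the lever the customer keeps when the storage itself sits with a provider it cannot fully trust. None of this helps if the KEK is imported into the provider's own key vault: the design only holds while Wrap and Unwrap run on infrastructure outside the provider's control.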

Where AtWorkStudio stands

AtWorkStudio has operated from Piacenza, Italy, since 2000 as an Italian-incorporated company. Our cloud services are hosted in European Microsoft Azure regions (Italy North and West Europe) with three Availability Zones per region, or in partnership with Italian datacentres for customers requiring full sovereignty. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, and we are ACN QC1 qualified for three services in the Italian Public Administration Cloud Catalogue (Secure Workspace, Email Security Gateway, Microsoft 365 Backup).

We are members of Clusit (Italian Association for Information Security) and associate members of Confindustria Piacenza in the RICT cluster. For Italian companies that want to adopt Microsoft 365 or build cloud infrastructures without giving up data sovereignty, we offer a concrete path: analysis of current data flows, CLOUD Act risk assessment, design of a GDPR-compliant cloud architecture and ongoing management support.

Sources

  • US Congress — Clarifying Lawful Overseas Use of Data Act (H.R. 4943, 23 March 2018)
  • Court of Justice of the EU — Judgment C-311/18 Schrems II (16 July 2020)
  • European Commission — EU-US Data Privacy Framework adequacy decision (10 July 2023)
  • Microsoft — EU Data Boundary for the Microsoft Cloud (official documentation)
  • EDPB — Recommendations 01/2020 on supplementary measures for transfers
  • ACN — Public Administration Cloud Services Catalogue


Assess the CLOUD Act risk of your cloud infrastructure

We can analyse your company’s data flows, identify dependencies on US providers and design a GDPR-compliant cloud architecture with contractually guaranteed EU data residency, with no service disruption.