Meaning, GDPR impact and US vs EU data hosting explained
If you use cloud software or software as a service (SaaS), and that is basically everyone, you have likely come across the US CLOUD Act in discussions around data privacy, GDPR, and data security.
But what exactly is this law? Has anything changed in recent years? And what does it mean in practice when choosing between US and European software providers?
In this article, we’ll give you a clear and practical explanation so you can better understand the impact on your data and technology decisions.
What is the US CLOUD Act?
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US law introduced in 2018. It allows American law enforcement authorities to request access to data from US-based technology companies, even if that data is stored outside the United States.
In simple terms: If your data is processed or controlled by a company that falls under US jurisdiction, US authorities can legally request access to that data, regardless of where it is physically stored.
This is where the complexity around international data privacy begins.
What does the CLOUD Act mean in practice?
Although the CLOUD Act is primarily used for serious criminal investigations, its implications go beyond law enforcement. The most important takeaway is:
Where your data is stored is not the same as who controls your data
Many organisations assume that storing data in Europe automatically protects it. In reality, the legal jurisdiction of the provider plays a crucial role.
If you use a US-based cloud or SaaS provider, that company may be required to provide access to data under US law. This can create tension with the General Data Protection Regulation (GDPR), which imposes strict rules on access to and processing of personal data.
What has changed? Why the CLOUD Act is back in focus
The law itself hasn’t significantly changed, but the context around it has evolved.
Schrems II changed the playing field
In 2020, the European Court of Justice issued its ruling in the Schrems II case, invalidating the Privacy Shield framework due to concerns about access to EU data by US authorities.
The key takeaway from this ruling:
It is not enough for data to be stored in Europe. It must also be protected against access under foreign laws that conflict with GDPR.
Increased scrutiny and buyer awareness
Since Schrems II:
- Organisations must better justify how they handle international data transfers
- Legal and compliance teams are more involved in vendor selection
- Buyers increasingly ask detailed questions about data access and jurisdiction
At the same time, data sovereignty has become a real factor in procurement and vendor selection processes.

US vs EU data hosting: what’s the real difference?
At first glance, US and European providers may seem similar. Both offer scalable cloud infrastructure and advanced capabilities. The real difference lies in legal jurisdiction and data access rights.
US-based providers
US providers (including hyperscalers and many SaaS platforms) offer powerful, globally distributed infrastructure. However, they are subject to US law, including the CLOUD Act.
This means:
- Data may be requested by US authorities through legal procedures
- Jurisdiction applies regardless of where the data is stored
- Additional safeguards are required to meet GDPR obligations
For many organisations, this is manageable—but it requires awareness and proper risk assessment.
EU-based providers
European providers operate fully under EU law and are directly aligned with GDPR requirements.
In practice, this means:
- Data is governed exclusively by European legislation
- Lower exposure to foreign government access requests
- Simpler and more predictable compliance processes
For organisations prioritising transparency and control, this can be a decisive advantage.
The key insight
This is not about “good” versus “bad” providers. Choosing a software provider is also choosing the legal framework under which your data is governed. That makes it a strategic decision, not just a technical one.

Comparison: US vs EU data hosting
Why this matters for marketing and customer data
Marketing platforms process highly sensitive and valuable data, such as:
- Customer profiles
- Behavioural data
- Communication history
- Consent and preferences
This makes questions around data access and jurisdiction critical—not just for compliance, but for trust and commercial success.
These topics increasingly come up in:
- RFP processes
- Security and compliance assessments
- Enterprise sales conversations
If you can’t clearly explain your setup, it can slow down or even block deals.

Spotler’s perspective on data privacy and control
At Spotler, we see data privacy as a fundamental part of modern marketing technology. As a European organisation, we operate in line with GDPR principles and prioritise transparency, control, and responsible data handling.
This means we make conscious decisions about:
- Where data is stored
- Who has access to it
- Under which conditions it is processed
This way our customers can not only be compliant, but also confidently explain their data setup to stakeholders. It is also why we are open and transparent about this in our Trust Center.
The bigger shift: from storage to control
The CLOUD Act highlights a broader shift in how organisations think about data.
It’s no longer enough to ask:
- Where is my data stored?
You also need to understand:
- Who can access it?
- Under which legal framework?
- How can I demonstrate control?
Final thoughts
The US CLOUD Act does not mean your data is freely accessible. But it does mean that:
Legal jurisdiction matters just as much as physical data location
For organisations operating in Europe, this makes the choice of technology partners more strategic than ever. Because in practice, choosing software also means choosing how your data is governed and protected.
Frequently Asked Questions about the US CLOUD Act
What is the US CLOUD Act in simple terms?
The US CLOUD Act is an American law introduced in 2018 that allows US authorities to request access to data from US-based technology companies, even when that data is stored outside the United States.
In practice, this means that a company operating under US jurisdiction may be legally required to provide access to data, regardless of whether the data is physically stored in Europe.
Does the CLOUD Act override GDPR?
Not directly. The CLOUD Act and GDPR are separate legal frameworks that can sometimes conflict with each other.
GDPR places strict rules on how personal data can be accessed and transferred, while the CLOUD Act allows US authorities to request access to data from US companies. This creates legal and compliance challenges for organisations using US-based cloud providers.
That is why many organisations now assess not only where data is stored, but also which jurisdiction applies to the provider managing the data.
Can US authorities access data stored in Europe?
Potentially, yes.
If the company managing or controlling the data falls under US jurisdiction, American authorities may legally request access to that data under the CLOUD Act—even when the data is hosted in an EU data centre.
This is one of the main reasons why data sovereignty and jurisdiction have become important topics in Europe.
Does using a US cloud provider automatically mean non-compliance with GDPR?
No. Using a US-based provider does not automatically mean an organisation is non-compliant.
However, organisations are expected to carefully assess the legal and technical safeguards surrounding international data access and transfers. Since the Schrems II ruling, companies must take a more active role in evaluating these risks.
This often includes:
- Risk assessments
- Additional contractual safeguards
- Technical measures such as encryption and access controls
What is the difference between data location and data sovereignty?
Data location refers to the physical place where data is stored, such as a data centre in Germany or the Netherlands.
Data sovereignty refers to the legal jurisdiction governing that data.
This distinction is important because data stored in Europe may still fall under foreign laws if the provider is headquartered outside the EU.
Why is Schrems II important in relation to the CLOUD Act?
The Schrems II ruling by the European Court of Justice invalidated the Privacy Shield agreement between the EU and the US.
One of the key concerns behind the ruling was the possibility of US government access to European data under laws such as the CLOUD Act.
As a result, organisations are now expected to assess whether international data transfers provide adequate protection under GDPR.
Are European cloud providers safer from a privacy perspective?
European providers are generally more closely aligned with European privacy legislation such as GDPR because they operate fully under EU jurisdiction.
This often results in:
- Lower exposure to foreign government access requests
- Simpler compliance processes
- Greater clarity around legal responsibilities
However, organisations should still evaluate each provider individually based on their security measures, infrastructure, and compliance policies.
Why are businesses increasingly asking about the CLOUD Act?
Over the past few years, data privacy has become a much more strategic topic.
Buyers, procurement teams, and compliance departments increasingly ask:
- Who can access our data?
- Under which laws?
- How is customer data protected?
This is especially important in sectors handling sensitive customer information, such as marketing, SaaS, customer service, and e-commerce.
What should organisations ask cloud or SaaS providers?
When evaluating providers, organisations should ask questions such as:
- Under which jurisdiction does your company operate?
- Where is customer data stored?
- Who can access the data internally?
- What safeguards exist against unauthorised access?
- How do you support GDPR compliance?
- How do you respond to government data requests?
Clear answers to these questions help organisations better assess privacy and compliance risks.
Does the CLOUD Act only apply to large tech companies?
No.
The CLOUD Act can apply to any company that falls under US jurisdiction and is legally required to provide data access, regardless of company size.
However, discussions around the law most commonly focus on major cloud and SaaS providers because they process large amounts of customer and business data.
What is the main takeaway for European organisations?
The most important insight is that:
Data protection is no longer only about where data is stored. It is also about who controls the data and under which legal framework.
For European organisations, this makes data governance, provider selection, and transparency increasingly important strategic decisions.
Do you have any other questions?
Please feel free to contact us. We will gladly answer your questions.