'Small chance' of U.S. government accessing European data under CLOUD Act

Blog post | 23-11-2022 | NCSC

The choice to focus on the CLOUD Act did not stem from an assumed substantial threat from that legislation. Nevertheless, after the study was published, we received several inquiries about the risk of information being requested by the U.S. government based on the CLOUD Act. We asked Greenberg Traurig to map this out.

Risk management is at the heart of adequate security of (personal) data. The integral risk analysis that underlies it requires a clear assessment of the probability and impact of the various risks. This makes it possible to distinguish between hypothetical risks and actual risks. Greenberg Traurig's research shows that while the risk of the U.S. government gaining access to European (personal) data, specifically on the basis of the CLOUD act, is conceivable, yet in practice also (very) small.    

This insight is important for organizations when making risk assessments around the deployment of certain digital services and facilities. Whether this involves proprietary on-prem services or, for example, the use of (public) cloud services.

Combined with the previous research, we can state that in principle it does not matter whether organizations invest data processing and/or storage with U.S. suppliers or whether they do so with European suppliers under U.S. jurisdiction. The CLOUD act is just one example of extraterritorial legislation impacting data processing in Europe. Other countries also have such legislation. What the actual risk of this is has not been investigated with this.

Written by:
Paul van den Berg, 
Strategic Vendor Relations Cybersecurity