Understanding the CLOUD Act and Cross‑Border Data Access

How the CLOUD Act reshapes government access to digital evidence across borders while embedding privacy, civil liberties and rule‑of‑law safeguards.

By Sneha Tete, Integrated MA, Certified Relationship Coach
Created on

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a U.S. federal law adopted in 2018 to modernize how governments obtain electronic evidence from service providers, especially when data is stored across national borders. It clarifies that U.S. legal orders can reach data in a provider’s possession, custody or control regardless of where that data is physically stored, and it creates a framework for bilateral agreements with foreign governments to streamline lawful access to digital evidence.

Why the CLOUD Act Was Enacted

Before the CLOUD Act, law enforcement agencies often relied on mutual legal assistance processes to obtain data stored abroad. These government‑to‑government channels were formal, slow, and not designed for the rapid pace of modern digital investigations. With crimes such as terrorism, child exploitation and cyberattacks leaving digital traces across multiple jurisdictions, delays in obtaining electronic evidence could significantly hinder investigations.

The CLOUD Act was enacted in March 2018 with two central goals:

  • Speed up lawful access to electronic information held by service providers in serious criminal investigations, irrespective of where the data is stored.
  • Reduce conflicts of law by enabling bilateral agreements that reconcile domestic privacy and human rights safeguards with investigative needs.

In essence, the Act responds to a world where cloud services, social networks and communication platforms routinely distribute data across global infrastructure, while law enforcement jurisdiction remains tied to national borders.

Core Features of the CLOUD Act

The CLOUD Act can be understood through two major structural elements often described as Part I and Part II.[10]

Feature What It Does
Domestic reach of orders Confirms that U.S. orders under existing electronic communications law can reach data in a provider’s possession, custody or control, wherever stored.
Bilateral executive agreements Creates a mechanism for the U.S. and qualifying foreign governments to directly request data from providers in each other’s jurisdictions, bypassing traditional mutual legal assistance routes.
Read More

Pregnancy, Preexisting Conditions, and Health Insurance >

Pregnancy, Preexisting Conditions, and Health Insurance

These features work together: the first clarifies obligations for providers under U.S. law, and the second offers reciprocal pathways for foreign partners that meet rule‑of‑law and human‑rights standards.

Domestic Legal Orders and Data Location

Under existing U.S. electronic communications law, notably the Stored Communications Act as amended, authorities can seek data from an electronic communication service or remote computing service provider when the provider has possession, custody or control over that data.[10] The CLOUD Act confirms that the physical location of the data is not decisive; what matters is the provider’s legal and practical control.[10]

However, this authority is limited by familiar constitutional and statutory safeguards. For example:

  • To access content of communications (such as email or messages), authorities generally must obtain a warrant based on probable cause from an independent judge.
  • To obtain certain non‑content data, such as detailed metadata, an order based on specific and articulable facts showing relevance to an ongoing investigation is required.
  • Subscriber or basic account information may be obtainable under a lower threshold, but still through lawful process.

These standards apply even when the sought‑after data resides on servers outside the United States, provided the provider is subject to U.S. jurisdiction.

Bilateral Agreements and Foreign Partners

The CLOUD Act’s second major feature allows the U.S. to enter into executive agreements with foreign governments that meet specific baseline requirements around human rights, rule of law and privacy protections. Under such agreements, qualifying foreign authorities can issue orders directly to U.S. service providers for certain data needed in serious criminal investigations, rather than routing requests through the mutual legal assistance process.

Key elements of these agreements include:

  • Eligibility criteria such as respect for civil liberties, due process and historically reliable legal institutions.
  • Limitations that restrict use to investigations of serious crime, including terrorism and other grave offenses.
  • Requirements that orders be lawfully obtained under the partner country’s domestic system and subject to independent oversight.
  • Safeguards to prevent targeting of individuals in ways that conflict with the other party’s fundamental rights protections.

These agreements are designed to provide a streamlined pathway for foreign partners while preserving protections for individuals whose data is being sought.

Scope: Who and What the CLOUD Act Covers

Covered Service Providers

The CLOUD Act applies broadly to electronic communication service and remote computing service providers that operate or have a legal presence in the U.S., regardless of where they are headquartered. A cloud provider based in another region but with U.S. operations can still fall within the Act’s reach if it meets these conditions.

Courts may also require parent companies to produce data held by their subsidiaries if the parent has sufficient control over that data. This reflects how large technology companies often manage infrastructure and data access across related entities.

Types of Data Involved

As with other U.S. electronic communications laws, the CLOUD Act operates in a landscape where different categories of data trigger different legal thresholds.

  • Subscriber information – identifiers, basic account details or billing data. Generally accessible through relatively low‑threshold process compared to content.
  • Metadata and non‑content records – information about communications (such as logs) without revealing the substance of messages. Courts typically require orders based on specific and articulable facts showing the data’s relevance.
  • Content of communications – the actual substance of emails, messages or stored files. Access typically requires a warrant grounded in probable cause that a crime has been committed and that the content will contain evidence.

These distinctions are central to how providers evaluate legal demands and how courts oversee compliance.

Safeguards: Privacy, Civil Liberties and Human Rights

The CLOUD Act was drafted in the context of intense public debate about privacy, surveillance and digital rights. As a result, it incorporates or relies on multiple safeguards intended to protect individuals while allowing legitimate investigations to move forward.

Judicial Oversight and Legal Standards

For U.S. authorities, the standard requirements to obtain communications data remain in force:

  • An independent judge must find probable cause for warrants seeking content, including that a specific crime has been or is being committed and that the data sought is likely to contain evidence.
  • Orders for certain non‑content data must be supported by specific and articulable facts demonstrating that the information is relevant and material to an ongoing investigation.
  • Legal process must particularly describe the data to be obtained, limiting overbroad collection.

These safeguards are grounded in long‑standing U.S. constitutional and statutory protections.

Requirements for Foreign Partners

Foreign governments seeking agreements under the CLOUD Act must satisfy criteria relating to rule of law, civil liberties and due process. Agreements generally require that:

  • Orders be for the prevention, detection, investigation or prosecution of serious criminal offenses, including terrorism.
  • Requests target specific individuals or accounts rather than broad categories or mass surveillance.
  • There be an independent authority, such as a judge or magistrate, capable of reviewing orders for legality and proportionality.

The U.S. can decline or limit agreements if these standards are not met, aiming to ensure that data disclosed under the CLOUD Act is not used in ways that conflict with fundamental rights.

Encryption Neutrality

Official materials emphasize that the CLOUD Act is encryption‑neutral. It does not create new authority for U.S. law enforcement to compel service providers to decrypt communications, nor does it prohibit voluntary assistance with decryption or prevent countries from addressing encryption in their own domestic laws. In other words, it focuses on access to data through legal orders, not on redesigning cryptographic systems.

Practical Impact on Investigations and Providers

Benefits for Law Enforcement

For investigators, the CLOUD Act offers practical advantages:

  • Faster access to electronic evidence compared with traditional mutual legal assistance processes.
  • Direct requests to providers in partner countries under bilateral agreements, reducing reliance on government‑to‑government channels.
  • Improved ability to address transnational crime, where offenders and victims may be in different countries but data resides with global service providers.

Reports on early agreements, such as the U.S.–U.K. arrangement, highlight both successes in facilitating investigations and ongoing challenges in implementation, including clarity of standards and workload distribution.

Obligations and Concerns for Service Providers

U.S.‑based and U.S.‑connected providers must navigate a more complex environment under the CLOUD Act. They may receive orders from U.S. authorities for data stored abroad, as well as direct orders from foreign partners pursuant to bilateral agreements.

Providers often focus on several issues:

  • Assessing whether orders comply with applicable legal standards and internal policies.
  • Managing potential conflicts of law when domestic obligations in one country collide with privacy or blocking statutes in another.
  • Maintaining transparency through reports and public statements about how often data is disclosed and under what conditions.

For example, one major cloud provider publicly reports that, as of mid‑2025, it had not disclosed enterprise or government content data stored outside the U.S. to the U.S. government under the CLOUD Act. Such statements are intended to reassure customers while demonstrating compliance with the law.

Implications for Users and Organizations

For individuals and organizations, the CLOUD Act has several practical implications:

  • Data stored with U.S.‑connected providers may be subject to lawful access requests even if physically hosted in another country, subject to applicable safeguards.
  • Foreign law enforcement may obtain data directly from U.S. providers under certain agreements when investigating serious crimes.
  • Enterprise and government customers may want to review provider policies, transparency reports, and technical safeguards such as encryption and segregation of data.

Understanding these dynamics is increasingly important for compliance, risk management and privacy governance in multinational organizations.

Frequently Asked Questions About the CLOUD Act

Does the CLOUD Act apply only to U.S. companies?

No. The CLOUD Act applies to any covered service provider that operates or has a legal presence in the United States, regardless of where the company is headquartered. A provider based in another country but offering services in the U.S. or maintaining U.S. infrastructure can fall under its scope.

Can the CLOUD Act be used to compel decryption of data?

Official materials indicate that the CLOUD Act is encryption‑neutral. It does not itself grant new powers to compel decryption of communications. Existing domestic laws around encryption and assistance remain unchanged, and countries may address decryption separately in their legal frameworks.

Are mass or bulk data demands allowed under CLOUD Act agreements?

Bilateral agreements under the CLOUD Act are structured around targeted orders relating to specific individuals or accounts and serious crimes. Requests must be lawfully authorized under the partner country’s system and subject to oversight, which is intended to prevent indiscriminate or mass surveillance demands.

How does the CLOUD Act interact with other privacy laws?

The CLOUD Act does not displace other privacy or data protection laws. Instead, it provides a legal mechanism for reconciling domestic investigative powers with cross‑border data storage, including procedures for foreign partners that meet human‑rights benchmarks. Providers still need to account for regional data protection regimes and may challenge or seek modifications of orders that conflict with these obligations.

What kinds of crimes qualify under CLOUD Act agreements?

Agreements are generally limited to serious crime, a category that typically includes offenses such as terrorism, violent crime, sexual exploitation of children and significant cybercrime. Lesser offenses are not the primary focus of these streamlined cross‑border mechanisms.

References

  1. CLOUD Act Resources — U.S. Department of Justice, Criminal Division. 2024-06-10. https://www.justice.gov/criminal/cloud-act-resources
  2. The Purpose and Impact of the CLOUD Act – FAQs — U.S. Department of Justice. 2019-03-15. https://www.justice.gov/criminal/media/999616/dl
  3. Clarifying Lawful Overseas Use of Data (CLOUD) Act — Amazon Web Services. 2025-06-30. https://aws.amazon.com/compliance/cloud-act/
  4. Frequently Asked Questions about the U.S. CLOUD Act — Cross-Border Data Forum. 2020-11-05. https://www.crossborderdataforum.org/cloudactfaqs/
  5. The Clarifying Lawful Overseas Use of Data (CLOUD) Act — BSA | The Software Alliance. 2025-08-19. https://www.bsa.org/files/policy-filings/08192025bsacloudact.pdf
  6. First Insights Into the U.S.-U.K. CLOUD Act Agreement — Lawfare. 2023-04-13. https://www.lawfaremedia.org/article/first-insights-into-the-u.s.-u.k.-cloud-act-agreement
Sneha Tete
Sneha TeteBeauty & Lifestyle Writer
Sneha is a relationships and lifestyle writer with a strong foundation in applied linguistics and certified training in relationship coaching. She brings over five years of writing experience to waytolegal,  crafting thoughtful, research-driven content that empowers readers to build healthier relationships, boost emotional well-being, and embrace holistic living.

Read full bio of Sneha Tete