What is US CLOUD Act and FISA 702? Why European Businesses Should Care

Understanding how US surveillance laws like the CLOUD Act and FISA 702 create compliance risks for European businesses using American software.


If you're running a European business, you've probably heard warnings about using US-based software. Maybe you've seen terms like "CLOUD Act" or "FISA 702" thrown around in privacy discussions. But what do these laws actually do, and why should you care?

The short answer: these US surveillance laws give American intelligence agencies broad access to data held by US companies—even when that data belongs to European citizens and is stored on European servers.

This creates a fundamental conflict with European privacy rights. Your customers' data might be technically "GDPR compliant" on paper, but legally accessible to US authorities without meaningful oversight or your knowledge.

If you're using US-based tools for email, accounting, customer management, or cloud storage, you need to understand these laws and what they mean for your business.

The CLOUD Act: Where Your Data Really Lives

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into US law on March 23, 2018, as part of a broader spending bill. Despite its bureaucratic name, its implications are straightforward and far-reaching.

The CLOUD Act gives US law enforcement and intelligence agencies the power to compel US-based technology companies to hand over data stored anywhere in the world. It doesn't matter if your customer data sits on a server in Frankfurt, Dublin, or Stockholm. If the company holding that data is American, US authorities can demand access to it.

How It Actually Works

Under the CLOUD Act, US agencies can issue a warrant, subpoena, or court order requiring a US company to produce:

  • Emails and communications content
  • Customer records and personal information
  • Business documents and financial data
  • Metadata about communications and activities

The company receiving this order must comply, even if:

  • The data belongs to non-US citizens
  • The data is physically stored outside the US
  • Producing the data violates the laws of the country where it's stored

There's no requirement to notify the data subject (your customer). There's no requirement to notify you (the business owner). In many cases, there's a gag order preventing anyone from discussing the data access.

The European Data Dilemma

This creates an impossible situation for US companies operating in Europe. If they comply with a CLOUD Act order and hand over European customer data, they violate GDPR. If they refuse to comply with the CLOUD Act, they break US law and face criminal penalties.

The Data Processing Agreements and Standard Contractual Clauses that your US software vendors make you sign? They can't override national law. When push comes to shove, that US company will choose to comply with US law—and your DPA becomes worthless.

FISA 702: Mass Surveillance by Another Name

Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) is even broader than the CLOUD Act. While the CLOUD Act requires targeted orders for specific data, FISA 702 enables mass surveillance programs.

What FISA 702 Authorizes

FISA 702 allows US intelligence agencies (primarily the NSA and CIA) to collect communications of non-US persons located outside the United States without individual warrants. This includes:

  • Internet communications (emails, messages, video calls)
  • Cloud storage content
  • Social media activity
  • Business communications

The stated purpose is foreign intelligence gathering and counterterrorism. But there are minimal restrictions on what constitutes a "valid intelligence target," and the surveillance is conducted at massive scale.

PRISM and Upstream Collection

You might remember Edward Snowden's 2013 revelations about NSA surveillance programs. Those programs operate under FISA 702 authority.

PRISM compels major US tech companies (Google, Microsoft, Apple, Facebook, etc.) to provide direct access to user data on their servers. The companies don't get to review each request; they provide systematic access.

Upstream Collection involves the NSA tapping into internet backbone infrastructure to collect communications in transit. If your data passes through US-controlled internet infrastructure (which is common given the US's central role in global internet architecture), it can be captured.

The "Incidental Collection" Problem

Here's where it gets particularly troublesome for European businesses: FISA 702 nominally targets foreign nationals, but when you communicate with US persons, your data gets "incidentally collected" too.

Send an email to a US partner? Potentially captured. Use a collaboration tool with US colleagues? Potentially monitored. Store data with a US cloud provider serving US customers? Your data sits in the same infrastructure being systematically surveilled.

There's no meaningful oversight of this incidental collection, and no notification to those affected.

Why This Matters for Your European Business

You might think, "I'm running a small business in Europe—surely US intelligence agencies don't care about my invoice data." And you're probably right. But that's not the point.

The GDPR requires that any transfer of personal data to third countries (including the US) only happens with "adequate safeguards." The European Court of Justice has repeatedly ruled that US surveillance laws make these adequate safeguards impossible.

If you're using US software and handling European customer data, you are technically in violation of GDPR—regardless of what compliance paperwork your vendor provides. Data protection authorities have been slow to enforce this, but that's changing.

Customer Trust and Competitive Disadvantage

European customers are increasingly aware of these issues. Data sovereignty is becoming a purchasing decision factor, especially for:

  • Healthcare organizations handling medical records
  • Legal firms managing client confidential information
  • Financial services with sensitive customer data
  • Government contractors subject to public procurement rules

If your competitor uses European infrastructure and you don't, they have a trust advantage. They can truthfully say their system keeps data within European legal jurisdiction.

Business Intelligence Risks

The CLOUD Act isn't just for terrorism investigations. It explicitly covers "serious crime," which US law defines broadly. Economic espionage, trade secret theft, and even routine law enforcement investigations can trigger CLOUD Act orders.

Your proprietary business data, customer lists, pricing strategies, and competitive intelligence could theoretically be accessed by US authorities and potentially shared with US companies under various legal frameworks.

Is this likely? Probably not. Is it possible? Yes. Is it a risk that using European alternatives eliminates entirely? Absolutely.

What Changed with the EU-US Data Privacy Framework?

In July 2023, the European Commission approved the EU-US Data Privacy Framework as an "adequacy decision," supposedly solving these problems. Under this framework, US companies can self-certify compliance with enhanced privacy protections.

Why Privacy Experts Remain Skeptical

The fundamental problem remains unchanged: FISA 702 and the CLOUD Act are still active US law. The Data Privacy Framework adds some procedural safeguards:

  • A new Data Protection Review Court for non-US persons to challenge surveillance
  • Binding commitments from US intelligence agencies to limit data collection
  • Enhanced transparency requirements

But privacy advocates point out that:

  • The surveillance authorities themselves remain intact
  • The safeguards rely on internal US policy that can change
  • There's no way for you to know if your data was accessed
  • The new review mechanisms have limited practical accessibility

The organization NOYB (None of Your Business), founded by privacy activist Max Schrems, has indicated it plans to challenge this new framework. While an initial challenge by a French parliamentarian was dismissed by the EU General Court in September 2025, many legal experts still expect further "Schrems III" legal actions that could invalidate this agreement just like the previous two attempts (Safe Harbor in 2015 and Privacy Shield in 2020).

How to Reduce Your Risk

You can't control international law, but you can control your software choices. Here's a practical risk-reduction strategy.

Audit Your Current Stack

List every tool that touches customer data:

  • Email and communications platforms
  • Customer relationship management systems
  • Invoicing and accounting software
  • Cloud storage and file sharing
  • Website hosting and analytics
  • Marketing automation tools

For each one, identify:

  • Where is the company headquartered?
  • Where is data actually stored?
  • What jurisdiction governs the data processing?

Prioritize European Alternatives

The only way to completely eliminate CLOUD Act and FISA 702 risk is to use software from companies not subject to US jurisdiction. This typically means:

  • Companies headquartered in the EU or Switzerland
  • Data storage exclusively in European data centers
  • Contracts governed by European law

EuroToolKit's directory helps you find these alternatives across every business function. The European tech ecosystem has matured significantly—you're not sacrificing quality for compliance anymore.

Apply the "Data Sensitivity" Filter

Not all data carries equal risk. Apply common sense:

  • High sensitivity: Financial records, health data, legal communications → Prioritize European tools strictly
  • Medium sensitivity: Customer contact information, business communications → Strong preference for European, but assess based on specific needs
  • Low sensitivity: Public marketing content, non-personal analytics → Less critical, but still worth considering European options

Document Your Decisions

GDPR requires you to demonstrate compliance efforts. Document:

  • Your risk assessment for each tool
  • Why you chose specific vendors
  • What safeguards you implemented
  • How you'll respond if the legal landscape changes

This documentation protects you if regulators come asking questions. It shows you took data protection seriously and made informed decisions.

The Bigger Picture: Data Sovereignty

The CLOUD Act and FISA 702 debate is really about a larger question: who controls data, and what rights do individuals have over information about them?

The US approach treats data primarily as a commercial asset and national security tool. The European approach treats personal data as an extension of individual human dignity and autonomy.

These philosophies are fundamentally incompatible. Hoping for a legal framework that bridges them is wishful thinking. The last three attempts all failed in European courts.

As a European business owner, you get to choose which system you want to operate under. Using European software means committing to the European model—and increasingly, that's becoming both the legally safer and commercially smarter choice.

Taking Action

You don't need to rip out your entire tech stack tomorrow. But you should start planning:

  1. Identify your highest-risk tools (those handling the most sensitive customer data)
  2. Research European alternatives using resources like EuroToolKit
  3. Budget for migration as contracts come up for renewal
  4. Build data sovereignty into your procurement policy for future tool purchases

The European regulatory environment will only get stricter. Privacy-conscious customers will increasingly demand it. Getting ahead of this shift now gives you a competitive advantage later.


Want to explore compliant software alternatives for your European business? Browse our directory of European tools that keep your data under European jurisdiction.
