
The Cloud Act explained to a CFO in five minutes

by Team P3·2 May 2026·5 min read

When you explain data sovereignty to an engineer, you talk about architecture. When you explain it to a CFO, you have to talk about risk and contract. Here's the version that works in the boardroom, without a single unnecessary technical word.

01 What it is, in one sentence

The Cloud Act is a US law from 2018. It says one thing, but a heavy one: a US authority can compel a US provider to hand over its clients' data, wherever that data physically sits. Including in Europe.

It's not a hidden clause. It's federal law, written in black and white. And it applies to any company subject to US jurisdiction, regardless of where its servers are.

02 Why the contract won't save you

This is the part that makes CFOs raise an eyebrow, and it's the most important. You can have the best contract in the world, the best data processing agreement, the standard clauses approved by the European Commission. It changes nothing.

A private contract governs a relationship between two parties. It cannot override a law of the state one of the parties is subject to. When the US court order arrives, the provider chooses between obeying US or European law. It chooses the one that sends it to prison if it breaks it. And that's US law.

No signature on a contract can erase a law of the state that governs the party signing on the other side.

03 "But my data is in a datacentre in Germany"

It's objection number one, and you can see why. The big US providers have European regions, datacentres in Frankfurt, Amsterdam, Milan. They tell you "your data stays in Europe", and it's true, physically.

But the physical location of the disk doesn't matter. What matters is who controls the company that runs that disk. If it's a US company, or a European subsidiary of a US company, the Cloud Act applies. The data is in Germany, the obligation to hand it over remains.

The right question to ask a provider isn't "where is my data". It's: "Who owns the company that runs it, and which jurisdiction does it answer to?" The answer changes everything.

04 When this is a real problem

Honestly: not always. If you run a public e-commerce catalogue, the Cloud Act is a theoretical risk. It becomes concrete when the data has a value someone might want to see without asking you:

In these cases the risk isn't hypothetical. It's a structural vulnerability no firewall closes, because it isn't a technical problem. It's a jurisdiction problem.

05 The solution isn't technical, it's structural

To stay outside the Cloud Act's perimeter, the party that runs the data must not be subject to US jurisdiction. Full stop. A European company, European control, no agreement with US providers upstream of the chain.

That's why every byte of our clients' data lives in Europe, run by a European company. It's not a marketing choice. It's the only way the sentence "your data is safe from foreign subpoenas" is true and not just printed in a brochure.

In short: the Cloud Act compels US providers to hand over data wherever it is. The contract doesn't protect you. "Datacentre in Europe" isn't enough: what counts is who controls the company. If your data is sensitive, the only defence is structural, not contractual.

Team P3
Technical boutique · EU-hosted
P3 team notes on compliance and sovereignty, written by the people who apply them for European SMEs.