Europeans, forget the US Cloud Act… worry about FISA instead (!)
As geopolitical tensions flare, many European organisations are having second thoughts about their reliance on US cloud providers. For example, on 18 March 2025, the Dutch parliament called on the Dutch government to reduce its reliance on US cloud services. One major concern is the US government’s ability to demand access to European customer data stored in the cloud. However, when assessing the risk of US government access, we need to distinguish between access for law enforcement purposes and access for foreign intelligence purposes. This distinction is commonly overlooked in European debates about sovereign cloud. In this blog post, I explain why the distinction matters.
Let’s begin by looking at the relevant US powers. On the one hand, the Stored Communications Act (‘SCA’) governs law enforcement access. It grants American courts and regulators the power to issue production orders to cloud providers targeting customer data, such as through warrants and court orders. The purpose here is law enforcement, as when a prosecutor seeks evidence as part of a criminal investigation. The US CLOUD Act amends the SCA by clarifying that such orders apply to any data held by a US cloud provider, regardless of data location.
On the other hand, the Foreign Intelligence Surveillance Act (‘FISA’) governs access for intelligence purposes. Section 702 grants the National Security Agency (‘NSA’) the power to issue production orders to cloud providers targeting customer data. To do so, the NSA requests a (secret) directive from the (secretive) Foreign Intelligence Surveillance Court. The NSA can then share the data it obtains with the CIA and the FBI. The CLOUD Act does not affect FISA Section 702. Nonetheless, FISA directives also apply to data which a US cloud provider stores in Europe.
Yet Europeans often fail to distinguish between these two legal frameworks. For example, the Dutch Algemene Rekenkamer writes in its report on “Dutch central government in the cloud” that:
“Under the CLOUD Act, US investigation and security services can request data from US CSPs (such as Microsoft), including data located outside the US. The CLOUD Act therefore gives US intelligence services access to personal data in the EU that are processed by US CSPs.”
Yet the CLOUD Act relates to law enforcement access, not to access for intelligence purposes, which is governed by FISA Section 702. The report does not mention FISA powers at all. This is an unfortunate oversight in an otherwise excellent report. And it is not just an academic point about citing the right legal source. The distinction has important practical implications. It impacts both the likelihood of US government access and its potential impact on European interests.
For example, the Algemene Rekenkamer goes on to state that:
“On behalf of the Dutch National Cyber Security Centre (NCSC), a specialised international law firm studied the risk of American authorities using the CLOUD Act to access information stored in Europe (NCSC, 2022). 3 leading CSPs (Microsoft, IBM and Amazon) were asked how often US authorities had requested and received data on EU citizens. […] Amazon had never received such a request; IBM had received 1, and refused it. Microsoft had honoured 12 requests concerning users outside the United States. How many of the cases involved EU citizens, however, was not clear. The NCSC concluded from the study that the risk of the US government using the CLOUD Act to access personal data in the EU was conceivable but negligible.”
This conclusion of “negligible” risk is also supported by cloud providers’ regular transparency reports, in which providers report receiving either a very low number of US law enforcement production orders or none at all.
However, by focussing only on the CLOUD Act, the analysis overlooks the risk of US government access under FISA Section 702. US law prohibits cloud providers from publishing details of directives in their transparency reports. Providers can only publish the total number of orders they receive in bands of 1,000, as well as the number of accounts targeted. This makes it much harder to assess the frequency of such access – and therefore to assess the risk FISA directives pose to European data. In short, the risk under FISA Section 702 is not “negligible”, but uncertain. As one source I spoke to put it in a recent interview:
“Microsoft, AWS and Google, they say: ‘we don't receive a lot of requests’. The reality is we don't know, 'cause they're not allowed to tell us. You could say, well, that's just a theoretical risk, but whether it has been realized or not, we have no way of knowing.”
Further, the potential impact of law enforcement access and foreign intelligence access differs. First, law enforcement access generally features strong procedural safeguards that protect individual rights, such as the requirement to show probable cause to obtain a warrant. By contrast, the procedural constraints on intelligence agencies are typically weaker and subject to less stringent judicial oversight. Indeed, the CJEU’s concerns in Schrems I and II concerned access by intelligence agencies (including under FISA Section 702), not law enforcement powers. Broadly speaking, access for intelligence purposes therefore poses a higher risk to individual privacy and data protection interests than law enforcement access.
Moreover, such access is more worrying from a political, economic, and societal perspective too. The US government’s ability to demand access to European customer data grants it an information advantage over European governments. It can use this to influence foreign affairs in a way that undermines European strategic autonomy. Yet this risk stems from the NSA’s broad power to obtain data it considers relevant to US foreign intelligence interests, not from a US prosecutor’s ability to obtain evidence relating to a specific criminal investigation.
In short, when assessing the risk of US government access, we need to distinguish US law enforcement from US intelligence activity. That way, we can better assess both the likelihood of US government access and its potential impact on European interests. From this perspective, FISA Section 702 poses a higher risk to European cloud sovereignty than the US CLOUD Act.
If you’re interested in this topic, check out my related post covering ‘3 Myths about Sovereign Cloud’, including misunderstandings about data location.
Johan David Michels is a researcher with the Cloud Legal Project at the Centre for Commercial Law Studies, Queen Mary University of London, and a Guest Teacher at the London School of Economics. He has published articles covering cloud and IT services in leading US and European law journals and is a co-author of Cloud Computing Law (2nd edn, OUP, 2021). His research has received funding from Microsoft and Broadcom; he retains full responsibility for all views expressed here. He has written an independent expert report for Broadcom on "Sovereign Cloud for Europe" and his most recent article, entitled “Storm Clouds are Building: Surveillance, Sovereignty, and State Interests”, will be published in the Virginia Journal of Law and Technology in 2025.
This is so good to read! It is good to see we are not the only voice to express what is really in the GDPR. 🙏
Excellent clarification Dave! I hadn’t paid enough attention to it in the past while working on Sovereign Cloud at VMware. We had looked at CLOUD Act Law Enforcement Request Reports like the one below. But we couldn’t find data on FISA reporting, which probably is confidential. Similar to FISA, I know of Chinese NIL with similar character. And assume, when it comes to foreign intelligence, (almost) every state rules and executes similarly. https://www.microsoft.com/en-us/corporate-responsibility/reports/government-requests/customer-data
Viewed in a broader context, this may be seen as a thoughtful review. Nonetheless, given the track record of a regime that has appeared willing to stretch or sideline its own constitutional boundaries, some caution is warranted when evaluating the reliability of safeguards in this area…
I hadn't considered the distinction between law enforcement and foreign intelligence access. Your insights are crucial for understanding the bigger picture.
Interesting indeed!