
May 12, 2025 · Ines Guillen
Cloud Act – European Sovereignty
The combination of the U.S. Cloud Act (2018) and the amended Section 702 of FISA has created a high-risk scenario for the data privacy of European companies that use cloud or SaaS services from U.S. providers. These laws grant U.S. authorities extraterritorial powers to access information stored outside U.S. borders, including on European servers.
Risks of U.S. laws for European data
1. Extraterritorial access without judicial authorization
The Cloud Act allows U.S. authorities to demand data stored in any country if it is managed by companies under U.S. jurisdiction, even without notifying local governments. Section 702 of FISA, the legal basis for the PRISM program, authorizes mass surveillance of non-U.S. citizens. In 2024, its renewal extended these powers through 2026, allowing companies such as Microsoft and Google to share data on Europeans without a court order.
2. Legal conflict with the GDPR
European companies that use U.S. services face a dilemma: comply with data requests under the Cloud Act (in violation of the GDPR) or reject them (risking penalties in the U.S.). The GDPR requires that international data transfers ensure a level of protection equivalent to that in Europe, something the Cloud Act undermines by allowing indiscriminate access.
3. Risk of industrial and economic espionage
Data stored on U.S. platforms may be used in the context of trade competition. The Cloud Act could be used to investigate European companies’ business dealings with sanctioned countries.
Advantages of European SaaS solutions such as MyMediaConnect
Platforms developed and hosted in the EU provide a security framework tailored to European regulations. MyMediaConnect is hosted in the EU using infrastructure in certified European data centers (OVH), with redundant hosting locations in Germany and Finland. It offers granular access control by department with simultaneous approval workflows and a comprehensive audit trail detailing who modified or approved what.
Breach case studies
In 2023, a European subsidiary of a U.S. logistics company was ordered under the Cloud Act to hand over customer data stored in Frankfurt. By complying, it violated the GDPR and faced a fine of 2% of its annual turnover.
Choosing European SaaS solutions is not just a technical issue, but also a strategic one. In a context where 78% of EU companies reported attempts by third countries to access their data in 2024, digital sovereignty has become a critical pillar of business competitiveness.