What is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into US law on March 23, 2018. It requires US technology companies to provide data stored on their servers when requested by US law enforcement — regardless of where in the world that data is physically stored.
This means: if you use a service operated by a US company (or a subsidiary of a US company), the US government can potentially access your data, even if it's stored on a server in Frankfurt, Amsterdam, or Dublin.
Why this matters for EU businesses
If you're an EU business collecting personal data from EU citizens, you have a legal obligation under GDPR to protect that data from unauthorized access by foreign governments.
The conflict is direct:
- GDPR says: don't transfer personal data outside the EU without adequate safeguards
- CLOUD Act says: US companies must hand over data regardless of where it's stored
When you use a US-based SaaS tool, you're placing your data in the middle of this legal conflict.
Which tools are affected?
Any tool operated by a US-incorporated company, including:
- Cloud infrastructure: AWS, Google Cloud, Microsoft Azure
- Form builders: Typeform (uses AWS), Google Forms, JotForm
- Analytics: Google Analytics, Mixpanel, Amplitude
- Email: Mailchimp, SendGrid, HubSpot
- CRM: Salesforce, HubSpot CRM
- File storage: Google Drive, Dropbox, OneDrive
- Communication: Slack, Zoom, Microsoft Teams
Even if these tools offer "EU regions" or "EU data centers," the parent company remains subject to US law.
What EU courts have said
The landmark Schrems II ruling (Court of Justice of the EU, July 2020) invalidated the EU-US Privacy Shield and established that:
- EU data protection standards must be maintained regardless of where data is transferred
- US surveillance laws (including the CLOUD Act) are incompatible with EU data protection rights
- Companies cannot rely solely on Standard Contractual Clauses if the destination country's laws undermine the protections
Since Schrems II, multiple EU DPAs have ruled that using US-based services for personal data processing is illegal without adequate supplementary measures — measures that, in practice, are nearly impossible to implement for cloud-hosted SaaS tools.
What can EU businesses do?
Option 1: Use EU-based alternatives
The most straightforward solution. Replace US tools with EU-incorporated alternatives that store and process data exclusively in the EU.
Option 2: Implement supplementary measures
If you must use a US tool, GDPR requires "supplementary measures" such as:
- End-to-end encryption where the US provider never has access to the keys
- Pseudonymization that prevents the US provider from identifying data subjects
In practice, this is difficult for most SaaS tools because they need to process the data to function.
Option 3: Obtain explicit consent
You can ask data subjects to consent to the transfer. But this consent must be:
- Specific and informed (explain the CLOUD Act risk)
- Not a condition of service
- Revocable at any time
This is impractical for most business use cases.
The pragmatic approach for forms
For form data specifically — where you're collecting names, emails, phone numbers, health information, or financial details — the simplest solution is to use a form builder that keeps your data entirely within EU jurisdiction.
FormGuard processes and stores all form data exclusively on EU infrastructure hosted by an EU company. No data is transmitted to any US-based service. This eliminates the CLOUD Act conflict entirely.