If your data sits on infrastructure operated by a US-owned company, US authorities can compel access to it. That is the Cloud Act in one sentence. Everything else in this article is detail, but it is detail that European CIOs are increasingly asked about by their boards, their DPOs and their regulators.
What the Cloud Act actually says
The Clarifying Lawful Overseas Use of Data Act, passed in 2018, allows US law enforcement to require US-based providers to disclose data regardless of where that data is stored. The key word is provider, not datacenter. If the entity operating the service is subject to US jurisdiction, the physical location of the bytes is irrelevant.
FISA Section 702 goes further for intelligence purposes: it authorises targeted collection on non-US persons located outside the United States, again through US providers, and without the individual ever being notified.
"But my data is in an EU region"
This is the most common misconception, and it matters because it shapes procurement decisions. Choosing a Frankfurt or Paris region on a US hyperscaler changes latency and may help with some residency requirements. It does not change jurisdiction. The operating entity remains compellable under US law, and the parent company cannot contractually promise otherwise, because no contract overrides a statute.
European institutions have acknowledged this tension repeatedly: the Schrems II ruling invalidated Privacy Shield precisely because US surveillance law was judged incompatible with EU fundamental rights, and the EDPB’s subsequent guidance asks data exporters to assess whether the importer’s legal regime undermines GDPR protections.
What real immunity requires
Immunity to extraterritorial US law is structural, not contractual. The test is simple: is there any US-owned entity anywhere in the chain that could be served with an order? That includes:
- The cloud provider operating the infrastructure
- The software vendor operating the control plane of your platform
- Any subprocessor with access to your data or your keys
If the answer is no at every level, the Cloud Act has nobody to compel. This is why the architecture of your data platform matters as much as the architecture of your cloud: a European cloud underneath a US-operated data platform leaves the platform layer compellable.
A practical checklist
Before your next platform decision, ask each vendor:
- Who operates the control plane, and under which jurisdiction? Not where it is hosted: who owns the operating entity.
- Who holds the encryption keys? If the vendor can decrypt, the vendor can be compelled to.
- Where does the data physically live, and can you prove it? Residency should be a queryable fact, not a slide.
- Can you exit with your data intact? Open formats on storage you own turn a legal risk into a manageable one.
How Polnor answers these questions
Polnor was built so the answers are short. The control plane runs in France under a European entity. The data plane (compute, storage, warehouses) runs entirely in your own OVHcloud or Scaleway account: your VPC, your bucket, your keys, encrypted at rest. Your tables are open Apache Iceberg, so leaving is always possible. There is no US entity in the path to compel, which means the Cloud Act question dissolves rather than being mitigated.
If that is the conversation your board keeps starting, request a demo and we will walk through your specific exposure together.