Your client deliverables on American servers: the risk consulting firms underestimate

Growth strategies, acquisition analyses, restructuring plans: a consulting firm's deliverables are among the most sensitive data that exists. Most are stored on Drive or SharePoint, subject to the American Cloud Act.

Key takeaways

  • Consulting firms produce some of the most sensitive data in existence: confidential strategies, acquisition analyses, restructuring plans for major companies
  • Most of this data is stored on Google Drive, SharePoint, or Dropbox: American platforms subject to the Cloud Act. The US government can access it without going through French courts, and without notifying the firm or its client
  • An NDA does not protect against a US legal request. The firm may be held liable if a confidential deliverable is compromised via cloud infrastructure

Some of the most sensitive data in existence

A strategy consulting firm advises its clients on their most important decisions. Ongoing acquisitions. Restructuring projects. Competitive repositioning. Non-public financial analyses.

These documents are priceless. For the companies that commissioned them, their disclosure could compromise an acquisition negotiation, alert competitors, destabilise teams, or move markets.

And yet, in the vast majority of firms, these documents are stored on Google Drive, SharePoint, or Dropbox. Convenient platforms that the teams know well.

Except that these platforms are operated by American companies. And American companies are subject to the Cloud Act.

The Cloud Act: what it actually says

The Cloud Act (Clarifying Lawful Overseas Use of Data Act) is an American law passed in 2018. It authorises the US government to request that any American technology company provide the data it hosts, including data stored on servers outside the United States.

In practice: Google can be compelled to hand over your Drive data to a US government agency. Without going through French courts. Without requiring a mutual legal assistance treaty. And without necessarily being required to inform the users concerned.

We cover this mechanism in depth in a dedicated article. What matters here: the Cloud Act does not only concern consumer personal data. It applies to corporate data, professional data, and consulting deliverables.

Your NDA does not protect against this

The typical reaction to this point: “We have confidentiality agreements with our clients. We are covered.”

No. An NDA is a contract between two private parties. It does not override a legal request from a sovereign government. If US authorities request access to your files from Google, Google has no choice. Your NDA changes nothing about the legal equation.

This is not theoretical. Cases of industrial espionage involving data hosted on American cloud platforms have already been documented. The current geopolitical context makes the question even less abstract.

The question is not “Will this happen to us?” The question is: “Are we in a situation where it could happen, and have we taken steps to prevent it?”

What your clients probably do not know

Most clients who entrust their most sensitive documents to a consulting firm do not know where those documents are stored. They trust the firm to manage this appropriately.

Some, particularly large listed companies, companies in regulated sectors, or those that have already dealt with data sovereignty questions, are beginning to ask precise questions: “Where are our deliverables stored?” “Who can access them?” “Is your infrastructure subject to the Cloud Act?”

A firm using Google Drive cannot answer these questions favourably. A firm that hosts its data in France, on infrastructure not subject to the Cloud Act, can.

As sensitivity to these issues grows, the question of French hosting becomes a differentiating argument for firms that have anticipated it, and a reputational risk for those that have not.

What this means for a firm

Moving to sovereign infrastructure does not mean completely reorganising working methods. Solutions exist that allow consultants to continue working as they are used to while ensuring that data stays in France.

At Archesia, data is hosted in France, on infrastructure not subject to the Cloud Act. You can connect your existing Google Drive to keep your working habits while centralising the most sensitive deliverables in a sovereign environment. For firms whose clients have stronger requirements, a deployment directly on your own servers is also possible: zero data in the cloud, total control.


Client data confidentiality is not just a contractual formality. It is a concrete responsibility, whose legal and reputational implications are underestimated by most firms. The page dedicated to consulting firms details how Archesia addresses these requirements. And if you want to discuss directly, we are here.


Frequently asked questions

Does the Cloud Act apply even if data is stored on servers in Europe?

Yes. That is precisely the central point of the Cloud Act. It applies to any American company, regardless of where data is physically stored. Google, Microsoft, and Dropbox are American companies: their European servers are subject to the Cloud Act in the same way as their US servers.

Is SharePoint also affected?

Yes. Microsoft is an American company subject to the Cloud Act. SharePoint Online, OneDrive, and Teams host their data on Microsoft infrastructure, regardless of the configured region. The data remains accessible to US authorities upon legal request.

What is the difference between GDPR and the Cloud Act?

The GDPR governs the protection of personal data within the European Union. The Cloud Act is an American law that gives US authorities a right of access to data hosted by American companies. These two frameworks apply simultaneously and can come into tension: the GDPR does not provide immunity against the Cloud Act.

How do we explain this risk to our clients?

The clearest framing: "Our deliverables are currently hosted on American platforms subject to the Cloud Act. This means the US government can request access to this data without going through French courts. We have decided to migrate to infrastructure hosted in France to eliminate this risk." Few clients, once informed, find this approach excessive.

Can Archesia connect to our existing Drive while hosting data in France?

Yes. Archesia can index your existing Google Drive while storing the processed data and deliverables produced in Archesia on servers hosted in France. You can also choose to progressively centralise your most sensitive documents in Archesia, keeping Drive for less critical documents.
