In short
- The Cloud Act is a US law from 2018 that authorises American authorities to access data held by any US company, regardless of the country where the data is stored
- Google, Dropbox, and Microsoft are US companies: the Cloud Act applies to their services, even if their servers are located in Europe
- The solution: entrust your data to a French company, not an American one. It does not matter whether Google's servers are in Ireland or Paris: Google operates them, so the Cloud Act applies. With a French hosting provider, you step outside that jurisdiction
What is the Cloud Act?
The Cloud Act (Clarifying Lawful Overseas Use of Data Act) is a US federal law enacted on 23 March 2018. It rests on a single principle: American authorities can compel any company subject to US jurisdiction to hand over data, regardless of the country where that data is physically stored.
Before the Cloud Act, there was a legal grey area. If Microsoft hosted data in Ireland, the US government had to go through international agreements to access it. The process was slow and uncertain. Microsoft had even won a court case on this point in 2016.
The Cloud Act settled the matter in the US government’s favour. From that point on, the physical location of servers became irrelevant. What matters is the nationality of the company operating the service.
Google is American. Microsoft is American. Amazon is American. Dropbox is American. It makes no difference whether their servers are in Dublin, Amsterdam, or Frankfurt.
Who is affected in practice?
The question comes up often: “My company is small: does this really apply to me?” The answer is yes. The Cloud Act makes no distinction based on size. It applies to the service provider, not to the customer.
Here are the most common situations:
You use Google Drive or Google Workspace
Your documents, emails, and shared files are stored by Google. Google is subject to the Cloud Act. So is your data.
You use Microsoft 365, SharePoint, or OneDrive
The same logic applies. Microsoft is a US company. Even if your tenant is configured for the “Europe” region, the Cloud Act applies.
You use Dropbox
Dropbox is headquartered in San Francisco. All your files fall within the scope of the Cloud Act.
You use a US SaaS tool for your documents
Notion, Slack, Box, Airtable: as soon as the publisher is a US company, the Cloud Act may apply.
This does not mean that the US government is continuously reading your files. It means it can request them, that it will in all likelihood receive a response, and that you will not necessarily be informed.
What does it change for your business?
Three points deserve to be clearly understood.
No mandatory notification
When US authorities issue a request under the Cloud Act, the American company may be bound to secrecy. It has no obligation to notify you. Your documents may be handed over without your knowledge.
No direct recourse
You are not a party to the procedure. The request is made to Google, Microsoft, or Dropbox. Not to you. You have no say in the matter. You cannot challenge the request before a US court, because you will in all likelihood never know it was made.
The scope extends beyond criminal investigations
The Cloud Act is not used solely for criminal investigations. It can be invoked in the context of economic intelligence gathering. For a company holding strategic information, tender responses, R&D data, or commercial negotiations, this is not a trivial matter.
In practical terms: if you are an SME storing your contracts, commercial proposals, and customer data in Google Drive, there is a legal framework that allows a foreign government to access those documents without your consent and without notifying you.
This is not a theoretical risk. It is an operational legal mechanism.
What can you do?
The good news is that alternatives exist. The French and European ecosystem has progressed considerably in recent years.
Choose French hosting
French hosting providers offer hosting in France, operated by companies not subject to the Cloud Act. Your data remains under French and European jurisdiction.
Choose a European AI model
If you use a tool that analyses your documents, check which AI model is being used and where it runs. Sending your files to a model hosted in the United States is equivalent to storing them on an American server. ChatGPT (OpenAI) is a US company: the Cloud Act applies to it. Mistral, a French company, offers high-performing models that run on European infrastructure.
Simply choose
Total sovereignty is not necessary for everyone. Some companies handle highly sensitive data (regulated professions, defence, healthcare). Others have more standard requirements. What matters is that you, not your default service provider, decide on the level of protection.
That is the approach we have taken at Archesia. We offer three hosting modes, depending on the sensitivity of your data:
- Shared cloud hosted in France: for SMEs and agencies that want to move away from US tools without infrastructure constraints. Your data is partitioned and never leaves France.
- Isolated cloud: for businesses handling confidential data (customer data, strategic information, tender responses). Your own dedicated infrastructure, always in France, with no resource sharing with other customers.
- On-premises deployment: for regulated professions and organisations that require total control over their data. Everything stays on your own infrastructure, with no external dependencies.
In all cases, you choose the level of protection. Not your default service provider.
For further reading on hosting and GDPR, we have written a detailed guide on what GDPR actually requires.
Frequently asked questions
Does the Cloud Act apply even if my data is hosted in Europe?
Yes. The Cloud Act does not depend on the location of the servers. It depends on the nationality of the company operating the service. If your provider is American (Google, Microsoft, Dropbox, Amazon), the Cloud Act applies, even if the servers are in Paris or Amsterdam.
Is the Cloud Act used in practice?
Yes. Google's and Microsoft's transparency reports show tens of thousands of access requests per year from US authorities. The Cloud Act simplified and accelerated this process for data stored outside the United States.
Does GDPR not protect me from the Cloud Act?
GDPR places obligations on your company as data controller. But it cannot prevent a US company from complying with a US law. When GDPR and the Cloud Act conflict, the American company is caught in the middle. In practice, it complies with the law of its home country.
What are the practical alternatives to Google Drive or SharePoint?
Archesia is a French document management system with semantic search and sourced summaries, hosted in France and not subject to the Cloud Act. Your documents remain under French jurisdiction, the AI model is European, and you choose the level of protection according to your needs.
Do I need to migrate all my documents immediately?
Not necessarily. The pragmatic approach is to identify your most sensitive documents (contracts, customer data, strategic information) and place them under sovereign hosting as a priority. Some tools, such as Archesia, connect to Google Drive to work with your existing files without a disruptive migration.