Cloud Act and generative AI: who really decides where your data sleeps?

You paste a confidential document into ChatGPT or Copilot. A draft contract, a margin table, a strategic memo. Tonight, that document is sitting on an American server. And the American justice system can access it, even if it's physically stored in Europe. It has a name: the Cloud Act.

I've seen executives discover this reality in the middle of negotiations. Too late to raise the issue of hosting. Data sovereignty isn't an IT department's responsibility; it's a leadership decision, just like choosing a bank or insurance company. Here's why, and more importantly, what to do.

The Cloud Act, that law that nobody reads before pasting a document into a chatbot

Woman sitting next to an AI robot

Key takeaways

  • The Cloud Act (2018) allows US authorities to demand data held by any provider subject to US law, even if stored in Europe, without notifying you. ChatGPT, Copilot, Gemini, and Claude are affected.
  • Article 48 of the GDPR in principle opposes these disclosures, but it is your company, as the data controller, that is responsible for unlawful transfers: up to €20 million or 4 % of global turnover.
  • On April 17, 2026, the European Commission awarded its sovereign cloud contract (€180 million, 6 years) to four European groups — OVHcloud, Scaleway, STACKIT in particular — based on a sovereignty reference framework (SEAL) reusable by any company.
  • Shadow AI is massive: 61% of employees use AI via personal accounts; 54% of undeclared tools have ingested sensitive data.
  • Three management decisions: classify data by sensitivity, reserve the sovereign or local network for strategic data (Mistral, SecNumCloud hosting, on-premise deployment), and keep the arbitration to the Executive Committee.

What the text says, without jargon

The Clarifying Lawful Overseas Use of Data Act was passed by the U.S. Congress on March 23, 2018. It amends the Stored Communications Act of 1986 and resolves a long-standing issue for the FBI: how to obtain data held abroad by an American company without going through the slow procedures of international mutual legal assistance.

The answer can be summed up in one sentence: US authorities can require a provider subject to US law to hand over the data it holds or controls, regardless of where that data is stored. Server in Frankfurt, data center in Paris, cloud region in "Western Europe": it doesn't matter. What counts is the legal nationality of the provider, not the geographical location of the machines.

Two key points that change everything. First, the procedure does not involve informing the company in question: you will never know that your data has been accessed. Second, the scope is broad: American companies, their subsidiaries, and potentially any foreign company with a significant commercial presence in the United States.

ChatGPT, Copilot, Gemini, Claude: same system

OpenAI, Microsoft, Google, and Anthropic are companies incorporated under US law. Their generative AI assistants—ChatGPT, Copilot, Gemini, and Claude—are therefore subject to the Cloud Act, even when they offer European hosting. An Irish data center operated by a US entity remains under the jurisdiction of the US courts. This is the very principle of extraterritoriality: the law follows the company, not the server.

Computer with the Copilot logo and Excel on it

In practical terms, every email containing your customer files, pricing information, R&D work, or employee personal data constitutes a data transfer to an entity subject to foreign law. Your data travels further than you do. And it didn't require your consent.

The GDPR designates you as the data controller. Not your supplier.

Article 48, a more theoretical than practical lock

European law has not ignored the problem. Article 48 of the GDPR stipulates that a decision by a third-country authority requiring the disclosure of personal data can only be recognized if it is based on an international agreement, typically a mutual legal assistance treaty. However, the Cloud Act is a unilateral US law, not a treaty. As early as 2019, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) concluded in their joint analysis that a request based solely on the Cloud Act does not constitute a valid basis for data transfer.

A blank sheet of paper with "GDPR" written on it.

The American supplier is thus faced with two conflicting legal orders: obey the American judge and violate the GDPR, or refuse and risk sanctions in the United States. Guess which way a company whose headquarters, management, and the bulk of its revenue are American will lean.

Schrems II, Meta: the bill has already been paid for others

This tension did not remain confined to academia. On July 16, 2020, the Schrems II ruling by the Court of Justice of the European Union invalidated the Privacy Shield, on the grounds that American surveillance programs did not guarantee protection equivalent to that provided by European law. In May 2023, the Irish data protection authority fined Meta €1.2 billion for illegal transfers of personal data to the United States. The CNIL (French Data Protection Authority) also issued formal notices to French organizations using Google Analytics for the same reasons.

A briefcase containing €500 in banknotes and handcuffs

And here's the point many executives underestimate: as the data controller, your company is responsible for the lawfulness of the transfers, not OpenAI or Microsoft. The EDPB's January 2020 recommendations require you to assess your processors' exposure to extraterritorial laws and document additional measures—including encryption with keys inaccessible to the provider. Failure to do so can result in penalties under Article 83 of the GDPR reaching €20 million or 4% of your global annual turnover. The provider collects your subscription fees; you bear the risk.

April 2026: Europe voted with its wallet

This is no longer a debate among experts. On April 17, 2026, the European Commission notified the award of its sovereign cloud framework contract—€180 million over six years, under the Cloud III initiative—to four exclusively European consortia: Post Telecom with OVHcloud and CleverCloud, the German company STACKIT, the French company Scaleway, and Proximus in partnership with S3NS, Clarence, and Mistral. AWS, Microsoft Azure, and Google Cloud, which had previously dominated institutional contracts, are not among the direct awardees.

Open wallet with €50 notes

To make its selection, Brussels created a unique tool: the Cloud Sovereignty Framework, which rates sovereignty on a SEAL scale from 0 to 4. SEAL-3, achieved by three of the four winning providers, requires that no non-European entity have veto power, a data access clause, or the technical ability to shut down the service. In other words, immunity from the Cloud Act has become a measurable and enforceable public procurement criterion. This framework is public—you are free to use it in your own tenders. France is following the same path: the "State Cloud" doctrine, revised in March 2026, mandates that sensitive government data be hosted on infrastructures certified as SecNumCloud by the French National Cybersecurity Agency (ANSSI).

When the European Commission, the ECB and some fifty agencies refuse to entrust their workloads to suppliers exposed to US law, the question deserves at least to be raised in your management committee.

Meanwhile, in your offices: Shadow AI

While Europe is organizing its digital sovereignty, what's happening in your country? According to a YouGov study for Microsoft France (January 2026, 657 managers and executives), 80% of managers use generative AI at least once a week—and 61% of employees access it via personal accounts, outside of any IT framework, with 38% using it daily. More than seven out of ten managers have received no training.

A person walking in the distance in a city

This is what's called shadow AI, and it loves your sensitive data. The Netwrix 2026 report estimates that 54% of undeclared AI tools detected in businesses had ingested sensitive data: source code, customer files, and regulated documents. Netskope measures an average of 223 monthly incidents of sensitive data being sent to generative AI tools per company. And the EQS Group's 2026 Privacy Barometer drives the point home: 80% of organizations lack a clear understanding of their AI usage, and only 32% of those undertaking AI projects have completed a Data Protection Impact Assessment (DPIA).

Do the math for your own organization. If your teams are anything like the French average, parts of your contracts, HR data, and R&D have already left for servers subject to the Cloud Act. Without a decision. Without a trace in your treatment registerWithout your DPO being informed.

Want to know what's really coming out of your company? Viqtor® experts help you map your AI usage and data transfers.

Three decisions to be made — and to be kept at the management level

Several signposted paths that become tangled

1. Sort your data by sensitivity

Not everything is created equal. A product brochure can be transmitted through any tool; your customer database, your margins, your sales pipeline, and your R&D work cannot. Establish a simple classification—three levels are sufficient: public, internal, strategic/regulated—and base it on a real data governance Who can send what, in which tool, and with what validation? Without this mapping, any AI policy remains wishful thinking.

2. For sensitive matters, demand the sovereign or the local

Credible alternatives now exist. Mistral AI, a French company, processes data on European servers, beyond the reach of the Cloud Act, with enterprise offerings that can leverage SecNumCloud-certified infrastructures—and the French Ministry of the Armed Forces entrusted it in January 2026 with the deployment of generative AI within the French armed forces. Its open-weight models can even be deployed on your own servers: the data never leaves your infrastructure. For hosting, OVHcloud, Scaleway, and Outscale offer European hosting immune to US extraterritoriality. A slightly less sophisticated sovereign AI is preferable to a cutting-edge AI that exposes your most valuable asset. For non-sensitive uses, US tools remain usable—provided it is a documented choice, governed by a subcontractor agreement compliant with Article 28.

3. Keep arbitration at the Executive Committee level

Where your data goes isn't a technical question. A CIO optimizes costs and performance; a service provider sells their catalog. Neither will be held accountable before the CNIL (French Data Protection Authority), your shareholders, or your clients in the event of a data breach or unlawful transfer. You will be. The decision to balance the power of the tools with control of the information assets falls to senior management, supported by a GDPR audit seriousness, a continuous evaluation of your subcontractors and partners and documented GDPR processes — AIPD included for risky AI uses.

The most powerful AI is worthless if it makes you lose control of what makes you valuable: your data. The real question tonight is simple: Is your most sensitive data on your own—or on someone else's?

Viqtor® helps you regain control: mapping of processing activities, evaluation of AI providers, GDPR compliance managed from a sovereign 100 % platform.

FAQ — Your questions about the GDPR audit

Yes. The Cloud Act criterion is the legal nationality of the provider, not the location of the servers. A Parisian data center operated by an American company or its subsidiary remains subject to American regulations. Only a legally European provider, without any American control, structurally escapes this extraterritoriality.

No, not in itself. But processing personal data requires a data processor agreement compliant with Article 28, a risk assessment of data transfers (post-Schrems II), additional measures if necessary, and a Data Protection Impact Assessment (DPIA) for high-risk uses. It is the unregulated use—shadow AI—that creates the infringement, not the tool itself.

Your company, as the data controller, is responsible for choosing its subcontractors and ensuring the legality of data transfers before the CNIL (French Data Protection Authority). The supplier has its own obligations, but these do not absolve you of responsibility: the penalties under Article 83 of the GDPR primarily target the party that determines the purposes and means of the processing.

An AI whose provider, hosting, and governance are governed exclusively by European law: a European company, servers located in the EU, and no non-European entity with access to the data. Mistral AI is the most successful French example of this. The next level involves deploying an open-weight model on your own infrastructure: the data then never leaves your premises.

It helps, but only under one strict condition: that the encryption keys remain inaccessible to the provider. This is the main technical measure recognized by the EDPB recommendations of January 2020. However, with generative AI, this protection breaks down: to process your prompt, the model must read your data in plain text. Encryption protects storage, not inference.

The process begins with an initial assessment: which tools are actually used, by whom, and with what data. This is followed by a classification based on sensitivity, a usage charter, the selection of validated tools (sovereign tools for sensitive data), the updating of the processing register, and a Data Protection Impact Assessment (DPIA) for high-risk cases. A GDPR audit powered by a platform like Viqtor® covers these steps without requiring months of internal resources.

en_USEN