U.S. CLOUD Act and Why Corporate Structure Matters for Data Sovereignty
Posted on 22 January 2026
European companies are increasingly seeking European data sovereignty. As part of this discussion, one of the main concerns is the Lawful Overseas Use of Data (CLOUD) Act, which obliges U.S. cloud providers to disclose any data pertaining to a customer within such provider’s possession, custody, or control, regardless of whether the data is located within or outside of the United States.
A common question arising from this provision is whether a European cloud provider with a U.S. subsidiary could be mandated to disclose data stored in Europe to U.S. authorities.
The CLOUD Act establishes two distinct and cumulative requirements that must be met for a company to be subject to an information disclosure order:
While the CLOUD Act has an extraterritorial effect, its jurisdictional scope does not automatically extend to all non-U.S. companies. The key requirement is the level of control that the U.S.-based company exercises over the foreign entity.
In the scenario of a European provider with a U.S. subsidiary, the requirement of control over data is the key factor. The subsidiary, while subject to U.S. law, can only be compelled to disclose data that is within its control. Control can be either technical or organizational.
In a relationship between a subsidiary and a parent company, it is clear that the parent company has control over its subsidiary based on ownership and the right to appoint directors of the subsidiary. The subsidiary, on the other hand, cannot exercise control over the parent company based on ownership. The only way a subsidiary could have this kind of control is through the parent company’s bylaws or contractual arrangements. In the absence of such arrangements, the U.S. subsidiary has no control over the data stored by its parent company outside the U.S., and thus cannot be compelled to disclose it under the CLOUD Act.
Therefore, the mere fact that a European cloud provider has a subsidiary in the U.S. does not, by itself, compromise the principle of European data sovereignty. Determining whether a U.S. subsidiary poses a risk to data sovereignty requires a careful, case-specific analysis of the situation.
UpCloud’s corporate structure is designed to enforce the legal and technical separation between the European parent company and its foreign subsidiaries, thereby safeguarding European data from unlawful third-country governmental access.
UpCloud can therefore reject any information request received from foreign governmental authorities and will always direct the requester to contact the relevant Finnish authorities for mutual legal assistance, to validate the request in accordance with Finnish law.
Further details regarding jurisdiction and our measures to prevent international governmental access can be found here.