A legal opinion prepared on behalf of the Federal Ministry of the Interior concludes that US authorities can gain access to cloud data under certain legal conditions, even if it is stored in data centers within the European Union. The document was prepared by legal scholars at the University of Cologne and made publicly available as part of a request under the Freedom of Information Act. The analysis brings the question of Europe’s digital sovereignty back into focus and calls into question existing assumptions that a European storage location protects data.
The central finding of the report is that the physical location of data is not decisive for the applicability of US access rights. Rather, the decisive factor is whether the cloud provider or its parent company is subject to US jurisdiction. According to the experts’ assessment, the Stored Communications Act in conjunction with the CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act in particular give rise to far-reaching disclosure obligations vis-à-vis US authorities. These obligations may also apply if data is processed exclusively in the European Union.
The question of control over the data is particularly relevant here. The expert opinion states that US authorities can demand access to data if a US parent company exercises legal or de facto control over the cloud provider. This may also be the case if operations are carried out via European subsidiaries. It should also be noted that even purely European companies could potentially be affected if they maintain close business links to the United States and therefore fall within the scope of US law.
According to the report, technical protective measures such as encryption are not sufficient to reliably rule out a disclosure obligation. Although providers can technically restrict their own access to customer data, this does not necessarily release them from legal obligations under US procedural law. Rather, that law could require relevant data to be retained so that it can be provided in response to an official order. A deliberate exclusion of access could have legal consequences in the United States.
On the European side, the report points to existing tensions with the General Data Protection Regulation. Although European supervisory authorities can prohibit data transfers to authorities in third countries, many transatlantic data processing operations are currently based on the EU Commission’s adequacy decision as part of the EU-US Data Privacy Framework. However, the experts do not see this as a conclusive solution, but rather as a legally fragile construct that does not resolve the structural conflicts between European data protection law and US security laws.
In practical terms, assessments differ. Some legal scholars are of the opinion that the use of US cloud services is still possible in compliance with data protection law, provided that no specific or systematic legal violations are proven and companies fulfill their compliance obligations. Other experts see the abstract possibility of access as a structural risk, particularly for authorities and organizations with sensitive or security-relevant data.
Conclusion
The report for the Federal Ministry of the Interior confirms that European cloud data is not protected from access by US authorities simply because of its storage location. The decisive factor is whether the cloud provider is legally tied into US jurisdiction. This poses a permanent legal and data protection risk for companies and public bodies in the European Union when using US-based cloud infrastructures. The analysis underlines the structural conflict between European data protection law and the extraterritorial effect of US security laws and increases the political pressure to develop viable European alternatives to strengthen digital sovereignty.
| Source | Key message | Link |
|---|---|---|
| University of Cologne, legal opinion on behalf of the BMI | Legal analysis of the scope of the CLOUD Act, SCA and FISA 702 and their application to cloud data stored in the EU | https://fragdenstaat.de/dokumente/247903-gutachten-cloud-act-bmi/ |
| Tagesspiegel Background Digitalization | Report on the consequences of the expert opinion for the Federal Ministry of the Interior and the adaptation of the confidentiality rules | https://background.tagesspiegel.de/it-und-cybersicherheit/briefing/bmi-passt-wegen-cloud-gutachten-geheimschutzregeln-an |
| Süddeutsche Zeitung Dossier | Classification of the legal risks for European authorities and companies when using US cloud services | https://www.sz-dossier.de/meldungen/us-cloud-act-bmi-gutachten-bestaetigt-moeglichen-datenzugriff-36e5a4f6 |
| Rolf Koellner, specialist article | Detailed legal assessment of the Cologne Opinion and the extraterritorial effect of US cloud law | https://www.rakoellner.de/2025/12/gutachten-der-universitaet-zu-koeln-zum-us-behoerdenzugriff-auf-eu-daten/ |
| European Data Protection Board | Fundamental classification of third country access to personal data in the context of the GDPR | https://edpb.europa.eu/system/files/2022-01/edpb_recommendations_2020_01_supplementary_measures_en.pdf |

































