Pain Point

CLOUD Act Data Access

The exposure created by the US Clarifying Lawful Overseas Use of Data Act (2018), which authorizes US law enforcement to compel US-headquartered cloud providers to disclose customer data **regardless of physical storage location** — combined with GDPR Article 48 (which prohibits foreign-court-compelled transfers without an MLAT).


Summary

Where it fits

This is one of the "three data gravity wells" (US/EU/China) that shape modern multi-region S3 architecture. With **China Data Localization** as the PRC-side counterpart and **Data Residency** as the architectural framing, the CLOUD Act is what makes "AWS in eu-central-1" categorically different from an "EU-headquartered provider" for some regulators and customers.

Misconceptions / Traps
  • "The bucket is in Frankfurt" does not shield the data from CLOUD Act compelled disclosure if the operating cloud provider is US-headquartered.
  • Sovereign cloud and "EU Data Boundary" offerings address the jurisdictional gap, not the technical gap. The technical access path may be identical; the legal access path is what changes.
  • The CLOUD Act has been used in practice — it is not a hypothetical risk to wave away.

Key Connections
  • scoped_to Sovereign Storage — the architectural response
  • Drives demand for Aliyun OSS / Tencent COS / Huawei OBS as in-PRC alternatives for non-US-domiciled data
  • scoped_to S3, Object Storage

Definition

What it is

The exposure created by the **Clarifying Lawful Overseas Use of Data Act (2018, US)**, which authorizes US law enforcement to compel US-headquartered cloud providers (AWS, Microsoft, Google, Cloudflare, Wasabi, Backblaze) to disclose customer data **regardless of where the data is physically stored**. Together with **GDPR's Article 48** (which prohibits transfers compelled by foreign court orders without an MLAT), this creates a structural conflict of laws for any S3 bucket holding EU, UK, or PRC-domiciled personal data on a US-headquartered provider — even when that bucket lives in an EU region.
