The story starts with a drug trafficking investigation. In 2013, US prosecutors served Microsoft a warrant under the Stored Communications Act for a suspect's Outlook.com emails. Microsoft handed over the account metadata it held in the US — but the message contents lived in a datacenter in Dublin, and Microsoft refused to fetch them, arguing a US warrant doesn't reach across the Atlantic. The dispute, Microsoft Corp. v. United States, climbed all the way to the Supreme Court. The justices heard argument in early 2018 and never ruled, because Congress mooted the case mid-litigation: tucked into the 2,232-page omnibus spending bill signed that March was the Clarifying Lawful Overseas Use of Data Act.
What the CLOUD Act Actually Says
The act has two halves, and both matter.
Half one: US process follows the provider, not the server. The act amended the Stored Communications Act to state explicitly that a provider subject to US jurisdiction must produce data in its "possession, custody, or control" regardless of where the data is physically stored. The Dublin datacenter defense was erased. If a company is American — or merely has enough US presence to be served — a US warrant reaches every byte that company can technically retrieve, on any continent.
Half two: a bypass around the treaty system. Before 2018, a foreign government wanting data from a US provider went through Mutual Legal Assistance Treaties — a diplomatic process routinely taking many months, with US judicial review of each request. The CLOUD Act created "executive agreements": qualifying foreign governments can be certified to demand data directly from US providers for their own investigations, skipping the MLAT queue and its case-by-case US review. The US–UK agreement entered into force in October 2022; an agreement with Australia followed, and negotiations with the EU and Canada have been underway for years.
Jurisdiction attaches to the company, not the datacenter. If the provider can reach your data, every government with legal leverage over that provider can reach it too — through the provider.
What This Does to "Swiss Hosting" Claims
Walk through the cases, because the marketing rarely does:
- US company, EU servers: fully reachable by US process. Server location is irrelevant — this is the exact scenario the act was written for. AWS Frankfurt, Azure Zurich, and Google Cloud Belgium regions do not change who Amazon, Microsoft, and Google answer to.
- EU company on US-owned cloud: the cloud provider is the one with "possession, custody, or control" of the underlying storage. A European SaaS startup running on a US hyperscaler has a US-reachable layer beneath it, whatever its own incorporation papers say.
- Genuinely foreign company, no US presence: US process can't compel it directly — but if its government signs a CLOUD Act executive agreement, data can flow anyway; and a company with no US offices, US customers, or US bank accounts is rarer than privacy marketing implies.
None of this means jurisdiction is meaningless. Swiss or German incorporation does affect which government's orders arrive first, what local law requires the provider to log, and what it can challenge — the 2021 ProtonMail IP-logging case is the canonical example of local law cutting both ways. But jurisdiction is a question of which legal process applies, not whether legal process applies. Anyone selling geography as immunity is selling something that hasn't existed since 2018.
The Criticisms Are Substantive
The CLOUD Act's defenders make a fair point: cross-border data requests were genuinely broken, with serious crimes stalled behind year-long MLAT backlogs. The criticisms are about what got traded away:
- Executive agreements remove the judge. Under MLAT, a foreign request for data on a US server got individualized US judicial review. Under an executive agreement, the foreign government's own process suffices — the US reviews the country once at certification, not each demand.
- The targets can't object in any practical forum. A user whose data is produced under a foreign demand to a US provider typically never learns it happened, and the act's comity mechanism — letting providers challenge orders that conflict with foreign law — is narrow, provider-initiated, and rarely used.
- It collides with the GDPR. Article 48 of the GDPR says foreign court orders aren't valid transfer grounds without a treaty — placing US providers between two legal systems that each claim to win. That unresolved tension is a recurring theme in our piece on GDPR's practical limits.
The deep issue isn't the CLOUD Act's drafting. It's that any data a provider can produce is data that some combination of governments will eventually have a lawful path to. Legislation only decides how many signatures the path requires.
The Architecture That Survives the Subpoena
Follow the logic to its end and you arrive at the only durable answer: make "possession, custody, or control" mean ciphertext. The CLOUD Act compels providers to hand over what they hold. It does not — cannot — compel mathematics. A provider that holds only end-to-end encrypted data, with keys derived and held on user devices, complies fully with a lawful order by producing exactly what it has: encrypted blobs, plus whatever metadata its design makes it retain.
That last clause is the honest caveat. Encryption protects content; it does not by itself protect metadata — account identifiers, timestamps, who-talked-to-whom. A zero-access provider can still be ordered to produce those, and as the Salt Typhoon breach showed, metadata at scale is its own surveillance product. Evaluating a service means asking both questions: what's encrypted, and what's retained.
This is the standard we think any private communications service should be judged by — Haven included. We built Haven so that message and email content is encrypted with keys derived on your device from a passphrase we never see; a compelled disclosure from our infrastructure yields ciphertext. We're a small operator and you shouldn't take that on faith — the same scrutiny applies to us as to anyone: read the threat model, check what's client-side, ask what the operator could produce under order. Services like Proton, Tutanota, and Signal publish transparency reports showing exactly this dynamic — orders arrive, ciphertext goes out. That's the system working.
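The split between what a provider stores and what only the device knows, as an added example (not Haven's code and not taken from the original article). It assumes scrypt for the passphrase-derived key and AES-256-GCM for the content; the function names, field names and sample message are hypothetical.

```javascript
// Added example, not Haven's code. Assumptions: scrypt KDF, AES-256-GCM,
// hypothetical field names, constructed sample message.
const crypto = require('node:crypto');
const KDF = { N: 2 ** 14, r: 8, p: 1 }; // assumed cost parameters

// Device side: derive the key from the passphrase; neither leaves the device.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, KDF);
}

// Device side: returns the record that is uploaded to the provider.
function clientEncrypt(passphrase, plaintext, meta) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  // Metadata is authenticated as AAD but stays readable: the provider routes on it.
  cipher.setAAD(Buffer.from(JSON.stringify(meta)));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { meta, salt: b64(salt), nonce: b64(nonce), tag: b64(cipher.getAuthTag()), body: b64(body) };
}

// Device side: throws if the passphrase is wrong or the record was altered.
function clientDecrypt(passphrase, rec) {
  const raw = (s) => Buffer.from(s, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, raw(rec.salt)), raw(rec.nonce));
  d.setAAD(Buffer.from(JSON.stringify(rec.meta)));
  d.setAuthTag(raw(rec.tag));
  return Buffer.concat([d.update(raw(rec.body)), d.final()]).toString('utf8');
}

// Provider side: a lawful order yields the stored records for the account, nothing more.
function compelledDisclosure(store, account) {
  return store.filter((rec) => rec.meta.account === account);
}

// Constructed sample: one message stored, then produced under an order.
const sample = clientEncrypt('correct horse battery staple', 'meet at the usual place',
  { account: 'alice@example.org', to: 'bob@example.org', ts: '2024-01-01T09:00:00Z' });
console.log(JSON.stringify(compelledDisclosure([sample], 'alice@example.org'), null, 2));
```

The printed disclosure contains the sender, recipient and timestamp in the clear next to an opaque body, which is the content-versus-metadata split described above.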
Server location is a detail. Key location is the decision.