SecureCloud Blog

BMI report: The last wake-up call for European companies

Written by Sebastian Deck | Dec 18, 2025 4:16:12 PM


An expert report for the Federal Ministry of the Interior (BMI) states: US authorities have legal instruments to access cloud data stored in European data centers. The consequences are far-reaching.

A previously unpublished report for the Federal Ministry of the Interior (BMI), prepared by legal scholars at the University of Cologne and made public only through a Freedom of Information (IFG) request, gets to the heart of the matter, and should make every European company address the issue now at the latest. The issue affects every company that has business or legal ties of any kind with the USA, whether as a parent company, as a subsidiary or through relevant business relationships. According to the report, it is precisely these "connections" that can extend the reach of US jurisdiction along the corporate chain.

Plain text in black and white - what the report actually says

The report cites two legal bases in particular as drivers:

- Stored Communications Act (SCA), extended by the CLOUD Act

- FISA Section 702 (access options in the context of national security)

The key point is that the decisive factor is not where the data is located, but who controls it. If a US parent company exercises "ultimate control", that alone may be sufficient, even if operations and data storage are carried out by European companies or in European data centers.

And according to the expert opinion, the scope does not end with US companies. It can also include purely European companies as soon as there are "relevant business connections" to the USA.

"Theoretical mind game"? Unfortunately not!

If you want to know what such debates look like in reality, you don't have to speculate:

- Microsoft-Ireland case: United States v. Microsoft Corp. concerned the disclosure of emails stored on a server in Ireland. The dispute was ultimately "resolved" politically, because the CLOUD Act was intended to clarify precisely these access options by statute (Supreme Court, judgment/order of 17.04.2018).

- Transparency report as an indicator: Microsoft itself shows in its "Government Requests for Customer Data Report" that US authorities can also request content that is stored outside the USA (including "warrants seeking content stored outside the United States" in the first half of 2024, see Microsoft Corporate Responsibility, Report H1/2024).

- Public hearing in France: The General Counsel of Microsoft France said in a Senate hearing according to heise online of 21.07.2025 that he could not guarantee under oath that EU data would never be transferred to the US government without consent - in the case of formally correct requests, Microsoft must always deliver.

This is the point that many decision-makers underestimate: even if such access rarely happens in the end, the possibility is real, and when it does happen the request may come with confidentiality obligations, so the affected company may not even learn of it.

Are German authorities even allowed to expose themselves to this risk?

In purely legal terms, there is a clear guard rail in Europe: Art. 48 GDPR places third-country orders (from courts or authorities) under a strict reservation. They are generally a basis for data disclosure only if they rest on an international agreement, such as a mutual legal assistance treaty (GDPR, Official Journal of the EU).

At the same time, practice is more complicated as soon as a provider or parent company is actually subject to US law. A conflict of access obligations then arises that an authority cannot simply argue away; it has to manage it organizationally and contractually.

Important for the classification: in 2023, the German Data Protection Conference (DSK) stated that the mere risk of third-country access (e.g. via company-law instruction rights) does not in itself constitute an automatic "third-country transfer" pursuant to Art. 44 et seq. GDPR, but it remains a factor in the assessment of the service provider and of the protective measures (DSK resolution of 31.01.2023).

And this is precisely where it becomes critical for the public sector: where the risks are high, verifiable measures for technical and legal data sovereignty are needed, not just paper.

What does this mean for companies? A quick self-check in 60 seconds

If you answer "yes" to at least one of the following questions, you should put this topic at the top of your agenda for 2026:

  1. Is there a US parent/US subsidiary or US control rights in the group?
  2. Do you use cloud/IT service providers that are subject to US law or are centrally controlled from the US?
  3. Do you have data with IP, export, authority or KRITIS relevance in the cloud?
  4. Would access be critical because you might not even be aware of it (NDA/gag orders, see Microsoft Government Requests Report)?
  5. Do you have an exit strategy in case the legal situation or risk assessment changes?

If you can answer all of these questions spontaneously and with full conviction with "no", good news: there is no need to contact us.

Brief reality check on "US cloud, but EU data boundary"

Yes, there are lawyers who argue that certain cloud setups remain "fundamentally" GDPR-compliant, and that a clear distinction must be made between third-country transfers and the question of service-provider reliability.

However, this does not reduce the risk. It merely shifts it to the practice of controls, impact assessments and additional measures, and to the question of how resilient such "promises of sovereignty" really are when it counts.

Don't ask what you can do for SecureCloud...

If you want to avoid this risk structurally, there is hardly any way around one criterion: no corporate or control chain through which third-country law can "penetrate", plus a technical architecture that makes such access technically impossible.

SecureCloud is a German GmbH based in Germany and positions itself as a provider with infrastructure and data storage exclusively in Germany. How many of your current cloud providers can say that about themselves? And how many can prove it? We do this with documented security certificates such as our BSI C5 certificate.

For organizations that have no time for legal grey areas, this is ultimately the decisive difference: not "we store in the EU", but "we are also legally anchored in Germany, without external leverage".

Note: This article does not constitute legal advice, but rather classifies content that has been published in the trade press or on the websites of the companies mentioned. Any similarities with real countries or hyper-scalers are purely coincidental - and can in no way be intentional.