Understanding the CLOUD Act and Its Impact on Cloud Strategy

When Microsoft and AWS both opened UK data centres, many businesses believed that if the data stays in the UK, UK law applies. It’s an understandable assumption, but it’s also wrong.

The Clarifying Lawful Overseas Use of Data Act – better known as the CLOUD Act – was signed into US law in 2018. It gives American authorities the power to compel US-headquartered technology companies to hand over data, regardless of where that data is physically stored. For any UK business running on AWS, Microsoft Azure, or Google Cloud, that has real implications irrespective of which data centre their files sit in.

What the CLOUD Act Actually Says

The CLOUD Act updated a piece of US legislation from 1986 – the Stored Communications Act – to reflect the realities of cloud computing. If a company is incorporated in the United States, US law enforcement can require it to produce data held anywhere in the world.

The original rationale was criminal investigations. US prosecutors were frustrated by the slowness of Mutual Legal Assistance Treaties (MLATs), the traditional route for accessing overseas data, which could take ten months or more to process. The CLOUD Act was designed to remove that bottleneck. In practice, a US court order issued to a US cloud provider can compel that provider to produce your business data – emails, contracts, financial records, client information – even if that data has never left a server in Manchester or Leeds.

Why Storing Data in the UK Isn’t Enough

The CLOUD Act follows the provider, not the data. If your cloud provider is a US-incorporated entity or a subsidiary of one, US law applies to the data it holds on your behalf, regardless of where the servers are located.

This matters because data residency and data sovereignty describe two different things. Residency is where data is physically stored. Sovereignty is the legal framework that governs it. Choosing a UK data centre with a US provider doesn’t place your data under UK legal jurisdiction; it only changes the postcode on the server. For legal or financial services firms, manufacturers holding IP, or any Manchester-based business managing regulated data, that distinction is material.

Where This Conflicts with the UK GDPR

The tension between the CLOUD Act and UK data protection law is genuine and largely unresolved. Article 48 of the UK GDPR states that personal data cannot be transferred to a non-UK authority simply because that authority has issued a court order. There must be an applicable international agreement in place.

When a US authority issues a CLOUD Act demand and a US cloud provider complies, UK data controllers face a direct compliance problem. The UK GDPR requires that access to personal data by a foreign government has a proper legal basis and that accountability for any breach sits with the data controller, not the provider. Contractual protections like data processing agreements or standard contractual clauses cannot override this. US statutory obligations take precedence over contract.

Under UK GDPR, serious breaches can result in fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. For businesses that comply with a US warrant and thereby trigger a UK GDPR breach, both sides of that dilemma carry penalties.

The UK-US Agreement and Its Limits

There is a bilateral agreement specifically designed to address this conflict: the UK–USA Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, which came into force in October 2022. It establishes a government-to-government mechanism for resolving conflicts and meaningfully distinguishes the UK’s position from the EU’s, which has no equivalent agreement with the US.

But the agreement doesn’t eliminate the underlying risk. It operates through designated legal channels for qualifying law enforcement requests; it doesn’t prevent CLOUD Act orders more broadly, and it doesn’t resolve the structural tension with UK GDPR. Your data’s legal exposure is shaped by your provider’s corporate structure, the nature of the data, and the specific circumstances of any request, not by the location of a server.

Practical Steps for Reducing Risk

This isn’t a case for avoiding cloud infrastructure. It remains essential to how modern businesses operate. But cloud decisions should be made with provider jurisdiction factored in explicitly, particularly for businesses handling personal data, financial records, or sensitive intellectual property.

  • Understand your provider’s corporate nationality: If your cloud provider is a US-incorporated entity or a subsidiary of one, the CLOUD Act reach applies. This is true even if the provider’s UK-region servers are ten miles from your office. An IT provider in Manchester or anywhere else in the UK cannot override that reach if the underlying platform is US-owned.
  • Classify data by sensitivity: Not all workloads carry the same risk. Client personal data, financial records, regulated data, and proprietary IP warrant closer scrutiny of hosting jurisdiction than lower-sensitivity workloads.
  • Consider UK-incorporated alternatives for your highest-risk workloads: An IT company in Manchester or elsewhere in the UK that operates under UK jurisdiction can handle your most sensitive workloads, while hyperscaler infrastructure handles the rest – reducing exposure without requiring a wholesale migration.
  • Implement governance controls: Documented data maps, third-party agreements requiring notification of access requests, and encryption with customer-managed keys all reduce risk and demonstrate the accountability UK GDPR requires. If your cyber security posture doesn’t currently reflect these controls, that’s worth addressing before a request arrives.

What This Means for Your Cloud Strategy

Most businesses that signed contracts with major US cloud providers weren’t thinking about US legal jurisdiction. They were thinking about storage costs, scalability, and uptime. Those are the right operational questions, but the CLOUD Act makes clear that provider choice is also a legal and compliance decision.

For businesses across Manchester and the North West, the question isn’t whether the CLOUD Act is a theoretical concern. It’s whether your current cloud setup would hold up if it became a practical one. Working with an IT consultancy in Manchester that understands both the technical and regulatory dimensions of cloud infrastructure means the IT services supporting your business are built with the full regulatory picture in mind – not just performance and cost.

Cloud Geeni’s cloud-managed services are built around exactly this kind of proactive planning. We help you choose the right environment for each workload, document your data flows, and build a cloud strategy that reflects the full compliance picture – not just the technical one.

Thinking through your cloud strategy?

Cloud Geeni provides IT consulting in Manchester and across the wider UK, working with businesses to build cloud environments that balance performance, cost, and compliance. If you want a clear view of where your data sits and who has legal reach over it, talk to our team.

Author

Ellen Hardy

Creating value and aligning our private cloud solutions with our partners’ offerings.