The CLOUD Act Problem: What European Companies Expanding Into the US Need to Understand About Data Jurisdiction
European companies expanding into the US face hidden data risks. Learn how CLOUD Act jurisdiction intersects with GDPR and what to plan before entry.
European companies expanding into the United States usually plan around incorporation, payroll, banking, and office leases. Data jurisdiction rarely makes that list. This is a mistake. The moment a European company opens US operations, it creates a second legal relationship with its own data, one governed by US law rather than EU law, and that relationship carries consequences most expansion plans never account for.
What Most Expansion Plans Miss
Most of the conversation around digital sovereignty looks at this from one direction only: whether EU companies should stop using US cloud providers. That debate is well covered. The reverse situation gets almost no attention. When a French, German, or other European company sets up a US subsidiary, signs a US lease, hires US staff, and opens US bank accounts, it starts generating data that is subject to US jurisdiction by default, regardless of where its European headquarters sits or where its European servers are located.
This matters because the two legal systems do not align. GDPR requires companies to control and protect personal data and restrict its movement outside the EU without proper safeguards. US law takes a different starting point entirely.
What the CLOUD Act Actually Says
The Clarifying Lawful Overseas Use of Data Act, passed in 2018, gives US law enforcement the authority to compel any company under US jurisdiction to produce data in its possession, regardless of where that data is physically stored. A US subsidiary of a European company, or a European company using a US-based cloud or software provider, falls under this authority once it operates in the US market.
This creates a direct conflict with GDPR. A request issued under the CLOUD Act does not need to go through the legal channels that GDPR assumes will protect EU personal data from foreign access. European regulators have been explicit that this conflict is real and unresolved, not a theoretical edge case.
Why Operating in the US Changes the Calculation
A European company that has never set foot in the US can keep its entire technology stack on EU soil and stay outside CLOUD Act reach. Expansion changes that. Once a company has a US entity, US employees, US customers, or US-based infrastructure, several things shift at once.
First, any provider used by the US subsidiary, whether a CRM, an HR platform, or basic cloud storage, is likely to be a US company subject to US legal process. Second, data generated by US operations frequently flows back to the European parent company for reporting, finance, or management purposes, which can pull EU personal data into a system now reachable under US law. Third, French parliamentary testimony in 2025 made clear that even European-marketed cloud offerings from US providers cannot fully guarantee protection from CLOUD Act requests, since the parent company remains bound by US law.
None of this means a European company should avoid US expansion. It means the data architecture needs to be designed deliberately, rather than inherited from whatever tools the US team happens to adopt.
Practical Exposure Points
A few areas tend to create the most risk during expansion. Shared software accounts between the European parent and the US subsidiary often blur jurisdictional lines without anyone intending it. HR and payroll data for US staff, run through a US-based provider, sits squarely under US jurisdiction even if the parent company is European. Customer data collected through US sales or marketing activity frequently gets centralized into systems the European team also uses, creating cross-border exposure that was never explicitly approved.
None of these are exotic scenarios. They are standard parts of running a US subsidiary, which is exactly why they go unnoticed.
What To Do Before, Not After, You Expand
Companies expanding into the US benefit from mapping data flows before systems are chosen, not after. This means identifying which data needs to stay under EU governance, which data is genuinely local to US operations, and where the two will inevitably intersect, such as financial consolidation or group-wide reporting.
It also means being specific with providers. Asking whether a vendor is US-based, and what legal protections apply to the data it holds, is a reasonable question during procurement, not an afterthought during a compliance review. Some workloads will need to stay on EU infrastructure regardless of where the business operates. Others can sit on US infrastructure with appropriate safeguards, provided someone has actually evaluated the trade-off rather than defaulting to convenience.
European companies that get this right do not avoid US expansion. They expand with a clear answer to a question regulators and customers are increasingly likely to ask: who can access this data, and under whose law?