CLOUD Act and STACKIT: securing data protection in the European cloud

Digital services today rely on powerful cloud infrastructures – and therefore increasingly on the security and legal integrity of stored data. The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) from 2018 has raised questions for many European companies and authorities: Who is allowed to access what information? What role does the location of the data center play? And what does this mean for data protection and compliance with the GDPR?
STACKIT, the Schwarz Group’s European cloud platform, offers a sovereign alternative to non-European providers. With complete control over infrastructure, operations and software management, STACKIT ensures that your content is protected from unauthorized access – regardless of whether authorities or service providers from overseas demand access. This article provides an overview of the CLOUD Act, highlights the impact on data protection in Europe and shows how companies can work with STACKIT in a legally secure, high-performance and GDPR-compliant manner.
Glossary: Important terms relating to CLOUD Act and STACKIT
- CLOUD Act (Clarifying Lawful Overseas Use of Data Act): A US law from 2018 that allows US authorities to access data under certain circumstances – even if it is stored on servers outside the USA, provided it is controlled by US service providers.
- Data: Information that is stored, processed and transmitted in digital systems – such as personal data, company information, emails or databases.
- Service providers: IT and cloud companies that provide infrastructure, platforms or programs. STACKIT acts as a European cloud service provider.
- GDPR (General Data Protection Regulation): European regulation on the protection of personal data. Among other things, it stipulates that data may only be processed outside the EU under certain conditions.
- Overseas access: This term refers to data access by authorities or companies outside Europe – in particular by US authorities on the basis of the CLOUD Act.
- Sovereign cloud: A cloud infrastructure that is operated entirely under European control – i.e. without technical or legal dependencies on non-European providers.
- STACKIT: The Schwarz Group’s cloud and colocation brand, which is operated exclusively in data centers in Germany and Austria and is characterized by high security and data protection standards.
Data protection benefits with STACKIT: Protect what belongs to you
Companies today are under increasing pressure to store their data not only efficiently, but above all in a legally compliant manner. The CLOUD Act poses a challenge for many international cloud providers: Even if data is located in Europe, the possibility of it being viewed by US authorities cannot be ruled out – for example on the basis of “overseas use” or if certain facts are suspected. This may involve the disclosure of sensitive data, such as emails, server logs or CRM systems.
STACKIT offers a clear advantage here: as part of the Schwarz Group, STACKIT is a fully European service provider – without the involvement of US corporations or software services that fall under the CLOUD Act. This means:
- No release of data to US authorities
- Server locations exclusively in Germany and Austria
- Operation in accordance with European data protection principles (GDPR)
- Customers retain full control over their data
In addition, STACKIT applies the highest standards in terms of security: ISO/IEC 27001-certified data centers, multi-level access controls and end-to-end encryption protect your data against unauthorized access – both physically and digitally. The combination of technical expertise, controlled infrastructure and an independent legal basis makes STACKIT the ideal platform for data-sensitive services – from email hosting to complex management solutions with personal content.
Another advantage of STACKIT is the innovative strength and flexibility of the platform: new services and security standards are continuously implemented in accordance with European data protection regulations. Companies that use future-oriented technologies such as AI, big data or industry-specific SaaS applications will find STACKIT to be an infrastructure that is designed for continuous development and maximum compliance. Regular audits, transparent compliance management and comprehensive support with GDPR evidence for external audits also offer security at the highest level.
CLOUD Act in detail: significance, risks and effects
The CLOUD Act was passed in the USA in 2018. Its aim is to give investigative authorities such as the FBI or DEA access to data even if it is physically stored outside the USA – for example on servers in Europe – if the service provider is based in the USA or does business there. This affects many well-known providers of cloud services, email tools and storage solutions.
For European companies, authorities or service providers that process personal data or other sensitive data, this means a considerable risk: even if servers are located in Frankfurt or Paris, a US provider may be legally obliged to disclose this data – without European customers or authorities being able to prevent this or have it legally checked. In practice, this can also affect email accounts, CRM systems or stored databases. The CLOUD Act is therefore in conflict with the GDPR: The European General Data Protection Regulation stipulates that data may only be processed or transferred outside Europe if an adequate level of data protection is guaranteed. Blanket access contradicts this principle.
Organizations with high compliance requirements in particular – for example in the healthcare sector, the public sector or industry – are therefore well advised to take a close look when choosing their provider. After all, it is not only the technical security but also the legal integrity of a cloud service that determines whether data and content are actually protected.
How to minimize risks when using the cloud
Any company or public authority that operates digital services and software solutions can hardly avoid cloud offerings. However, not every offering is equally suitable – especially with regard to data protection, release scenarios and international access rights. The following recommendations will help you make informed decisions:
- Rely on European providers with no US connection: only operators whose corporate structure is based entirely in Europe are not bound by the CLOUD Act. STACKIT meets this criterion: The data centers are located exclusively in Germany and Austria. The management, operation and programs used are also not subject to any foreign requirements or external access rights.
- Avoid hybrid dependencies on US software: Many platforms use US-based services in the background – for logging, monitoring or mail functions, for example. When choosing a provider, ensure complete transparency with regard to the technologies used. With STACKIT, you can be sure that only European solutions are used that are not obliged to disclose data.
- Check contractual clauses and SLAs: A reputable provider will clearly indicate who has access to your data, where it is stored and how it is protected. Topics such as backup, security, auditability and rights management should also be clearly regulated. STACKIT documents all relevant services in detail – including measures to prevent unauthorized access.
- Use encryption and role-based access: Technical measures such as end-to-end encryption, VPN connections and rights concepts significantly increase the security of your data. With STACKIT, these security features are standard. This means you retain full control over your data, even with distributed applications and server architectures.
- Avoid unnecessary data storage outside Europe: The use of international APIs or software services can also lead to an indirect outflow of data. You should therefore give preference to solutions with a clear hosting location in Europe – as is consistently practiced by STACKIT.
Companies also benefit from short distances and direct support: STACKIT provides German-speaking contact persons, ensures fast response times and thus enables smooth operation – even for business-critical applications. This personal service creates trust and provides additional legal certainty, especially for sensitive data and complex cloud projects.
CLOUD Act & STACKIT: Sovereignty through European infrastructure
Since 2018, the CLOUD Act has been causing discussion worldwide – especially in Europe. This is because the US law allows American authorities to access data stored overseas – even if this data is stored in European data centers. For many companies and authorities, this puts at risk not only data protection, but also the sovereignty of their data.
STACKIT meets this challenge with a clear counter-model: a completely European cloud platform – operated by the Schwarz Group, without any legal or technical dependency on US service providers. All data and content remain under European control. The server locations in Germany and Austria, GDPR-compliant processing and the deliberate avoidance of overseas components offer security against unwanted disclosure. This gives companies a decisive advantage: they retain control over their applications, services and customer information – with maximum security, scalability and legal clarity.
STACKIT is therefore the ideal platform for anyone who wants to operate digital solutions with confidence – from e-mail services and database solutions to complex service management. With this consistent European focus, STACKIT is setting an example for digital sovereignty, data protection and innovation – values that are crucial for the future viability of companies in the digital age.
FAQ: Frequently asked questions about the CLOUD Act in connection with STACKIT
The following questions and answers summarize the most important aspects from the article – especially with regard to access rights, data protection and cloud provider selection.
Does the CLOUD Act also apply to European companies?
No, the CLOUD Act only applies to providers that are based in the USA or have significant business activities there. European operators such as STACKIT are not subject to this law – even if they provide digital services or tools.
Can US authorities still gain access?
Only if the provider is legally bound by the CLOUD Act – for example through corporate links or technical dependencies. STACKIT operates its entire infrastructure in Europe and does not use any US components that would be subject to disclosure.
Which data is affected?
Basically, all information that is stored or processed digitally – from mail content and server logs to sensitive customer or company data. Personal data in accordance with the GDPR is particularly critical.
What distinguishes STACKIT from US-based providers?
STACKIT is completely European – organizationally, technically and legally. All data remains on servers in Germany and Austria. The platform is ISO-certified and GDPR-compliant, with no obligation to disclose data to overseas authorities.
How does STACKIT protect data from unauthorized access?
Through infrastructure secured at multiple levels, encryption, role-based access management and complete control over the entire service management – from the network to the application. In addition, all locations are within Europe.
