Data Protection & Data Sovereignty
US CLOUD Act vs. Swiss Data Location: Why CH/EU Hosting Matters for Client Data
The US CLOUD Act lets US authorities access data from US providers – even in CH/EU data centres. What that means for client data and data location.
Researched & fact-checked by: DuneDive LLC · As of: 2026-06
What is the US CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed by the US Congress in March 2018 as part of the Consolidated Appropriations Act and signed by President Trump. It clarifies that US providers of electronic communication and cloud services must produce stored data on a valid US authority order – regardless of where in the world that data is physically located.
What matters is its scope. The CLOUD Act reaches a provider when two conditions are cumulatively met: (a) US courts can exercise personal jurisdiction over the provider – which is the case where there are sufficient business contacts with the US, irrespective of seat; and (b) the provider has "possession, custody, or control" over the data sought. The control requirement is a substantive filter and is not equivalent to mere business presence.
For US groups with EU data centres (e.g. Microsoft Azure EU, AWS Frankfurt) the CLOUD Act clearly applies, because the US parent controls the data of its EU subsidiary – even when the server sits in Zurich, Frankfurt or Dublin. For the reverse case – a European provider with a US subsidiary – the mere US presence of the subsidiary is not sufficient where that subsidiary has no factual control over the parent's data.
The location of the data centre alone therefore offers no protection. What matters is legal control over the data, not the geography of the hard drive. That is the core reason why "data in the EU" with a US provider is a different statement from "data under Swiss/EU jurisdiction".
Why this matters for client data
Fiduciaries, lawyers and SMEs process particularly sensitive client data: tax files, payroll data, trade secrets and – depending on the mandate – personal data of particularly sensitive categories under Art. 5 lit. c revDSG (e.g. health data, information on criminal proceedings or social assistance). Trade secrets do not fall within the Art. 5 lit. c revDSG catalogue but under general data protection and contractual confidentiality. Several overlapping duties apply to such data – under data protection law (revDSG), professional law and contractually towards the client.
The professional-law classification matters: the criminal-law professional secrecy under Art. 321 StGB applies only to the professions exhaustively listed there (including lawyers, notaries, auditors, physicians). Generic fiduciaries (Treuhänder) are not a category under Art. 321 StGB; their confidentiality duties arise from the mandate contract, from cantonal or industry regulation and from professional codes of conduct – not from criminal-law professional secrecy.
Access by a US authority under the CLOUD Act can directly collide with these duties. If a fiduciary uses a US cloud provider and that provider hands over data on a US order, this can neither be controlled nor reliably prevented from Switzerland – often the controller is not even informed (gag orders).
Important context: the Swiss-U.S. Data Privacy Framework (DPF) has been in force since 15 September 2024 (Federal Council decision of 14 August 2024). For certified US recipients it ensures an adequate level of data protection within the meaning of Art. 16 para. 1 revDSG and thereby legitimises the commercial data transfer. The Swiss-U.S. DPF is a standalone instrument and is not identical to the EU-US Data Privacy Framework (European Commission decision of 10 July 2023). *Note: the related EU-US DPF is the subject of pending proceedings before the CJEU (Latombe appeal, October 2025). The Swiss-US DPF could come under political pressure following a CJEU ruling; the situation should be reviewed periodically.*
Moreover, the DPF does not resolve the conflict with the CLOUD Act: it governs the permissibility of the transfer, not government access. US orders under the CLOUD Act and FISA Section 702 (as of June 2026: subject to a temporary extension, with reform/reauthorisation open) remain applicable even to DPF-certified providers. Data location and provider jurisdiction therefore remain independent risk factors.
*This is not legal advice. Assessing the individual case requires expert review.*
How the third-country transfer works legally
The revised Data Protection Act (revDSG, in force since 1 September 2023) governs the disclosure of personal data abroad in Art. 16 and 17. Basic rule (Art. 16 para. 1): a transfer is permitted if the Federal Council has determined that the relevant state ensures an adequate level of data protection. The corresponding list of states is set out in Annex 1 of the Data Protection Ordinance (DSV).
All EU/EEA states are recognised as adequate – transfers there are permitted without additional safeguards. For the USA, adequacy has applied since 15 September 2024 only for DPF-certified recipients; for non-certified US recipients no adequate level exists.
Where there is no adequacy decision, a transfer under Art. 16 para. 2 revDSG is only permitted with appropriate safeguards – such as standard contractual clauses (SCC recognised by the FDPIC), binding corporate rules (BCR) or a treaty. In addition, there is the assessment duty derived from Art. 16 para. 2 revDSG and the principle of proportionality (Art. 6 revDSG): the controller must ensure that the agreed safeguards actually take effect in the destination state (Transfer Impact Assessment, TIA) and, where necessary, adopt supplementary measures (e.g. strong encryption with key control held by the controller). The FDPIC has adopted this requirement in its practice – substantively analogous to the CJEU judgment Schrems II (C-311/18, 16 July 2020), which directly binds EU authorities but not Swiss law.
Art. 17 revDSG contains narrowly interpreted exceptions (including explicit consent, contract performance, overriding public interests, assertion of legal claims). For routine cloud use with client data these are generally not a viable basis.
Assessing data location – step by step
1. Map data types: which client data is affected, is there a personal reference, particularly sensitive data (Art. 5 lit. c revDSG) or a confidentiality duty (professional secrecy under Art. 321 StGB, or contractual/professional-code confidentiality)?
2. Clarify provider jurisdiction: is the provider (or its parent) subject to US law and does it control the data? Assess the data centre location separately from legal control.
3. Determine the transfer path: does adequacy under Annex 1 DSV apply (EU/EEA; USA only with DPF certification)? If not: appropriate safeguards under Art. 16 para. 2 revDSG (SCC/BCR).
4. Carry out a Transfer Impact Assessment (Art. 16 para. 2 in conjunction with Art. 6 revDSG): do laws such as the CLOUD Act or FISA 702 apply? Do the safeguards actually take effect? Document the residual risk.
5. Define supplementary measures: encryption with key control held by the controller, pseudonymisation, access restriction; for high sensitivity choose a CH/EU provider without US ties.
6. Secure contractually: data processing agreement under Art. 9 revDSG, data residency assurance, duty to notify on authority requests, document in the processing record (Art. 12 revDSG).
7. Review periodically: reassess the legal situation regularly – including DPF status (pending CJEU Latombe proceedings), FISA 702 status (as of 2026 temporary/under reform), PCLOB (note: the Board has lacked a quorum since the January 2025 removals; independent assessment of the US legal situation is required), provider structure and sub-processors.
When CH/EU data location is the right choice
A Swiss or EU data location with a provider not subject to US jurisdiction is the most robust option when:
- you process client data subject to particular confidentiality duties (fiduciary, law firm, tax advice) – here confidentiality protection and the risk of covert authority access weigh particularly heavily;
- you hold particularly sensitive personal data (Art. 5 lit. c revDSG) or clients' trade secrets;
- clients or principals contractually require Swiss/EU data residency;
- you want to avoid the burdensome Transfer Impact Assessment and safeguards architecture for US transfers – with a CH/EU provider without a US parent the third-country problem largely disappears.
For AI applications with client data the same applies, intensified: anyone running a language model or a RAG pipeline on confidential files should keep inference and the vector store with a provider under Swiss/EU law or run it locally/self-hosted, so that neither training nor processing data is exposed to the CLOUD Act risk.
When data location is not the decisive criterion
Data location is no panacea and should not be overweighted when:
- the data has no personal reference and no confidentiality duty (e.g. anonymised or purely technical data) – then the CLOUD Act conflict is not the central issue, and functionality, availability or cost may legitimately prevail;
- the chosen provider hosts in CH/EU but is subject to US jurisdiction: an "EU data centre" of a US group precisely does not solve the problem. Here, location alone is misleading;
- the recipient is DPF-certified and the processing is commercially uncritical – the transfer is legitimised under data protection law, yet the residual CLOUD Act risk remains and must be assessed separately.
The clean distinction matters: location ≠ jurisdiction. What is decisive is who can legally access the data, not just where it sits. Moreover, data location never replaces the other duties (encryption, access control, data processing agreement under Art. 9 revDSG, processing record under Art. 12 revDSG).
FAQ
Does an EU data centre protect my data from the US CLOUD Act?
Not necessarily. The CLOUD Act attaches to US jurisdiction over the provider and its control over the data, not to the storage location. If a US group hosts your data in an EU data centre, it may still be obliged to produce it on a valid US order. Protection only comes from a provider not subject to US jurisdiction.
Has the Swiss-U.S. Data Privacy Framework defused the CLOUD Act?
No. The DPF (in force since 15 September 2024) ensures the data protection adequacy of the transfer for certified US recipients. It is a standalone instrument (not identical to the EU-US DPF) and governs commercial transfer, not government access. Orders under the CLOUD Act and FISA 702 remain applicable even to DPF-certified providers.
What is a Transfer Impact Assessment and do I need one?
It is the case-by-case assessment, derived in Swiss law from Art. 16 para. 2 in conjunction with Art. 6 revDSG, of whether the legal situation in the destination state actually gives the agreed safeguards (e.g. SCC) effect. The FDPIC follows this practice – substantively analogous to the CJEU judgment Schrems II (C-311/18, 16 July 2020), which, however, binds EU authorities and not Swiss law. For transfers to third countries without adequacy – in particular to non-DPF-certified US recipients – it is regularly required.
Does the CLOUD Act also apply to AI services with client data?
Yes, if the AI provider is subject to US jurisdiction and controls the data. If confidential files are processed via a US language model or a US-hosted RAG/vector pipeline, that data falls under the same access risk. For confidential or secrecy-bound data, inference and storage with a CH/EU provider or self-hosted is advisable.
Sources
- CLOUD Act – Full text and overview, U.S. Department of Justice (Criminal Division, CLOUD Act Resources) · 2018-03-23
- revDSG Art. 16 (Disclosure abroad), Fedlex – Swiss Federal Chancellery · 2023-09-01
- EDÖB (FDPIC) – New data protection framework Switzerland–USA (Swiss-U.S. DPF), press release of 15 August 2024 (Federal Council decision: 14 August 2024, in force: 15 September 2024) · 2024-08-15
- CJEU, judgment of 16 July 2020, C-311/18 (Schrems II) – EUR-Lex · 2020-07-16
- EDÖB (FDPIC) – Disclosure of personal data abroad (list of states / Annex 1 DSV) · 2024-09-15