Five facts about how the CLOUD Act actually works
We provide our customers with industry leading data protection and best-in-class security when they use the AWS Cloud worldwide. In recent months we have noticed increased interest in how government data requests are handled. Many of these questions relate to a 2018 U.S. law, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). In fact, the CLOUD Act did not give the U.S. government any new powers to request data from providers; rather, it created important legal guardrails that protect customer content.

To put the topic in context: since we began collecting statistics in 2020, no data request to AWS has resulted in the disclosure to the U.S. government of enterprise or government customer content stored outside the U.S.

Our commitment to protecting customer data rests on multiple layers of legal, technical, and operational protection. For example, AWS has designed its core products and services so that only customers themselves, and the people they authorize, can access customer content. In those cases, a government that wants access to customer content would have to request it directly from the customer. In addition, U.S. law itself provides numerous legal protections that reduce the risk that AWS could be required to disclose enterprise or government data, and the U.S. Department of Justice (DOJ) has implemented additional operational protections over the past eight years.

With that in mind, we would like to address some common misconceptions about the CLOUD Act and clarify how it does, and does not, affect AWS customers worldwide. We are also expanding our CLOUD Act FAQ to make it easier for customers and partners to work through this topic.
Fact 1: The CLOUD Act does not give the U.S. government unrestricted or automatic access to data stored in the cloud
The CLOUD Act was passed to address the difficulties law enforcement agencies faced in obtaining data stored abroad during cross-border investigations of serious crimes, ranging from terrorism and violent crime to child sexual exploitation and cybercrime. The CLOUD Act primarily allows the U.S. to enter into reciprocal executive agreements with trusted foreign partners so that each side can obtain electronic evidence for serious crime investigations regardless of where that evidence is stored, by removing the provisions of U.S. law that would otherwise block such disclosure. Many governments rely on national laws to require providers within their jurisdiction to disclose electronic data under the companies' control, regardless of where the data is stored. Similarly, the CLOUD Act clarified that U.S. law enforcement agencies can use existing powers, such as a court-approved search warrant, to request data under a provider's control regardless of where it is stored; the executive agreements make these reciprocal laws workable in practice, backed by strict procedural and substantive safeguards.
Access to data under U.S. law is far from unrestricted or automatic, and law enforcement agencies must meet strict legal standards. U.S. law actually prohibits providers from voluntarily disclosing this data to the U.S. government unless a statutory exception applies. To require a provider to disclose content data, the law enforcement agency must convince an independent federal judge that there is probable cause to believe a particular crime has been committed and that evidence of that crime will be found in the location to be searched (that is, in a specific electronic account, such as an email account). This standard must be supported by concrete and credible facts. Every search warrant must pass this rigorous examination of probable cause, particularity, and legality, must be approved by an independent judge, and must satisfy the requirements of scope and jurisdiction. In May 2023, the DOJ also issued a policy requiring prosecutors who seek evidence stored abroad to obtain approval from the department's Office of International Affairs (OIA) before applying for such an order. The DOJ's Foreign Evidence Policy notes that every nation enacts laws to protect its sovereignty, and tasks the OIA with resolving questions of that kind and helping prosecutors select an appropriate mechanism for preserving and obtaining evidence.
Fact 2: AWS has not disclosed any enterprise or government customer content under the CLOUD Act since it began collecting statistics
AWS has strict procedures in place for handling requests from law enforcement agencies in all countries, to verify their legitimacy and ensure that they comply with applicable law. AWS recognizes the legitimate needs of law enforcement agencies investigating criminal and terrorist activity, but such investigations must respect the legal protections that govern them. We do not release customer data in response to any government request unless we are required to do so by a legally valid and binding order, and we make this commitment publicly in our customer agreement. In addition, we challenge government requests that violate the law, are overly broad, or are otherwise unreasonable (for example, where a request would violate the fundamental rights of individuals). If we receive a request for the content of enterprise customers, we use all reasonable efforts to refer law enforcement to the customer and notify the customer where permitted by law. If we are required to disclose customer content, we notify the customer before disclosure so that they have an opportunity to seek protection from it, unless we are prohibited by law from doing so. If, after these steps have been exhausted, AWS is still required to disclose customer data and has the technical ability to do so (which, as described above, is often not the case), we disclose only what is strictly necessary to comply with the legal process.
Consistent with our policy of referring law enforcement to customers, the DOJ's Computer Crime and Intellectual Property Section has also issued guidance instructing prosecutors to seek data directly from the enterprise that owns it (for example, a company that stores data with a cloud provider) rather than from the provider.
A clear testament to the effectiveness of these efforts and of the strict legal requirements is that AWS has not shared any enterprise or government customer content stored outside the U.S. with the U.S. government since statistical collection began in 2020. This record reflects AWS's technical protections, the robust legal protections in U.S. law, the policies implemented by the DOJ, and the nature of criminal investigations, which focus primarily on collecting electronic evidence from consumer accounts.
Fact 3: The CLOUD Act does not apply only to companies headquartered in the U.S.; it applies to all providers that do business in the United States
The CLOUD Act applies to all providers of electronic communications services or remote computing services that operate or have a legal presence in the U.S., regardless of where their headquarters are located. For example, cloud providers headquartered in Europe that do business in the U.S. are also subject to the law's requirements. OVHcloud, a cloud service provider headquartered in France that operates in the U.S., notes on its CLOUD Act FAQ page that "OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, this could also include data stored outside the United States." The situation is the same for other cloud providers headquartered in the EU and elsewhere that also operate in the U.S.
Fact 4: The principles of the CLOUD Act are in line with international law and the laws of other countries
The CLOUD Act did not introduce a novel legal position on the scope of electronic data that must be disclosed in legitimate criminal investigations. Many countries require the disclosure of customer data, regardless of where it is stored, in response to legal process relating to serious crime. For example, the UK Crime (Overseas Production Orders) Act 2019 allows UK law enforcement authorities to obtain electronic data stored outside the UK in connection with criminal investigations. According to a 2024 U.S. DOJ filing, several EU member states, including Belgium, Denmark, France, Ireland, and Spain, have similar requirements. In fact, as of 2023, the majority of the law enforcement requests AWS receives come from agencies outside the United States.
The same concept is enshrined in the Budapest Convention on Cybercrime, the first international treaty aimed at improving cooperation in the investigation of cybercrime. In addition, the EU e-Evidence Regulation (EU) 2023/1543, in force since August 2023, authorizes member state authorities to order a service provider to produce or preserve electronic evidence regardless of where the data is located. The GDPR likewise permits the transfer of personal data in response to binding disclosure requests from third countries, provided the party concerned can rely on an appropriate legal basis and a transfer instrument or derogation (see the EDPB Guidelines 02/2024 on Article 48).
AWS supports governments entering into reciprocal executive agreements under the CLOUD Act, including between the U.S. and the European Union and between the U.S. and Canada. We believe these agreements are important for resolving potential conflicts of law definitively and for enabling the effective investigation of serious crimes in the interest of public safety. Such agreements also recognise the strong substantive and procedural safeguards already in place under U.S. law.
Fact 5: The CLOUD Act does not limit the technical measures and operational controls that AWS offers its customers to protect against unauthorized access to customer data
We can respond to a legal data request only if we have the technical ability to do so. AWS has a range of products and services designed so that no one, not even AWS employees, can access customer content, and customers have a number of additional technical measures and operational controls available to prevent access to their data. For example, many of AWS's core systems and services are designed for zero operator access, meaning the service provides no technical mechanism by which AWS employees could access customer data, including in response to a legal request.
The AWS Nitro System, the foundation of AWS compute services, uses specialized hardware and software to protect data from outside access while it is being processed on Amazon Elastic Compute Cloud (Amazon EC2). With a strong physical and logical security perimeter, Nitro is designed so that no unauthorized person, not even an AWS employee, can access customer workloads on EC2. The design of the Nitro System has been validated by NCC Group, an independent cybersecurity firm. The controls that prevent operator access are so fundamental to the Nitro System that we have written them into the AWS Service Terms, giving every customer an additional contractual assurance.
We also provide customers with features and controls to encrypt data in transit, at rest, and in memory. All AWS services support encryption, and most also support encryption with customer managed keys whose key material is not accessible to AWS. AWS Key Management Service (AWS KMS) is the first highly scalable, cloud native key management system validated at FIPS 140-3 Level 3. In plain terms, AWS offers extremely strong encryption in which the customer controls who can use a key: a customer managed key in KMS is governed by a key policy that the customer writes, so decrypt permissions can be scoped to specific principals and their use audited.
Our continued customer focus
At AWS, our customer-centric approach drives everything we do, from how we design our services to how we protect your data. We understand that your trust is earned through transparency, strong technical controls, and a tireless commitment to your interests. That is why we have been clear about how we handle government data requests, including the effect of the CLOUD Act, and about the multi-layered legal, operational, and technical protections that safeguard your data.
We encourage you to read more about this important topic in our extended CLOUD Act FAQs. We will continue to innovate on your behalf, develop new features and services that put you in control of your data, and maintain our commitment to the highest standards of privacy and security.