While we’re on the subject of insane digital gulag-style demands for cross-border travel, we shall, of course, follow up on yesterday’s posting.

Specifically, we shall enquire if that new policy currently under review with the US Dept. of Homeland Security marks a decisive break or is merely a kind of formalisation of what’s been going on for some time now.

Hence, I wish to point you to a piece that appeared not that long ago on the website of the German IT-related webzine Heise.de. Given the topic, I shall further add that Heise.de provided the translation of the article, while sections of the underlying expert opinion, which is written in German, were translated by me; as always, I’ve added emphases and [snark].

Opinion: US Authorities Have Far-Reaching Access to European Cloud Data

An analysis for the Ministry of the Interior highlights the reach of US laws. According to it, data stored in the EU is also not secure.

By Stefan Krempl, via heise.de, 10 Dec. 2025 [source, archived]

The debate about Europe’s digital sovereignty and the strategic use of US cloud infrastructures in sensitive areas is gaining new momentum. A previously unpublished expert opinion, prepared by legal scholars at the University of Cologne on behalf of the Federal Ministry of the Interior, has now become publicly accessible as part of a Freedom of Information Act (IFG) request. It concludes that US authorities have far-reaching access to data even when it is stored in European data centers [this isn’t meant when the Eurocritters throw a tantrum demanding ‘strategic autonomy’ or ‘sovereignty’].

Access by Intelligence Agencies

The experts were tasked with clarifying whether and to what extent US intelligence agencies and other state bodies have a legal right of access to data in the cloud, even if the infrastructures are operated outside the United States. According to the opinion, the Stored Communications Act (SCA), extended by the Cloud Act, and Section 702 of the Foreign Intelligence Surveillance Act (FISA), in particular, allow US authorities to compel cloud providers to hand over data [at this point, I’ll cite from the opinion’s p. 4:

The obligation to disclose data does not depend on the location of the company’s registered office, but rather on the location of the server. As soon as data is stored or processed on US territory, it is subject to Section 702 FISA. Since this data may only relate to non-US persons, Section 702 FISA has an extraterritorial application component.

Read up on Sec. 702 FISA; and perhaps consider that a VPN with a US IP address may not help as I’m sure the brainiacs of the intel community thought about that, too]

A sensitive point is the finding regarding the scope of US jurisdiction. Companies are therefore required to hand over data even if it is stored outside the USA. The decisive factor is therefore not the physical storage location of the information, but the control over it by the affected company [in other words, even if a US company tells you that ‘our servers are located in your country, trust us’, these legal scholars deem it plausible that data is vacuumed up by the US intel community]. This implies that even data stored in data centers on European soil and managed through German subsidiaries are subject to access. The prerequisite is that the US parent company exercises ultimate control.

Reach of US Jurisdiction

However, the reach of US laws does not end here. According to the opinion, the jurisdiction of the United States can impact not only European subsidiaries of US companies. It also has the potential to affect purely European companies, provided they maintain relevant business connections in the USA [i.e., if a European™ (insert any other country, if relevant) company has subcontractors in the US, your data is toast]. This extends the risk of indirect or direct data access to a wide range of companies operating in the European internal market [plus there’s the issue of, if a non-US company has no physical or other ties to the US but the internet connection, the data of said company may still be accessed by the US intel community].

Although a cloud provider could technically prevent itself from accessing the data, for example, through encryption, this does not necessarily avoid the disclosure obligation. US procedural law requires parties to store procedurally relevant information even before the start of legal proceedings. A cloud service provider that is regularly confronted with disclosure requests could therefore be obliged to retain data. If it excludes itself from access through technical measures, it risks significant fines or criminal consequences [that US procedural law is perhaps the real-world mind-fuckery masquerading as ‘catch-22’ where the real aim is to make the company retain information before the opening of potential proceedings (which is a future possibility); now, I’m not naive enough to believe that some laws (penalties) on the books aren’t useful to prevent crime, but to prophylactically keep stuff in order to use at a later, hypothetical time in a courtroom seems…odd (and reminds me, strangely enough, of how the Science™ propagates vaccines)].

In Europe, supervisory authorities may prohibit the disclosure of information to authorities in third countries based on the General Data Protection Regulation (GDPR). Data transfers to the USA can currently be based on the shaky adequacy decision of the EU Commission – the EU-US Data Privacy Framework. However, the opinion highlights the legal tensions arising from the global reach of US laws [fair enough]. It points to the need to develop European alternatives to strengthen digital sovereignty [and that’s the lala-land part: this will never happen as the behemoths will always gobble up the small newcomers—and the only alternative is for EUropean gov’ts to build one of these clouds themselves, which they typically do with contractors and sub-contractors, hence it’s equally absurd to even ponder this, to say nothing about ‘alliance requirements’, ‘data sharing’, and the like].

What does this mean for MS 365 & Co.?

Lawyers Stefan Hessel, Christina Ziegler-Kiefer, and Moritz Schneider conclude in a current analysis that the use of the cloud-based solution Microsoft 365 in compliance with data protection regulations is still fundamentally possible. The abstract risk, stemming from extraterritorial US powers, does not in itself constitute automatic unreliability of the processor, as long as no systematic violations of European law are proven [remember, we’re talking about Bill Gates’ company Microsoft here]. Those responsible must concentrate on their compliance obligations and conduct a data protection impact assessment if the risk is high. Other experts do not see it that way.

Gems From the U Cologne’s Expert Opinion

As stupid as the foregoing sounds (very much so, if truth be told), there’s much more hare-brained nonsense in the legal opinion, and I’ll give you a few choice quotes to drive this home.

German companies currently have no legal protection against such orders. European companies are not entitled to the right of objection against such a disclosure request provided for in Section 2703(h)(2)(A) SCA, as there is no corresponding agreement between the US and the EU.

This is from p. 3, and do note that, due to the equivalence clause in the EU Treaties, whatever applies to one member-state also applies to all others.

And that’s before the idea of the US gov’t treating anyone else as equal is considered, in particular its cuckold EU vassals.

Speaking of vassals, here’s the money paragraph from p. 4:

The provisions of the CLOUD Act make it clear that a request for disclosure from US law enforcement authorities must be complied with even if the data is stored on a server outside the US. This is also the case if the server is operated by a US corporation through a European subsidiary, provided that the US company can arrange for the data to be disclosed by the subsidiary.

Please note that we’re talking about US law™ that must be complied with outside the US and beyond its (nominal) jurisdiction.

Speaking of US jurisdiction, here’s the money paragraph from p. 5:

The scope of jurisdiction of US courts is determined by the extent of a company’s contacts with the United States. If a European company operates a branch in the United States, it can be assumed that US courts will exercise jurisdiction over the company. Depending on the circumstances of the individual case, the existence [!] of business contacts [!!] may also be sufficient [!!!].

Please let that sink in: under the rule of law™, whatever shit is requested by a (mostly kangaroo, at this point) US court™, is ‘dependent on the circumstances of the individual case’.

In my book, ‘the law’ is an abstract, if not reified, collection of circumstances that is both generic enough to permit application beyond any individual case, as well as very specific as to the implications.

What we observe here, however, is the exact opposite: whatever law™ is on the books in the US (jurisdiction) is applied elsewhere, and whether it is applied depends entirely on the whims of the presiding judge; there are no standards that are deemed universal or at least socially acceptable (such as, e.g., the requirement of a warrant signed by a judge before one’s privacy is invaded by police), for, as the opinion holds, ‘the [mere] existence of business contacts may [!!!] also be sufficient’.

This is the summary of the expert opinion (pp. 30-1; italics in the original):

In summary, it should be noted that the jurisdiction of US courts over foreign entities is always determined by the circumstances of the individual case. In general, the courts consider the extent and intensity of a particular company’s contacts with the US. A distinction is made between general and specific personal jurisdiction, whereby the assumption of general personal jurisdiction requires more intensive contacts with the US than specific personal jurisdiction, but then empowers the courts to allow all types of lawsuits against a company. Whether EU companies that store their server data in the EU are subject to the jurisdiction of US courts must be determined on the basis of their business relations with the US. According to the case law of the US courts, it is not sufficient for the assumption of general personal jurisdiction that an EU company operates a subsidiary in the US; however, a branch of the parent company could be sufficient. For the assumption of specific personal jurisdiction, the operation of a website that is at least also aimed at US customers could be sufficient.

Do re-read the last couple of lines: if you own a company and operate a webshop ‘at least also aimed at US customers’ from, say, Nepal, you’re subject to US specific personal jurisdiction.

This is, of course, an insane standard™ that allows US courts to arbitrarily apply their law™ against individuals world-wide (that is, at least in countries whose élites are beholden—compromised—and on the hook of the US intel community).

There’s yet another gem here: on p. 33 (the last one) of the expert opinion whose author’s name is redacted, it is noted that

the author’s expertise relates exclusively to the law of NY State and US federal law, but they have no expertise as regards German law. Therefore, the author of this legal opinion was supported by the academic associates [orig. wissenschaftliche Mitarbeiter] [names redacted] who are familiar with German law.

So, what we get is a (most likely US) jurist’s blabber about US legislation, requested by the German (sic) Interior Ministry to inform them about whatever TF the US may or may not be up to. Plus the German law™ expertise derives from non-professorial research associates. Here’s the U of Cologne Law School’s roster of professors, in case you wish to take a guess. (For the record, my guess is that Professors Karl-Nikolaus Peifer or Karl-Eberhard Hain may have authored the opinion, for both work on media and communications-related law, but I don’t know.)

Bottom Lines

‘Sovereign is he who determines the exception’, German jurist Carl Schmitt infamously held a century ago.

As US courts are able to determine, on a case-by-case basis, who and what company falls under its (extraterritorial) jurisdiction, we know who is sovereign (the US gov’t) and who isn’t (everybody else, including US citizens).

As regards the implications here, well, where do we start?

These issues and problems of the FISA law™ were known from its inception, they hark back to the USA PATRIOT Act passed in the wake of ‘9/11’, and there’s apparently no lobby in the United States that works to roll back those powers the US gov’t has arrogated over the past decades.

Speaking of history, it is relevant to note that the above-cited legal expertise relates to German law™, and that we’re missing the EU-level perspective here (for the time being). Hence, the presumption that whatever is found™ in the above legal opinion may apply, ceteris paribus, also across the rest of the EU/EEC bloc.

Can any of this be changed?

Absent an abrogation of NATO, all so-called SOFAs (status of forces agreements) providing yet another layer of extraterritorial jurisdiction for all US personnel stationed abroad—that also includes, by the way, non-uniformed service members, civilians working for the US intel community, and third party contractors, such as Palantir—and the withdrawal (kicking out) of US personnel, any possible answers to this question are moot.

Oh, lest I forget, individual countries in which US personnel is stationed would have to proactively do all of the above, which is to say, it will neither happen any time soon nor will it happen without the US gov’t determining that doing so is not in its best interest.

Note the absence of the interests of both US and all other citizens.

The US, courtesy of the internet, has effectively ended sovereignty worldwide, with the exception of perhaps a handful of countries that are, so far, more or less outside that scope; these include, to my mind, Russia, Belarus, China, North Korea, and Iran for sure.

Note furthermore the absence of anything that implicates the physical infrastructure, such as internet service providers, the underwater cables, etc.

I suppose that, technically speaking, if they are owned/operated by US companies and/or subcontractors, that data access is equally legal™.

But these are discussions for another day.