US Cloud Act and Sovereign Cryptography
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows US authorities to compel access to data managed by US companies, regardless of where the server is physically located (including Switzerland).
Core concept
The law creates a potential conflict with the Swiss nDSG and the EU GDPR. Customer-held sovereign cryptography, where key control remains exclusively with the customer (bring your own key, BYOK, or hold your own key), reduces exposure but is not a complete legal or technical solution. The Cloud Act reaches data within a provider's possession, custody, or control regardless of storage location (18 U.S.C. § 2713). Metadata, support access, decrypted processing, key-management design, subsidiaries, and lawful orders still require separate assessment.
Relevance
- Risk Assessment: Evaluation of the risk when using US hyperscalers for sensitive data.
- Encryption Standards: Consistent use of customer-managed keys (CMK).
- Alternative Providers: Evaluation of Swiss providers. They may still be exposed if they have a US presence, a US parent, US subsidiaries, or US sub-processors; providers without a US jurisdictional nexus and without covered US sub-processors reduce exposure.
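The following Go program is an added illustration of the customer-held-key model described under Core concept and in the CMK item above; it is not code from the page or from any provider. It assumes AES-GCM envelope encryption: a random 32-byte key stands in for the customer's key-encryption key (KEK), which in a real deployment would sit in customer-controlled hardware, and the object name and size stand in for the metadata the provider still holds. The provider receives only the wrapped data key and ciphertext, so a compelled disclosure without the KEK yields metadata and opaque bytes, which is exactly the residual exposure the page says must be assessed separately.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is the only thing handed to the cloud provider. It carries the
// wrapped data key and the ciphertext, never the customer's KEK.
type StoredObject struct {
	Name       string // object name: readable by the provider (metadata)
	Size       int    // plaintext length: readable by the provider (metadata)
	WrapNonce  []byte
	WrappedDEK []byte // per-object data key, AES-GCM encrypted under the KEK
	DataNonce  []byte
	Ciphertext []byte // payload, AES-GCM encrypted under the data key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewCustomerKEK generates the customer's root key (assumption: random bytes
// stand in for a key held in a customer-controlled HSM).
func NewCustomerKEK() ([]byte, error) { return randomBytes(32) }

// EncryptForCloud runs envelope encryption on the customer side: a fresh DEK
// seals the payload and the KEK wraps the DEK. The object name is bound as
// associated data so a wrapped key cannot be re-attached to another object.
func EncryptForCloud(name string, plaintext, kek []byte) (*StoredObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dataNonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	return &StoredObject{
		Name:       name,
		Size:       len(plaintext),
		WrapNonce:  wrapNonce,
		WrappedDEK: kekAEAD.Seal(nil, wrapNonce, dek, []byte(name)),
		DataNonce:  dataNonce,
		Ciphertext: dataAEAD.Seal(nil, dataNonce, plaintext, []byte(name)),
	}, nil
}

// DecryptFromCloud reverses the process. Without the KEK the wrapped DEK
// cannot be opened, so whoever holds only the StoredObject gets nothing.
func DecryptFromCloud(obj *StoredObject, kek []byte) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, obj.WrapNonce, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered object")
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Open(nil, obj.DataNonce, obj.Ciphertext, []byte(obj.Name))
}

// ProviderView summarises what the provider can still read and hand over on
// request: names, sizes and opaque bytes. This is the metadata residue.
func ProviderView(obj *StoredObject) string {
	return fmt.Sprintf("name=%q size=%d ciphertext=%dB wrappedDEK=%dB",
		obj.Name, obj.Size, len(obj.Ciphertext), len(obj.WrappedDEK))
}

// LeaksPlaintext reports whether either stored field contains the payload.
func LeaksPlaintext(obj *StoredObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	kek, _ := NewCustomerKEK()
	// Constructed sample record, not real data.
	obj, _ := EncryptForCloud("records/4711.json", []byte(`{"patient":4711,"dx":"Z00.0"}`), kek)
	fmt.Println("provider sees:", ProviderView(obj))
	pt, err := DecryptFromCloud(obj, kek)
	fmt.Println("customer decrypts:", string(pt), err)
}
```

Note what the model does not cover: the provider still sees the object name and plaintext size, and any server-side processing that needs the decrypted payload would require handing the provider the KEK (or the DEK), which reintroduces the exposure the page warns about.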
Related topics
- Strategy: Digital Sovereignty, the control and ownership context for US Cloud Act and Sovereign Cryptography.
- Innovation: Privacy, the privacy context for US Cloud Act and Sovereign Cryptography.
- Standards, the standards section that frames US Cloud Act and Sovereign Cryptography.