The CLOUD Act and Its Global Counterparts:
Government Access to Cloud Data and the Erosion of Digital Privacy
A comparative analysis of the US CLOUD Act, India’s Section 69 IT Act, and the UK’s Investigatory Powers Act — how governments compel disclosure of private data from cloud providers, and why the safeguards may be inadequate.
By Ravinder Singh Dhull, Advocate · March 2026 · 22 min read
When a government issues an order compelling a cloud provider to hand over your emails, files, or communications, three questions matter above all others: what legal authority permits this? what safeguards protect against abuse? and can the provider — or you — challenge the demand? The answers to these questions differ dramatically across jurisdictions, and the gap between what the law permits and what privacy requires has never been wider. This article examines the three most significant government access frameworks — the US CLOUD Act, India’s Section 69 of the IT Act, and the UK’s Investigatory Powers Act — and the profound privacy concerns they raise.
⬥ ⬥ ⬥
I. The US CLOUD Act: Jurisdiction Follows the Provider, Not the Server
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), enacted on 23 March 2018, represents the most consequential rewriting of cross-border data access law in a generation. It was born from a specific legal impasse — the Microsoft Ireland case — but its implications extend far beyond the dispute that created it.
The Microsoft Ireland Case: The Catalyst
In 2013, the FBI sought a warrant under the Stored Communications Act (SCA) compelling Microsoft to produce emails associated with a customer’s account suspected of involvement in drug trafficking. Microsoft complied with the portion of the warrant seeking metadata stored in the United States but refused to produce the email contents, which were stored in its Dublin, Ireland data centre. Microsoft argued that the SCA’s mandatory disclosure provisions did not apply extraterritorially.
The Second Circuit Court of Appeals agreed with Microsoft, holding that the SCA warrant could not compel production of data stored overseas. The US government appealed to the Supreme Court. While that appeal was pending, Congress enacted the CLOUD Act, rendering the case moot — and fundamentally changing the rules of the game.
What the CLOUD Act Actually Does
The CLOUD Act has two principal components. First, it amends the SCA to clarify that US law enforcement can compel providers subject to US jurisdiction to produce data in their “possession, custody, or control” regardless of where that data is physically stored. Jurisdiction follows the provider, not the server. In practice that covers every US-headquartered company, and it can also reach a foreign provider with a substantial US presence. If Microsoft, Google, Amazon, or any other such provider stores your data in Frankfurt, Mumbai, or Sydney, a US warrant can reach it.
Second, it creates a framework for bilateral Executive Agreements that allow foreign law enforcement agencies to seek data directly from US technology companies, bypassing the notoriously slow Mutual Legal Assistance Treaty (MLAT) process. These agreements are intended to be reciprocal — the US also gains streamlined access to data held by providers in the partner country.
The Safeguards — and Their Limits
The CLOUD Act maintains a graduated access threshold. Access to communications content requires a search warrant, signed by an independent US judge, based on a finding of “probable cause” that a specific crime has occurred and that the specified account contains evidence of that crime. The warrant must describe with particularity the data to be searched or seized. Access to metadata — subscriber information, IP addresses, connection logs — faces lower thresholds and may be obtained through subpoenas or court orders.
The Act also includes a comity provision. A provider that receives a US warrant may move to quash or modify the demand if it reasonably believes the target is not a US person and does not reside in the US, the disclosure would create a material risk of violating a foreign country’s law, and the foreign country has a CLOUD Act Executive Agreement with the US. A court may grant the motion after a multi-factor balancing test weighing the interests of the US, the foreign state, the person whose data is sought, and the nature and severity of the offence being investigated.
Critics argue these safeguards are structurally insufficient. The probable cause requirement, while meaningful, applies only to content, not to the metadata that can reveal as much or more about a person’s associations, movements, and activities. The statutory comity motion is available only where the foreign country has an Executive Agreement, and as of 2025 only the United Kingdom (in force since October 2022) and Australia (in force since January 2024) have such agreements. For every other country, including India and all EU member states, a provider is left with the ordinary common-law comity doctrine, which the Act expressly preserves but which carries no statutory procedure and no guarantee of a hearing. The practical result is that providers can be compelled by US law to disclose data that foreign law prohibits them from disclosing.
Executive Agreements in Practice
| Partner Country | Signed / In Force | Scope | Key Provisions |
|---|---|---|---|
| United Kingdom | 2019 / Oct 2022 | Serious crime (≥3 years imprisonment) | 20,000+ UK orders transmitted to US companies; death penalty limitation; subscriber data and content |
| Australia | 2021 / Jan 2024 | Serious crime (≥3 years imprisonment) | Death penalty limitation; complements Assistance and Access Act 2018; reciprocal access |
| Canada | In negotiation | — | Formal negotiations announced; terms not yet public |
| European Union | In negotiation | — | GDPR Article 48 conflict unresolved; EU e-Evidence Regulation as parallel track |
AWS has reported that as of June 2025, there have been zero instances in which enterprise or government content data stored outside the US was disclosed to the US government in response to a CLOUD Act request. This may reflect genuine restraint, or it may reflect the chilling effect of the Act’s mere existence — providers may be structuring their operations to avoid scenarios where the conflict materialises. The Department of Justice’s own guidance advises prosecutors to seek data from the enterprise customer rather than the cloud provider wherever possible, which provides a practical safety valve but not a legal prohibition.
⬥ ⬥ ⬥
II. India’s Section 69: Sweeping Powers Without Judicial Oversight
India’s equivalent to the CLOUD Act’s data access provisions is found in Section 69 of the Information Technology Act, 2000, as amended in 2008 — a provision that grants government agencies extraordinarily broad surveillance and decryption powers with a framework of safeguards that critics describe as structurally inadequate.
The Statutory Framework
Section 69 empowers the Central Government or any State Government to direct any agency to intercept, monitor, or decrypt any information generated, transmitted, received, or stored in any computer resource. The grounds upon which such directions may be issued include sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States, public order, and — critically — the prevention of incitement to the commission of any cognizable offence, or for the investigation of any offence.
This last ground, “investigation of any offence”, dramatically expands the scope beyond what the earlier Indian Telegraph Act, 1885 permitted. Section 5(2) of the Telegraph Act allows interception on five grounds: the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, and preventing incitement to the commission of an offence. Section 69 carries these over, adds “defence of India”, and then adds investigation of any offence, which effectively extends surveillance powers to any criminal matter regardless of severity.
The Critical Difference
Under the US CLOUD Act, access to communications content requires a warrant issued by an independent federal judge based on probable cause. Under India’s Section 69, interception, monitoring, and decryption of all information, content and metadata alike, may be authorised by an executive officer (the Competent Authority: the Union Home Secretary, or the State Home Secretary for a State Government), with no judicial oversight whatsoever. The Review Committee that examines these orders is itself part of the executive branch, headed by the Cabinet Secretary (at the Centre) or the Chief Secretary (at the State level). The executive is, in effect, judge of its own cause.
The Ten Agencies Order of 2018
On 20 December 2018, the Ministry of Home Affairs issued an order authorising ten security and intelligence agencies to intercept, monitor, and decrypt information from any computer resource in India. These agencies include the Intelligence Bureau, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes, the Directorate of Revenue Intelligence, the Central Bureau of Investigation, the National Investigation Agency, the Cabinet Secretariat (RAW), the Directorate of Signal Intelligence (for Jammu & Kashmir and North-East), and the Delhi Police Commissioner.
The order provoked significant public and media outcry. Critics argued that it effectively authorised mass surveillance of digital communications, with no requirement that surveillance be targeted at specific individuals suspected of specific offences. The government maintained that the order merely formalised existing powers and did not confer any new authority. While this is technically correct — Section 69 already granted these powers — the formalisation of ten agencies’ authority to surveil any computer resource created a framework that is, in practice, far more permissive than what exists under either the US CLOUD Act or the UK’s Investigatory Powers Act.
Section 69(4): The Coercion Mechanism
What makes Section 69 particularly potent as a tool of government access is Section 69(4), which criminalises non-compliance. Any intermediary or person in charge of a computer resource who fails to assist with interception, monitoring, or decryption faces imprisonment of up to seven years and a fine. This criminal penalty, notably absent from the Indian Telegraph Act’s equivalent provisions, leaves a provider with no practical way to resist a surveillance order. There is no provision analogous to the CLOUD Act’s comity challenge, no statutory mechanism for the provider to move to quash the order (a constitutional writ petition is the only route), and no requirement that the order be judicially reviewed before execution.
The Destruction of Records: Built-In Opacity
Rule 23 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 requires the records relating to interception directions, and the intercepted material itself, to be destroyed on a rolling six-month (180-day) cycle except where the agency records that they are still required. While framed as a privacy safeguard, preventing indefinite retention of intercepted data, the provision has a deeply problematic consequence: it makes it practically impossible for an affected individual to prove that they were subjected to unlawful surveillance. Once the records are destroyed, the government can deny that any interception order was ever issued, and the individual has no evidence to present in any court proceeding challenging the surveillance.
⬥ ⬥ ⬥
III. The UK’s Investigatory Powers Act: The “Snoopers’ Charter”
The United Kingdom’s Investigatory Powers Act 2016 — widely criticised as the “Snoopers’ Charter” — represents perhaps the most comprehensive surveillance framework enacted by any Western democracy. It consolidates and expands a range of surveillance powers that had previously been scattered across multiple statutes.
The Act authorises many powers; three matter most here. Interception warrants permit the interception of communications in transmission, the digital equivalent of wiretapping. Equipment interference warrants authorise the hacking of devices to obtain data. And Technical Capability Notices (TCNs), the provision most directly comparable to Australia’s Assistance and Access Act, can require telecommunications operators to maintain the capability to give effect to warrants, including by removing electronic protection (encryption) that the operator itself has applied to communications or data.
Unlike India’s Section 69, the UK framework includes mandatory judicial authorisation. Interception and equipment interference warrants require approval by both a Secretary of State and a Judicial Commissioner, a “double lock” mechanism designed to prevent executive overreach. The same double lock applies to TCNs: the Secretary of State decides to give the notice, and a Judicial Commissioner must approve that decision on necessity and proportionality grounds before the notice can be given. What TCNs lack is any open or adversarial process. The notice is secret, the operator is prohibited from disclosing its existence, and the operator’s only recourse is to refer the notice back to the Secretary of State, who consults the Technical Advisory Board and a Judicial Commissioner before deciding whether to confirm, vary or revoke it. The users whose security is affected are never heard. This has drawn particular criticism: the power to compel a provider to weaken its own security is reviewed entirely behind closed doors.
The UK’s Crime (Overseas Production Orders) Act 2019, enacted to complement the US-UK CLOUD Act Executive Agreement, grants UK law enforcement agencies the power to obtain electronic evidence directly from service providers in the US. Since the Executive Agreement entered into force in October 2022, the UK has transmitted more than 20,000 orders to US companies — a figure that underscores both the scale of cross-border data access and the efficiency gains over the MLAT process.
⬥ ⬥ ⬥
IV. Comparative Analysis: Safeguards and Shortcomings
| Safeguard | US CLOUD Act | India — Section 69 IT Act | UK — Investigatory Powers Act |
|---|---|---|---|
| Judicial oversight | Yes — warrant from independent federal judge for content | No — executive authorisation only; Review Committee also executive | Yes: “double lock” (Secretary of State plus Judicial Commissioner) for intercept and equipment interference warrants and for TCNs; the process is closed and on the papers |
| Probable cause / necessity | Probable cause required for content; lower threshold for metadata | Broad statutory grounds; “investigation of any offence” sufficient | Necessity and proportionality required for intercept warrants |
| Provider can challenge | Yes — comity-based motion to quash (limited to Executive Agreement countries) | No — non-compliance punishable by up to 7 years imprisonment | Limited: a TCN can be referred back to the Secretary of State, who consults the Technical Advisory Board and a Judicial Commissioner; no open court challenge and no disclosure of the notice |
| User notification | Non-disclosure orders can prevent notification; delayed notification possible | No notification; records destroyed within 180 days | No general notification requirement; Investigatory Powers Tribunal provides retrospective review |
| Encryption | “Encryption neutral” — no authority to compel decryption | Can compel decryption; refusal punishable by 7 years | TCNs can require removal of electronic protection (encryption) applied by the operator |
| Extraterritorial reach | Yes — data anywhere in the world if held by US provider | Primarily territorial; applies to intermediaries operating in India | Overseas Production Orders via CLOUD Act agreement; TCNs have extraterritorial effect |
| Independent oversight | Congressional reporting; DOJ guidelines | Minimal — executive Review Committee meets bimonthly; no public reporting | Investigatory Powers Commissioner; annual reports published |
⬥ ⬥ ⬥
V. Privacy Concerns: The Case Against Unaccountable Government Access
The fundamental critique that unites privacy advocates across jurisdictions is not that governments should never have access to digital communications. It is that access without adequate safeguards, proportionality requirements, and independent oversight inevitably leads to abuse — and that the current frameworks fall short on all three counts.
The Absence of Legitimate Purpose Constraints
India’s Section 69 illustrates this concern most starkly. The ground of “investigation of any offence” places no threshold of seriousness on the crimes that can trigger surveillance. A petty theft investigation could, in theory, justify the interception and decryption of a citizen’s entire digital life. There is no requirement of proportionality — no obligation to demonstrate that less intrusive means of investigation have been exhausted or considered. The Supreme Court in K.S. Puttaswamy v. Union of India (2017) established that any restriction on the fundamental right to privacy must be (a) backed by law, (b) directed toward a legitimate aim, and (c) proportionate to that aim. Whether Section 69 in its current form survives this three-fold test remains an open and actively litigated question — the constitutional validity of Section 69 is currently under challenge before the Supreme Court in Internet Freedom Foundation v. Union of India.
The Conflict of Interest in Self-Review
Both India and the UK rely on review mechanisms that create conflicts of interest, though of different degrees. In India, the Competent Authority that authorises surveillance is the Home Secretary; the Review Committee that scrutinises those orders is headed by the Cabinet Secretary, a fellow member of the executive. The very branch of government with the greatest interest in surveillance is the branch that decides whether it is justified. In the UK, a Judicial Commissioner approves warrants and Technical Capability Notices, but the Commissioners review the Secretary of State’s conclusions on the papers and in secret, and a provider’s challenge to a TCN goes back to the same Secretary of State who issued it. Judicial involvement at the authorisation stage is real, but it is not an independent, adversarial hearing at which the affected person, or anyone on their behalf, is represented.
The Pegasus Precedent
The Pegasus spyware scandal, which came to global attention in 2021, demonstrated the real-world consequences of inadequate surveillance safeguards. Journalists, human rights activists, opposition politicians, and business executives were targeted using military-grade spyware allegedly sold to government clients. In India, the Supreme Court appointed a technical committee to investigate, and in Manohar Lal Sharma v. Union of India (2021), directed the committee to recommend amendments to the existing surveillance regime to ensure individual privacy. While the Pegasus controversy did not arise directly under Section 69, it exposed the same structural vulnerability: when surveillance powers are broad and oversight is weak, abuse is not merely possible but predictable.
The GDPR Collision
The CLOUD Act collides with Article 48 of the GDPR, which provides that a judgment or decision of a third-country authority requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable if based on an international agreement, such as a mutual legal assistance treaty, in force between that country and the EU or a Member State. The CLOUD Act allows US authorities to demand data from providers subject to US jurisdiction regardless of where it is stored, including within the EU, without any such agreement; the EU-US Executive Agreement that would supply one is still under negotiation. For European businesses using US-headquartered cloud providers this leaves an unresolved tension: the provider can be compelled by a US court to disclose data that EU law prohibits it from disclosing, and must choose which law to break. The conflict has been a driver of European data sovereignty initiatives and of enterprise interest in EU-owned cloud providers.
⬥ ⬥ ⬥
VI. What Must Change: Principles for Reform
Drawing from the comparative analysis above and the principles established by the Supreme Court of India in Puttaswamy, the European Court of Human Rights in its surveillance jurisprudence, and the UN High Commissioner for Human Rights’ reports on digital surveillance, the following principles should guide reform of government access frameworks worldwide.
1. Mandatory judicial authorisation. No surveillance or data access order should be issued or executed without prior approval by an independent judicial authority. Executive self-authorisation, no matter how many layers of executive review are added, cannot substitute for judicial independence.
2. Proportionality and necessity. Every order must demonstrate that the surveillance is necessary for a legitimate aim, proportionate to the seriousness of the offence under investigation, and that less intrusive means of obtaining the evidence have been considered and found inadequate.
3. Serious crime thresholds. Surveillance and data access powers should be reserved for serious offences — not extended to the investigation of any cognisable offence regardless of severity.
4. Notification and challenge rights. Affected individuals should be notified of surveillance after the operational need for secrecy has passed, and should have effective means to challenge the legality of the surveillance before an independent tribunal.
5. Transparency and public reporting. Governments should publish annual statistics on the number of surveillance orders issued, approved, rejected, and reviewed — disaggregated by authorising agency and statutory ground invoked.
6. Encryption integrity. Governments should not compel providers to weaken or circumvent encryption. The security of encrypted communications benefits criminals and law-abiding citizens alike, and weakening encryption for one necessarily weakens it for all.
⬥ ⬥ ⬥
VII. Conclusion: The Surveillance State and the Rule of Law
The US CLOUD Act, India’s Section 69, and the UK’s Investigatory Powers Act represent three distinct answers to the same question: how much access should governments have to the digital lives of their citizens, and everyone else? The US approach prioritises judicial oversight for content but extends its reach globally through provider-based jurisdiction. India grants its executive sweeping powers with minimal independent oversight and criminal penalties for non-compliance. The UK attempts a middle path: its “double lock” puts a Judicial Commissioner behind every warrant and every Technical Capability Notice, but the most intrusive of those powers, compelling a provider to remove the protection it applies to its own users’ data, is exercised in secret and challenged, if at all, behind closed doors.
None of these frameworks adequately resolves the fundamental tension. Legitimate law enforcement needs are real: terrorism, child exploitation, and organised crime increasingly operate through encrypted digital channels. But the history of surveillance — from COINTELPRO to Pegasus — demonstrates that broad powers with weak oversight are inevitably abused. The question is not whether governments need access to digital evidence. The question is whether the rule of law — judicial independence, proportionality, transparency, and accountability — will govern that access, or whether it will be subordinated to the convenience of the executive.
For Practitioners and Businesses: If your data, or your clients’ data, is stored with a US-headquartered cloud provider, the CLOUD Act means US law enforcement can reach it regardless of where the servers are located. What it reaches is whatever the provider can produce: data encrypted under keys the provider never holds can be produced only as ciphertext, so who holds the keys matters at least as much as where the servers sit. If you operate in India, Section 69 means government agencies can intercept and decrypt any information on any computer resource, and Section 69(4) makes refusing to assist with decryption a criminal offence, so a key held by an Indian entity is itself reachable. These are not theoretical risks. They are the legal reality of cloud computing in 2026. The time to assess your jurisdictional exposure, evaluate your provider’s data access and transparency reporting policies, and advise your clients on encryption, key custody and data localisation strategies is now.
Advocate, Punjab & Haryana High Court · Founding Partner, M & D Law Associates LLP
With over 22 years of practice spanning constitutional law, PIL, technology law, and data protection, Advocate Dhull brings a practitioner’s perspective to surveillance, privacy rights, and digital sovereignty. He has filed over 3,000 RTI applications and has led PILs on issues ranging from government accountability to digital rights. He is the architect of the LexPatra legal technology platform.
Juris Altus | jurisaltus.com | Excellence in Legal Practice & Innovation
Panchkula • Delhi-NCR • International Alliance Network