LawSnap
Privacy Artificial Intelligence Data Centers

Beyond the Server Location: Why the New Fight Over FISA 702 and the Cloud Act Matters to Corporate Privacy Strategy

Published
Source National Law Review open_in_new
Score
10

Why it matters

Core event: The headline highlights an intensifying corporate debate over FISA Section 702 and the CLOUD Act, emphasizing that U.S. jurisdiction over cloud providers—based on corporate control rather than server location—exposes global data to compelled access and surveillance, clashing with EU GDPR rules like Article 48.[1][3][6]

Involved parties: U.S. laws include FISA 702 (reauthorized via 2024 Reforming Intelligence and Securing America Act, RISAA, expanding "electronic communication service provider" to cover cloud/data centers) and 2018 CLOUD Act (enabling warrants for data worldwide from U.S.-controlled firms); agencies like FBI, CIA, DOJ, and ODNI (reporting 35% rise in U.S. person queries in 2025); companies such as AWS, Azure, Google, CrowdStrike, Microsoft; EU bodies (EDPB, CJEU via Schrems II); critics like Sen. Ron Wyden, EFF, Brennan Center; proposed reforms like SAFE Act.[2][3][4][5][7][11]

Context and timeline: FISA 702 (2008) enables warrantless surveillance of non-U.S. persons abroad, sweeping in U.S. data; RISAA (April 2024) reauthorized it to April 2026, broadened ECSP definition for cloud era; CLOUD Act (2018) mandates U.S. providers disclose data globally, conflicting with GDPR (no MLAT basis, SCCs insufficient); German white paper (April 2025) flagged EU risks; ODNI 2024 report (May 2025) showed query spikes from cyber threats.[1][2][5][6][7][8]

Newsworthy now: With FISA 702 sunsetting April 2026, reauthorization fights resume early 2025, urging corporate privacy shifts (TIAs, EU providers for sensitive data, vendor diligence amid AI/cloud growth); rising FBI queries, EU fines threats, and no hyperscaler fixes amplify urgency for strategies beyond data residency.[3][5][6][7][11]

Sources

[1] https://www.softwareseni.com/how-the-us-cloud-act-and-fisa-702-create-legal-exposure-for-eu-cloud-data/
[2] https://syntexsecurity.substack.com/p/cloud-architecture-as-surveillance?action=share
[3] https://btlaw.com/en/insights/alerts/2026/beyond-server-location-why-new-fight-over-fisa-702-and-cloud-act-matters-corporate-privacy-strategy
[4] https://haileyhr.com/blog/why-do-we-choose-not-to-use-american-cloud-provide/
[5] https://www.penncerl.org/the-rule-of-law-post/after-a-bruising-battle-fisa-section-702-lives-on-now-let-the-2026-section-702-reauthorization-debate-begin/
[6] https://natlawreview.com/article/beyond-server-location-why-new-fight-over-fisa-702-and-cloud-act-matters-corporate
[7] https://www.brennancenter.org/our-work/research-reports/section-702-foreign-intelligence-surveillance-act-fisa-2026-resource-page
[8] https://www.seald.io/blog/privacy-shield-invalid
[9] https://www.lawfaremedia.org/article/it-s-time-to-renew-section-702-of-fisa-permanently
[10] https://www.mofo.com/resources/insights/231229-fisa-section-702-reform-potential-implications-for-businesses
[11] https://www.nextgov.com/cybersecurity/2026/03/fbi-queries-americans-data-under-fisa-702-rose-35-2025/412103/
[12] https://www.civo.com/blog/is-your-cloud-truly-sovereign
[13] https://www.eff.org/deeplinks/2026/03/congress-dropping-ball-clean-extension-fisa
[14] https://www.kiteworks.com/gdpr-compliance/cloud-act-european-data-protection/
[15] https://www.harvey.ai/blog/debunking-myths-data-sovereignty-and-us-based-service-providers
mail

Get notified about new Privacy developments

Primary sources. No fluff. Straight to your inbox.

Related

View all Privacy

See more entries tagged Privacy.