A US law that lets authorities demand your data from any American company, no matter where in the world it's stored.
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) means that if your data is held by a US company — Google, Apple, Microsoft, Amazon, Dashlane, LastPass — the US government can legally demand it, even if it's stored on a server in Europe, Australia, or anywhere else.
US law enforcement serves a warrant or subpoena on a US-headquartered company. The company must comply regardless of where the data is physically stored. The law was passed in 2018, partly in response to the Microsoft Ireland case, in which Microsoft argued US warrants couldn't reach data stored in Dublin. The CLOUD Act settled that: they can.
Every US-based service you use — even if they promise European data storage, even if they claim GDPR compliance — is subject to US government access. 'Zero-knowledge' architecture protects vault contents but not metadata: who you are, when you logged in, your IP address, your device IDs. That metadata is enough to identify and locate you.
Anyone using services from US companies: Google (Alphabet), Apple, Microsoft, Amazon (AWS), Meta, Dashlane, LastPass, 1Password (Canadian but uses US infrastructure), Dropbox, Slack, Zoom. Even European companies using AWS or Azure for hosting may fall under CLOUD Act jurisdiction.
The Canadian truckers' Freedom Convoy showed how financial data can be weaponised. GoFundMe froze $10.1M in donations. The Canadian government expanded anti-money-laundering rules to cover crowdfunding platforms. 200+ bank accounts were frozen ($8M). A single mother had her account frozen for donating $50. A federal judge later ruled the Emergencies Act invocation was 'unreasonable and ultra vires' — the freezes were illegal.