Tech
Cloud act: are your client files at risk? Complete guide for lawyers
February 21, 2026
•
Solan Després (7 min)
Imagine this scenario:
You are defending a client in a sensitive case. All your communications, strategies, and evidence are stored in the cloud. One day, without warning, US authorities seize your entire correspondence with your client — not through an international letter rogatory, but directly from your US-based cloud provider. You are not informed. You cannot oppose it. Professional secrecy is violated.
This scenario is not science fiction. This is the Cloud Act.
Adopted in 2018 by the United States, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows US authorities to access data stored by US companies, wherever it is in the world. Google, Microsoft, Amazon, Dropbox, Apple… No exceptions.
For French lawyers, bound by absolute professional secrecy, this American law represents a direct threat: it conflicts head-on with your ethical obligations and the European GDPR.
In this complete guide, we break down the Cloud Act, its concrete implications for your law firm, and the solutions to protect your client files.
The Cloud Act Decoded: What Every Lawyer Needs to Know
What exactly is the Cloud Act?
The CLOUD Act (US federal law of March 23, 2018) amends the Stored Communications Act of 1986 to adapt it to the era of cloud computing.
Key principle: US-based technology companies (cloud service providers, messaging services, social media) must provide US authorities with all data stored on their servers, regardless of the physical location of those servers.
In practice:
- Google stores your emails on a server in Dublin (Ireland)? → US authorities can access them through the Cloud Act.
- Microsoft hosts your OneDrive files in Amsterdam? → Accessible by US authorities.
- Dropbox replicates your data between the US and Europe? → All accessible.
The geographic location of servers no longer protects your data if the provider is American.
In these frequent processes:
No intervention from French justice is required. No international letter rogatory. The Cloud Act completely bypasses traditional judicial cooperation.
The user (you) is generally not informed of the seizure.
What data is concerned?
All data stored by the US company:
- Emails (Gmail, Outlook.com, Yahoo Mail)
- Cloud files (Google Drive, OneDrive, Dropbox, iCloud)
- Messages (WhatsApp, Facebook Messenger, Skype)
- Contacts, calendars, notes
- Metadata (who contacted whom, when, from where, for how long)
- Connection histories and logs
For a lawyer using Google Workspace or Microsoft 365:
- All your emails with clients
- All your shared files
- All your appointments (Google Calendar, Outlook Calendar)
- All your work documents (contracts, procedures, strategies)
The Cloud Act allows full access.
Cloud Act vs Professional Secrecy: The Legal Conflict
Professional secrecy of the lawyer in France
In France, the professional secrecy of the lawyer is a fundamental principle, protected by:
- Article 66-5 of the law of December 31, 1971: "The professional secrecy of the lawyer is of public order. It is general, absolute, and unlimited in time."
- Article 226-13 of the Penal Code: Violation of professional secrecy is punishable by a fine and imprisonment (1 year in prison, 15,000€ fine).
- National Rules of Professional Conduct (RIN): Articles 3 and following.
The secrecy covers:
All lawyer-client communications, all documents related to defense, all legal consultations, all information entrusted by the client.
The Cloud Act contradicts professional secrecy
The Cloud Act does not recognize any foreign professional secrecy protection.
Typical scenario:
- US authorities are investigating a company (e.g., money laundering, tax fraud, sanctions violations).
- This company consulted a French lawyer.
- US authorities ask Google/Microsoft to provide all the lawyer's emails.
- Google/Microsoft must provide the emails, even if they are protected by French professional secrecy.
- The French lawyer is not informed of the seizure.
- Professional secrecy is violated.
The lawyer finds themselves in an impossible situation:
- They have an ethical obligation of secrecy (France)
- But the data they thought was protected is accessible by US authorities (Cloud Act)
Result: Violation of professional secrecy without the lawyer being able to oppose it, as the seizure happens directly from the cloud provider.
GDPR vs Cloud Act: Europe Resists
The Schrems II ruling (2020): invalidation of the Privacy Shield
In July 2020, the Court of Justice of the European Union (CJEU) issued a landmark ruling: Schrems II (Case C-311/18).
Decision: Invalidation of the "Privacy Shield," the agreement that governed EU-US data transfers.
Reason: US surveillance laws (including the Cloud Act) do not provide an equivalent level of protection to the GDPR. European citizens have no effective remedy against US surveillance.
It was agreed that personal data transfers to the United States no longer benefit from automatic adequacy mechanisms. Each company must assess on a case-by-case basis whether a transfer is legal.
For lawyers: Using Gmail, Google Drive, OneDrive, Dropbox means transferring data to the US and a high risk of non-GDPR compliance.
The Data Privacy Framework (2023): solution or patch?
In July 2023, the European Commission adopted the Data Privacy Framework (DPF), a new EU-US agreement aiming to replace the Privacy Shield.
Promise: Enhanced safeguards on US surveillance, a remedy mechanism for European citizens.
However, many experts (including Max Schrems, the activist behind Schrems II) argue that the DPF does not address the fundamental problems: US authorities can still access data without European control.
For lawyers: Do not rely on the DPF to guarantee compliance. Opt for sovereign solutions that completely avoid US transfers.
The position of the CNIL and French authorities
The CNIL (National Commission for Information Technology and Liberties) has issued several clear recommendations:
- 2020 Recommendation (post-Schrems II): Avoid data transfers to the US if possible, prefer European hosts.
- 2023 Recommendation: Professions requiring secrecy (lawyers, doctors, notaries) MUST use sovereign clouds.
CNIL sanctions:
The CNIL has sanctioned several companies for using non-compliant US clouds and is intensifying its controls.
Guide
How to Protect Your Client Files from the Cloud Act
Principle 1: Data Sovereignty
The only way to fully protect yourself from the Cloud Act is to avoid US providers. Choose sovereign solutions: European operator, hosting in Europe, GDPR compliance.
Examples: OVHcloud, Scaleway, DIV Protocol.
Principle 2: End-to-End Encryption (E2E)
End-to-end encryption guarantees that only you and authorized persons can read your files. Even if US authorities seize the data, it remains unusable without the encryption keys. It is essential to ensure your provider does not store them (Zero Knowledge approach).
Principle 3: Traceability and Auditability
Ensure that your data is traceable through detailed and time-stamped logs, using inviolable technologies like blockchain to guarantee the integrity of the data.
Sovereign Solutions Recommended for Lawyers
Cloud Avocats (CNB)
A free solution for lawyers registered with a French Bar. It is GDPR-compliant and protects professional secrecy, although its features are limited.
NetExplorer
Another French solution specialized for regulated professions, with GDPR compliance, although it only offers sharing without creation or storage.
DIV Protocol
An advanced sovereign cloud solution with end-to-end encryption and blockchain traceability, ideal for lawyers with security needs and looking for a long-term governance approach.
Conclusion: Take Control of Your Data
The Cloud Act is not a distant threat; it is a factor you need to understand and manage. It’s time to act. Protect your client files and ensure your firm complies with professional secrecy and GDPR by opting for a sovereign solution. Control of your data is in your hands.
Take control of your data. Move to sovereign cloud.
Protect Your Client Files from the Cloud Act with DIV Protocol
Free demo with our team
Internal links:
External links:
#Cloud Act
#Lawyer Data Protection
#Lawyer Professional Secrecy
#Cloud Act Lawyer France
#GDPR Data Security