How to Respond to a Data Protection Authority Inquiry About Your US Cloud Provider Arrangements
A letter from your national data privacy supervisory authority is not a routine compliance exercise. When a Data Protection Authority asks about your US cloud provider arrangements, it is asking a precise question: how have you ensured that data you process through US platforms is protected against US government access?
The inquiry may be triggered by a data subject complaint, a national audit programme, or enforcement trends following Schrems II. Whatever the trigger, the response requires the same thing — a clear, documented, and technically verifiable account of how your organisation has addressed an exposure that contracts alone cannot resolve.
In this post, we’ll walk you through a four-stage response framework for DPOs and legal and compliance teams who have received such an inquiry: Assess, Document, Remediate, and Engage.
Executive Summary
Main Idea: A DPA inquiry about US cloud provider arrangements is a direct challenge to your GDPR Chapter V compliance posture — specifically whether your Transfer Impact Assessments are honest, your supplementary measures are technically effective, and your data sovereignty documentation holds up to scrutiny. Customer-controlled encryption, with keys held by the European organisation rather than the provider, is the architectural measure the EDPB has endorsed as capable of addressing US surveillance law exposure.
Why You Should Care: Under GDPR Article 58, DPAs have broad investigative and corrective powers — including the authority to impose a temporary or permanent ban on processing, order suspension of data flows, and levy fines up to €20 million or 4% of global annual turnover. Aggregate GDPR fines since 2018 have exceeded €5.88 billion. Poor cooperation with a DPA can itself constitute a violation. How you respond — the quality of your documentation, the credibility of your supplementary measures, and your willingness to remediate — will materially influence the outcome.
5 Key Takeaways
- Understand what the DPA is actually asking before you respond. Most inquiries reduce to one question: does your provider have technical access to the plaintext data you process through it? Everything else — your SCCs, TIAs, DPF reliance — is context for that answer.
- EU data centre location is not a defence. The CLOUD Act follows provider control, not data location. A US company operating EU infrastructure retains possession and control of data stored there. DPAs across Europe are familiar with this distinction and will expect your response to address it directly.
- The EU-US Data Privacy Framework does not resolve CLOUD Act exposure. The DPF governs transfer rules for certified US companies. It does not prevent CLOUD Act or FISA Section 702 demands. If DPF reliance is your primary mitigation, your response must explain why — and that explanation is difficult to make credible.
- Inadequate Transfer Impact Assessments are an aggravating factor. A TIA that identifies CLOUD Act risk and concludes it is mitigated by contractual measures alone may indicate the compliance process was not conducted in good faith — not merely that the outcome was wrong.
- Remediating before you respond materially strengthens your position. A DPA inquiry with a remediation plan already in motion — backed by evidence that customer-managed encryption is being deployed — is a fundamentally different conversation from one where the organisation still relies on the same architecture being questioned.
The Enforcement Context: Why DPAs Are Asking This Question
DPA inquiries about US cloud provider arrangements did not appear from nowhere. They are the downstream consequence of a sequence of legal and political developments that began with the CJEU’s Schrems II ruling in July 2020 and have intensified since. Understanding this context helps DPOs frame their responses accurately and avoid treating the inquiry as an isolated administrative event.
The Legal Background: Schrems II, the CLOUD Act, and the DPF’s Fragility
Schrems II invalidated the EU-US Privacy Shield and confirmed that standard contractual clauses require supplementary measures where US law undermines their effectiveness. The EDPB’s Recommendations 01/2020 identified customer-controlled encryption — where the US provider never has access to the unencrypted data or keys — as the primary technical supplementary measure for addressing US surveillance law exposure. Organisations that completed post-Schrems II TIAs without reaching this conclusion should examine whether those assessments were adequate.
The US CLOUD Act of 2018 compounds this. It requires US companies to produce data stored anywhere in the world upon receiving a valid US government demand, regardless of storage location. GDPR Article 48 prohibits personal data transfers to non-EU authorities solely on the basis of a foreign court or administrative order — and the CLOUD Act is not an international agreement within the meaning of that provision. The conflict between the two frameworks is structural.
The EU-US Data Privacy Framework, adopted in July 2023, does not resolve CLOUD Act exposure. It governs transfer rules for certified companies — it does not prevent US government demands. FISA Section 702 was reauthorised in April 2024 with expanded scope. In early 2025, the Trump administration removed three of the five members of the US Privacy and Civil Liberties Oversight Board — the body overseeing DPF intelligence commitments — leaving it without a quorum. The DPF’s predecessors, Safe Harbour and Privacy Shield, were both invalidated by the CJEU. DPF certification alone does not constitute adequate mitigation.
Why Enforcement Is Intensifying
DPA enforcement has moved through distinct phases since 2018. The initial period was characterised by guidance and orientation. Since 2022, enforcement has intensified sharply — including the first billion-euro GDPR fine, levied against Meta in 2023 for unlawful US data transfers. The 2024 DLA Piper GDPR Fines Survey recorded €1.2 billion in fines across Europe in that year, with enforcement expanding beyond technology into financial services and energy. Total GDPR fines since 2018 now exceed €5.88 billion. Enforcement is no longer confined to large organisations or household names. DPAs are increasingly investigating mid-market and sector-specific organisations, using the EDPB’s Coordinated Enforcement Framework to align national priorities. US transfer arrangements are established enforcement priorities in every major European jurisdiction.
Stage 1 — Assess: Understand What the DPA Is Actually Asking
The first step when an inquiry arrives is not to draft a response. It is to understand what triggered it, what the authority is asking for, and what your current architecture actually looks like. Responding too quickly risks providing an incomplete account that creates more problems than it resolves.
Identify the Inquiry Type and Its Implications
DPA inquiries about US cloud arrangements fall into three categories: complaint-driven (a data subject or competitor has filed a complaint); audit-driven (a national or EDPB-coordinated audit of US cloud use in your sector); or intelligence-driven (the DPA identified potential violations through its own monitoring). The category shapes what the authority already knows and how much latitude you have in framing your response.
Map Your Actual Technical Exposure
Conduct an honest internal assessment before you write a word of your response. The central question is simple: does your US cloud provider have technical access to the plaintext data you process through it? Does it manage encryption keys as part of its service? If yes to either, you have real exposure — not a theoretical one — and your response must account for it. Map your findings against your Article 30 records, your existing TIAs, and your transfer mechanisms, identifying every US provider relationship in scope.
Stage 2 — Document: Assemble the Evidence Package
DPAs expect documentary evidence, not assertions. Under GDPR Article 58, they have authority to demand access to all information necessary for their tasks. GDPR Article 5(2) places the accountability obligation squarely on the controller — you must demonstrate compliance, not merely claim it.
What Your Evidence Package Must Contain
The core documents are your Transfer Impact Assessments for each US provider relationship in scope. Each TIA should demonstrate that you identified the relevant US laws (CLOUD Act, FISA 702), assessed how they impinge on your SCCs’ effectiveness, identified the supplementary technical measures adopted, and established why those measures achieve essentially equivalent protection. TIAs completed before you deployed customer-managed encryption should be updated before submission — that update is itself evidence of your accountability commitment.
Supporting technical evidence includes architecture diagrams showing where encryption is applied and where keys are held, key management procedures documenting that keys remain under EEA control, HSM deployment records, and audit logs demonstrating that access controls are operational. Article 30 records, Data Processing Agreements with your US providers, and any DPIA records for high-risk processing complete the package.
One area DPOs frequently underestimate: you need to demonstrate not just that you hold the keys, but that your provider cannot access plaintext data operationally — not for support, not for diagnostics, not through any service pathway. If the provider’s architecture does not support this, address it in the remediation stage before submitting your response.
Stage 3 — Remediate: Address Gaps Before You Respond
If the assessment reveals that your US provider has technical access to plaintext data or manages encryption keys on your behalf, the question is whether you can remediate before responding or must disclose the gap with a credible timeline. Either way, taking remediation steps before you respond is materially better than explaining a gap with no plan attached.
Deploying Customer-Managed Encryption as the Remediation Measure
The remediation measure the EDPB’s guidance identifies is customer-managed encryption: data encrypted before it reaches the US provider’s infrastructure, using keys the customer generates and retains independently in hardware security modules within EEA jurisdiction. When the US provider processes only ciphertext and never holds keys, a CLOUD Act demand reaches the provider but cannot produce readable data. The architecture resolves what contracts cannot.
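As an added illustration (not code from the original post or from Kiteworks), the Go program below models the two architectures this section and the evidence-package discussion contrast: a provider that operates the key store can turn a stored record back into plaintext when a demand arrives, while a provider that only ever receives ciphertext sealed under a key held in the customer's own store cannot. KeyStore and Provider are constructed stand-ins, not any real HSM or cloud API, and the key store's only interface is Seal/Open so the key itself never crosses the customer boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

func random(n int) []byte { // n bytes from the OS CSPRNG
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// KeyStore is a constructed stand-in for a customer-operated HSM in the EEA (not a
// real HSM API): the AES-256 key is generated inside it and is never exported.
type KeyStore struct{ aead cipher.AEAD }
func NewKeyStore() *KeyStore {
	block, _ := aes.NewCipher(random(32)) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)       // cannot fail for an AES block
	return &KeyStore{aead: aead}
}
// Seal returns nonce || ciphertext || GCM tag; Open reverses it.
func (k *KeyStore) Seal(pt []byte) []byte {
	nonce := random(k.aead.NonceSize())
	return k.aead.Seal(nonce, nonce, pt, nil)
}
func (k *KeyStore) Open(blob []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	return k.aead.Open(nil, blob[:n], blob[n:], nil)
}

// Provider models the US platform: it stores the sealed blobs it is handed and, only
// in the provider-managed architecture, also operates the KeyStore (Keys != nil).
type Provider struct {
	Store map[string][]byte
	Keys  *KeyStore
}

// Disclose models the provider's response to a legal demand: plaintext only if it
// operates the key store, otherwise just the ciphertext it holds.
func Disclose(p *Provider, name string) ([]byte, bool) {
	if p.Keys == nil {
		return p.Store[name], false
	}
	pt, err := p.Keys.Open(p.Store[name])
	return pt, err == nil
}
```

The caller seals each record with its own KeyStore before writing it into Provider.Store, which is the "encrypted before it reaches the provider" step; the provider-managed case is the same code with the provider handed the KeyStore.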
For organisations across Germany, France, the Netherlands, and the UK, customer-managed encryption supports jurisdiction-specific key deployment without requiring separate infrastructure for each provider relationship. This does not require migrating off US platforms — it requires ensuring the encryption layer sits under your control before data reaches US infrastructure. Platforms that integrate secure email, secure file sharing, secure MFT, and secure web forms within a unified encryption model let organisations maintain existing cloud investments while closing the CLOUD Act gap the DPA is asking about. Document remediation steps in real time — a plan with milestones and a named responsible party demonstrates the accountability posture DPAs respond to positively.
Stage 4 — Engage: How to Respond to the Authority
With your exposure assessed, evidence assembled, and remediation either complete or in motion, you are ready to respond. How you engage — the tone, completeness, and transparency — will significantly influence the outcome.
Principles for an Effective DPA Response
Respond within the stated timeframe. Non-cooperation with a DPA is itself a violation under GDPR Article 83. If the timeframe is genuinely insufficient, contact the authority early to request an extension and explain why.
Be direct about gaps. DPAs have seen enough evasive responses to recognise one. If your prior TIAs relied on contractual measures that were insufficient, or if your provider managed encryption keys, acknowledge it directly alongside the steps taken to remediate. The EDPB and national DPAs consistently treat cooperation and demonstrated commitment to remediation as mitigating factors in enforcement decisions.
Lead with the technical architecture. The most persuasive evidence is not legal argument — it is a clear demonstration that your US provider cannot access plaintext data. Architecture diagrams, HSM deployment records, and RBAC matrices are the substance of a compelling response. Legal framing contextualises technical evidence; it does not substitute for it. Ensure your DPO signs off the response under GDPR Article 39, and if the DPO was insufficiently involved in the original TIA process, acknowledge that as part of your accountability narrative.
How Kiteworks Supports European Organisations Responding to DPA Inquiries
A DPA inquiry about your US cloud provider arrangements is an opportunity as much as a risk. Organisations that respond with honesty, technical evidence, and a credible remediation posture are in a fundamentally different position from those that submit documentation built on contractual assertions that will not withstand scrutiny. Responding well starts with assessing honestly — and ensuring your architecture matches the answer you give.
Kiteworks provides the technical architecture that makes a DPA inquiry response credible. The Private Data Network uses customer-managed encryption — keys held by the European organisation in jurisdiction-controlled HSMs, never accessible to Kiteworks or to US government demands. When a DPA asks whether your US provider has technical access to your plaintext data, the answer is no — and the architecture documentation to prove it is readily available.
Kiteworks supports jurisdiction-specific key deployment across Germany, France, the Netherlands, the UK, and other European jurisdictions, satisfying the EDPB’s Schrems II supplementary measure requirements. Comprehensive audit logs, access controls, and data governance documentation support the evidence package DPA responses require.
To learn more about data sovereignty and responding to DPA inquiries regarding US cloud provider arrangements, schedule a custom demo.
Frequently Asked Questions
What triggers a DPA inquiry about US cloud provider arrangements, and what powers does the authority have?
Inquiries are typically triggered by a data subject complaint, a national or EDPB-coordinated audit programme, or the DPA’s own monitoring activity. All three should be treated seriously. Under GDPR Article 58, DPAs have the authority to demand information, conduct audits, suspend data flows, and impose fines up to €20 million or 4% of global annual turnover. Non-cooperation itself can constitute a separate violation.
Is an EU data centre location a defence against CLOUD Act exposure?
The US CLOUD Act applies based on provider control, not data localisation. A US company operating EU infrastructure retains possession and control of the data it stores there. DPAs are well aware of this distinction following Schrems II. EU data centre location is not a defence against CLOUD Act exposure if the operator is a US company subject to US legal obligations.
Does the EU-US Data Privacy Framework resolve CLOUD Act exposure?
No. The DPF governs transfer rules for certified US companies — it does not prevent CLOUD Act or FISA Section 702 demands. FISA 702 was reauthorised with expanded scope in 2024, and the DPF faces active legal challenges. A response relying primarily on Privacy Shield’s successor as mitigation is unlikely to satisfy a DPA that has studied the enforcement history.
What does a credible Transfer Impact Assessment contain?
A credible TIA documents the relevant US laws (CLOUD Act, FISA 702), assesses how they impinge on standard contractual clauses’ effectiveness, identifies the technical supplementary measures adopted — specifically, that customer-controlled encryption keys are held in the EEA — and explains why those measures achieve essentially equivalent protection. Supporting technical evidence showing the provider cannot access plaintext data is the substance that makes the TIA credible.
What should we do if the assessment reveals that the provider can access plaintext data or manages our keys?
Disclose the gap directly and provide a documented remediation plan. DPAs consistently treat transparency and demonstrated commitment to remediation as mitigating factors. A response acknowledging a gap in its security posture alongside evidence of active remediation — including data governance improvements and deployment of customer-managed encryption — is substantially better than one that overstates historical compliance.