The law that made everyone look up from their Microsoft 365 dashboard
In 2018, the United States enacted the Clarifying Lawful Overseas Use of Data Act, better known as the CLOUD Act. The key point is simple enough to fit on a sticky note, although ideally not one attached to your monitor: a provider of electronic communication or remote computing services that is subject to U.S. jurisdiction may be required to preserve, back up, or disclose content and records within its possession, custody, or control, regardless of whether the data is stored inside or outside the United States.
That last part is the bit that makes privacy lawyers reach for espresso.
Before the CLOUD Act, Microsoft fought a major case over whether U.S. authorities could require it to produce emails stored in Ireland. The Supreme Court case became moot after Congress passed the CLOUD Act and the government obtained a new warrant under the new law. In other words, the courtroom drama ended not with a final judicial thunderclap, but with Congress quietly changing the script.
The European Data Protection Board and European Data Protection Supervisor later described the CLOUD Act as clarifying that U.S. authorities can require production of data stored abroad by a provider subject to U.S. jurisdiction. They also warned that this route may bypass traditional mutual legal assistance processes between governments.
So the old comfort blanket, “but our data is stored in Europe,” is not quite the blanket it used to be. More like a napkin with confidence issues.
The Microsoft and ICC episode: not CLOUD Act, but still a very loud alarm bell
In 2025, reports said Microsoft cancelled the email address of ICC Chief Prosecutor Karim Khan after U.S. sanctions were imposed. AP reported that the sanctions disrupted the work of the Hague-based court, froze Khan’s bank accounts, and forced him to move to Proton Mail, a Swiss email provider.
This matters because it shows a second problem beyond data disclosure: service dependency.
The CLOUD Act is about government access to data. Sanctions are about restrictions on providing services, support, or technology to designated persons or entities. Different legal tool. Same unpleasant lesson.
A law firm may think it bought email, document storage, collaboration tools, and calendaring. What it also bought, often without thinking too hard about it, is a dependency on the legal and political environment of the provider.
That does not mean Microsoft 365, Google Workspace, AWS, or other U.S. providers are “bad.” They are sophisticated, secure, and widely used for good reasons. It does mean they are not magic castles floating above national law. They are companies. Companies have headquarters. Headquarters have regulators. Regulators have pens. Pens sign orders.
Data residency is not data sovereignty
Many cloud vendors offer EU data residency, local data centers, and region controls. Those are useful. They may help with latency, compliance, procurement, and regulatory expectations.
But data residency answers the question: Where is the server?
Data sovereignty asks a harder question: Who can legally compel the provider?
Those are not the same question. They are cousins who look similar at family weddings and then disagree about everything.
A U.S.-based provider with data in Frankfurt may still be subject to U.S. legal obligations. A European provider with U.S. subsidiaries, U.S. infrastructure, U.S. personnel, U.S. investors, or U.S. operational dependencies may still have exposure. And even a provider outside U.S. jurisdiction may receive requests through mutual legal assistance treaties or local authorities.
So the correct phrase is not “out of reach of the U.S. government.” That is too absolute. The better phrase is:
Harder to reach directly, and less useful to reach if the provider cannot decrypt the data.
That is less catchy, admittedly. It will not fit on a mug. But it is the truth, and truth is annoyingly wordy.
Encryption: the safe, not the invisibility cloak
Encryption changes the risk analysis. Proper end-to-end encryption or zero-knowledge encryption can mean that the provider does not hold the key to read the content. If a government compels the provider, the provider may be able to hand over only encrypted material, account details, logs, and metadata.
That is better. Much better.
But encryption is not a Harry Potter cloak. It does not make the whole problem vanish.
There are three big questions:
First, who holds the keys? If the cloud provider holds the keys, the provider may be technically able to decrypt the data. If the client or law firm holds the keys, the provider’s ability to disclose readable content is reduced.
Second, what is encrypted? Some services encrypt message bodies but not subject lines. Some encrypt files but not filenames. Some encrypt stored content but not traffic logs, sharing records, or account recovery details.
Third, what happens at the endpoints? If a lawyer’s laptop is compromised, the most beautiful encryption architecture in Switzerland will not save the day. The attacker does not need to crack the vault if the door is open and the associate is logged in.
Metadata: the gossip columnist of the digital world
Even when content is encrypted, metadata can still talk. Sometimes it talks too much. Frankly, metadata has never understood professional boundaries.
Metadata can include who emailed whom, when, from what IP address, the size of a file, login times, message routing, subject lines, attachment names, folder structures, sharing links, device identifiers, and audit logs.
For ordinary matters, that may be mildly sensitive. For certain clients, it may be explosive.
Consider what metadata alone can reveal:
A law firm emails a merger target every night at 11:43 p.m. for three weeks. A partner suddenly starts exchanging large encrypted files with a competition authority. A human rights lawyer communicates with a whistleblower in a specific country. A family lawyer’s calendar repeatedly shows meetings involving a high-profile spouse. No one has read the content, but the outline of the story is already standing in the doorway wearing a name tag.
Proton, for example, states that Proton Mail message bodies are encrypted and that it does not have access to encrypted message content after messages are encrypted. But Proton also explains that email subject lines are not end-to-end encrypted because of OpenPGP and email interoperability standards.
That is not a criticism. It is a reminder that “encrypted email” is not one single thing. It is a menu. You need to read it before ordering.
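An added example, not part of the original article: a Python sketch of what a mail provider can still read from a stored OpenPGP (PGP/MIME) message without the recipient's private key. The message, addresses, IP address and ciphertext placeholder are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: a PGP/MIME (RFC 3156) message as a provider would store it.
# Every address, header value and the "ciphertext" below is invented.
RAW = """\
From: partner@lawfirm.example
To: cfo@target-co.example
Date: Tue, 04 Mar 2025 23:43:10 +0100
Subject: URGENT: potential fraud issue
Message-ID: <constructed-0001@lawfirm.example>
Received: from [203.0.113.7] by mx.provider.example; Tue, 04 Mar 2025 23:43:11 +0100
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

METADATA_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Message-ID", "Received")

def provider_view(raw):
    """Return what is readable without the recipient's private key."""
    msg = message_from_string(raw)
    readable = {h: msg.get_all(h) for h in METADATA_HEADERS if msg.get_all(h)}
    opaque_bytes = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload()
        if "BEGIN PGP MESSAGE" in payload:
            opaque_bytes += len(payload.encode())  # only the size leaks
        elif part.get_content_type() != "application/pgp-encrypted":
            # A part sent outside the encrypted container: name and content exposed.
            readable.setdefault("cleartext_parts", []).append(
                part.get_filename() or part.get_content_type())
    return {"body_encrypted": msg.get_content_type() == "multipart/encrypted",
            "readable": readable, "opaque_bytes": opaque_bytes}

if __name__ == "__main__":
    print(provider_view(RAW))
```

The body is opaque, yet sender, recipient, timestamp, originating IP and the subject line all remain readable, along with the approximate size of the encrypted payload.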
The privacy-focused alternatives
A law firm looking beyond U.S.-controlled cloud services has several categories to consider.
Proton Suite is the most obvious name for many firms because it offers a broader ecosystem: Mail, Calendar, Drive, VPN, and password management. Proton is based in Switzerland and says it rejects direct foreign authority requests, although Swiss authorities may assist foreign authorities through valid international legal assistance procedures. Proton also publishes transparency statistics for legal orders.
Proton can be a strong option for firms that want a privacy-centered suite with a more polished user experience. But firms should understand its limits, especially around email metadata and subject lines. It is not “Microsoft 365, but with a Swiss flag and a force field.”
Tuta, based in Germany, takes a different approach. Tuta says it encrypts emails, subject lines, attachments, calendars, contacts, inbox rules, filters, and search indexes, while email addresses and dates remain unencrypted because of how email delivery works. Tuta’s transparency report says it releases individual mailboxes only with valid German court orders and that encrypted stored mailbox data cannot be decrypted by Tuta.
That makes Tuta interesting for firms with heightened metadata concerns, especially where subject lines matter. And in law, subject lines always matter, because someone will eventually write “URGENT: potential fraud issue” and ruin everyone’s Tuesday.
Tresorit is more focused on secure file storage, sharing, and data rooms. It positions itself as a Swiss, end-to-end encrypted, zero-knowledge cloud service, with data hosting options in Switzerland or the EU. That can be attractive for law firms needing secure document exchange, transaction rooms, litigation bundles, or sensitive client portals.
CryptPad is an end-to-end encrypted, open-source collaboration suite. It can be useful for collaborative documents, notes, spreadsheets, forms, kanban boards, and shared workspaces where privacy matters. It may be more appropriate for specific workflows than as a full replacement for an enterprise legal stack.
There are also self-hosted or European-hosted options built around Nextcloud, client-side encryption tools, encrypted archives, secure portals, and private document management systems. These can be excellent, but only if configured and governed properly. A badly run self-hosted system is not sovereignty. It is a filing cabinet on fire with a “GDPR compliant” sticker.
What about staying on Microsoft 365 but tightening the bolts?
For many firms, the realistic answer is not “cancel Microsoft by Friday.” It is “classify what belongs in Microsoft, what needs extra controls, and what should not be there at all.”
Microsoft offers tools such as Customer Key and Double Key Encryption. Customer Key adds customer-managed encryption for certain Microsoft 365 data at rest, while Double Key Encryption is designed for highly sensitive data and lets the customer control one of the encryption keys. Microsoft itself notes that Double Key Encryption is not for every organization or all data.
That matters. These tools can reduce certain risks, especially around key control. But they do not solve everything. They do not eliminate all metadata. They do not remove dependency on the provider. They do not make sanctions risk disappear. And they may complicate search, collaboration, recovery, e-discovery, and user experience.
In other words, stronger encryption often behaves like a very serious bouncer. Excellent at keeping people out. Occasionally also excellent at keeping you out.
The law firm security ladder
The question is not “Should every law firm move everything to Proton and communicate only through encrypted carrier pigeons?”
The better question is: What level of security is reasonable for this firm, this client base, and this type of work?
That is also closer to the ethics standard. ABA Model Rule 1.6(c) requires lawyers to make reasonable efforts to prevent unauthorized disclosure or access to client information. The comments to the rule say reasonableness depends on factors such as the sensitivity of the information, likelihood of disclosure, cost, difficulty of safeguards, and impact on the lawyer’s ability to represent clients. ABA Formal Opinion 477R similarly says ordinary internet communication may be acceptable with reasonable efforts, but special precautions may be required where the client agreement, law, or nature of the information calls for a higher degree of security.
So let’s build a practical ladder.
Level 1: Regular legal work
This is the daily diet of many firms: contracts, routine employment advice, wills, property, commercial correspondence, ordinary litigation, standard corporate work.
For this level, mainstream cloud services may be appropriate if properly configured. The important words are “properly configured,” which is where many horror films begin.
At a minimum, firms should use multi-factor authentication, strong device management, encryption at rest and in transit, conditional access, proper offboarding, audit logs, backups, retention policies, and a secure client portal rather than sending every document as an email attachment named “final_final_REALFINAL.docx.”
This level is not casual. It is just not “international tribunal under sanctions” level.
Level 2: Sensitive commercial and regulated work
This includes trade secrets, employment investigations, health data, financial services work, tax planning, private wealth, internal investigations, data breach response, and higher-value disputes.
Here, the firm should start separating ordinary collaboration from sensitive workspaces. Use encrypted portals, limit external sharing, apply strict access controls, reduce email attachment use, and consider customer-managed keys or separate encrypted storage for especially sensitive files.
The firm should also ask providers awkward questions, which is healthy. Where is the data? Who can access it? Who holds the keys? What metadata is logged? What happens if a government request arrives? Will the firm be notified where legally possible? How fast can the firm export everything if the relationship turns into a pumpkin?
Awkward questions are due diligence wearing sensible shoes.
Level 3: High-confidentiality matters
This includes major M&A, antitrust investigations, white-collar defense, sanctions advice, politically sensitive matters, high-profile individuals, whistleblowers, activist clients, litigation involving states or state-owned entities, and matters where the mere identity of the client relationship is sensitive.
At this level, the firm should consider a dedicated secure environment. That may include encrypted email with disciplined subject lines, secure file exchange through zero-knowledge services, limited matter teams, separate devices for certain matters, client-specific communication protocols, and strict metadata hygiene.
The biggest shift at this level is cultural. Lawyers must stop treating email as a universal container for every secret the human mind has ever produced. Email is convenient. So is leaving the office door open with a tray of privileged documents labeled “please don’t look.”
Level 4: Exceptional risk
This is the “do not improvise” category. Think national security, war crimes, cross-border corruption, sanctioned entities or individuals, dissidents, journalists, source protection, life-and-liberty matters, or clients who may be targeted by state actors.
For these matters, a law firm should not rely on ordinary cloud defaults. It should design an operational security plan with specialist input. That plan may include non-U.S. providers with strong encryption, client-held keys, minimized metadata, compartmentalized communications, strict device controls, out-of-band verification, secure deletion, and clear rules about what never enters standard email or document management systems.
This is not paranoia. It is tailoring the lock to the value of what is behind the door.
The uncomfortable conclusion
Cloud services are not unsafe simply because they are American. European services are not safe simply because they are European. Swiss services are not magical because the mountains look trustworthy.
The real issue is control.
Who controls the company?
Who controls the keys?
Who controls the metadata?
Who controls access?
Who controls the backups?
Who controls the legal response when a government order arrives?
And, perhaps most importantly, does the law firm understand the answer before something goes wrong?
For law firms, the goal is not to hide from lawful obligations. The goal is to avoid sleepwalking into unnecessary exposure. Client confidentiality is not a decorative clause in the engagement letter. It is the foundation stone. The cloud can support it, but only if lawyers remember that clouds have owners, owners have jurisdictions, and jurisdictions have very long arms.
So the question for every firm is not: “Which cloud service is secure?”
The better question is:
What level of security do our clients actually need, and would we be comfortable explaining our answer to them after a breach, subpoena, sanctions event, or access dispute?
Because in law, as in cloud security, the worst time to ask where the parachute is kept is after the plane has started making interesting noises.
