The CLOUD Act and US Recruiting Software: What HR Teams Need to Know

If you use Greenhouse, Workday, Lever or Salesforce for recruiting, you're storing applicant data on US cloud infrastructure. That means a US law you may not have heard of applies to your hiring data: the CLOUD Act.
This article explains what the CLOUD Act is, where it conflicts with GDPR, and what you can do about it.
What Is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into US law in March 2018. It amended the Stored Communications Act so that a provider subject to US jurisdiction must produce data in its possession, custody or control when served with a valid warrant, subpoena or court order, regardless of where that data is physically stored.
That means: even if your ATS provider runs its servers in Frankfurt or Dublin, US law enforcement (for example the FBI, via the Department of Justice) can obtain an order and serve it on the provider in the US. Compliance is a legal obligation, not a voluntary act.
Key points:
- Extraterritorial reach: US authorities can obtain data from servers anywhere in the world, as long as the provider is subject to US jurisdiction
- No mutual legal assistance treaty required: a US order served on the provider is sufficient, and the authority of the country where the data sits need not be involved
- Providers cannot simply refuse: they can contest an order in a US court (the large providers say they challenge overbroad requests), but neither GDPR nor a contract with you gives them a right to refuse
- Applies to every provider under US jurisdiction: Microsoft, Google, AWS, Salesforce, Workday, Greenhouse, Lever, and their foreign subsidiaries
Why Does This Matter for Applicant Data?
Applicant data is among the most sensitive information a business processes. It typically includes:
- CVs with home addresses, dates of birth, photographs
- Salary expectations and negotiation notes
- Interview transcripts and internal assessments
- Test results and psychometric scores
- In some cases: health information, disability status, nationality
All of this sits in your ATS. If you use a US provider, it's potentially subject to the CLOUD Act.
The conflict with GDPR is direct: Article 48 GDPR states that a judgment or decision of a third-country court or authority requiring the disclosure of personal data is only recognised or enforceable in the EU if it is based on an international agreement, such as a mutual legal assistance treaty. A unilateral US order under the CLOUD Act is not based on such an agreement, and no general EU-US agreement of that kind exists.
The result: your US provider is caught between two legal systems. Handing over the data exposes it to a GDPR violation, and refusing exposes it to sanctions under US law.
CLOUD Act vs Schrems II vs DPA – What's the Difference?
These three topics often get lumped together. They're distinct issues.
Schrems II (2020)
The CJEU ruling in Schrems II (Case C-311/18, July 2020) invalidated Privacy Shield as a transfer mechanism for data flows to the US. Transfers then needed another legal basis, typically Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment (TIA). Since July 2023 the EU-US Data Privacy Framework (DPF) provides an adequacy decision for US companies that certify under it; it rests on US commitments about intelligence access and does not alter a provider's obligation to comply with CLOUD Act orders.
Whether you rely on SCCs or on a provider's DPF certification, your assessment must account for the CLOUD Act. If US government access is a realistic risk for the data in question, the transfer mechanism alone does not protect it.
DPA (Data Processing Agreement)
A DPA governs how your service provider handles data. It's mandatory under Article 28 GDPR. But a DPA does not protect against CLOUD Act requests – it only binds the provider to careful processing, not to refusing government orders.
CLOUD Act
The CLOUD Act operates where SCCs and DPAs reach their limits. It is a state-authorised access power – no civil law contract clause can override it.
In short:
- DPA → governs the processing contract (necessary but not sufficient)
- Schrems II → makes US data transfers complicated
- CLOUD Act → gives US authorities access across all borders
Which US Providers Are Affected?
Any provider of electronic communication or remote computing services that is subject to US jurisdiction falls under the CLOUD Act, which includes US companies and the foreign subsidiaries they control. In a recruiting context, that includes:
| Provider | Type | Headquarters |
|---|---|---|
| Greenhouse | ATS | New York, USA |
| Lever | ATS | San Francisco, USA |
| Workday | HCM/ATS | Pleasanton, USA |
| Salesforce Recruiting | CRM/ATS | San Francisco, USA |
| LinkedIn Talent Hub | Recruiting tool | Sunnyvale, USA |
| Indeed | Job board | Austin, USA |
| HireVue | Video interviews | South Jordan, USA |
| Pymetrics | Assessment | New York, USA |
European subsidiaries of these providers are also affected: the legal test is whether the provider has possession, custody or control of the data, not where the data sits or which group entity signs your contract.
What Does This Mean Legally for Your Organisation?
As data controller under GDPR, you bear primary responsibility. Your provider has its own processor obligations, but they do not discharge yours. If US authorities access applicant data held in your US ATS, you are accountable to the individuals concerned and to your supervisory authority.
Specific risks:
- Information obligation breach: You must inform applicants about all potential recipients of their data (Articles 13/14 GDPR). Failing to mention possible CLOUD Act access is a gap.
- No legal basis for third-country transfer: If the access is treated as a data transfer, no GDPR-compliant basis exists.
- Supervisory authority audit: If investigated, you must demonstrate that you conducted a TIA and properly assessed the risk.
For UK organisations: post-Brexit, the UK GDPR applies the same principles. The ICO expects comparable safeguards for international transfers, and US government access risk must be assessed in your Transfer Risk Assessment (TRA). Note also that the UK and the US have concluded a CLOUD Act executive agreement (the Data Access Agreement, in force since October 2022), which gives each side's law enforcement a direct route to data held by providers in the other country.
Practical Steps: What You Can Do Now
1. Inventory Your US Tools
List all HR and recruiting tools you use. Flag every provider whose parent company is headquartered in the US. That's your CLOUD Act risk profile.
2. Conduct a Transfer Impact Assessment (TIA)
For each US provider, you need a TIA: a documented assessment of whether the transfer is justified despite the CLOUD Act risk (the EDPB's Recommendations 01/2020 on supplementary measures set out the expected structure). Factors to consider: what categories of data are stored there, how sensitive they are, and how realistic government access is (the provider's transparency reports are a useful input). Supplementary measures such as encryption with keys you hold reduce the exposure, because the provider can then only produce ciphertext, but an ATS that has to search, rank and display candidate data rarely supports that.
3. Review Your Contractual Clauses
Check the Data Processing Agreement with your US provider. Does it require the provider to notify you of government requests where legally permitted? Does it commit the provider to challenging overbroad or unlawful orders in court? Microsoft, Google and AWS publish such commitments; not all smaller providers do.
4. Update Your Privacy Notices
Your privacy information for job applicants must list all possible recipients. Add a reference to potential access by US authorities if you use US-based tools.
5. Evaluate EU Alternatives
The cleanest long-term solution is switching to EU-based providers. Platforms like HireSift store data exclusively in the EU and are not subject to the CLOUD Act.
EU vs US Providers: An Honest Comparison
| Criterion | US Provider | EU Provider |
|---|---|---|
| CLOUD Act risk | Present | Not applicable |
| GDPR compliance | Complex, TIA required | Straightforward |
| Feature set | Often broader | Growing rapidly |
| Pricing | Can be higher | Often competitive for SMEs |
| EU data residency | Possible, but not sufficient | Standard |
| Legal certainty | Limited | High |
For many European businesses, switching to EU providers is the cleaner path, particularly when a supervisory authority comes knocking. Check the EU provider's sub-processor list as well: if it hosts on a US hyperscaler, even in an EU region, the CLOUD Act exposure returns through the hosting layer.
HireSift stores all data on EU servers (Germany) and is subject neither to the CLOUD Act nor to US data protection law. If you want to remove this risk entirely, it's worth taking a look.
Conclusion: The CLOUD Act Is Not a Fringe Issue
Many HR teams don't realise that their US cloud tools are potential entry points for US government access. This isn't a theoretical risk: it is a structural feature of any software run by a provider subject to US jurisdiction.
You don't need to replace all your tools immediately. But you should:
- Know which of your tools have US-based providers
- Conduct or commission a TIA
- Update your DPA and privacy notices
- Evaluate EU alternatives in the medium term
Protecting applicant data starts with the right tool choices. Try HireSift free – EU servers, GDPR-compliant, no CLOUD Act exposure.