The CLOUD Act and US Jurisdiction Over Your iGaming Data

Everything That Touches the US Is Vulnerable

The Clarifying Lawful Overseas Use of Data Act — the CLOUD Act — was signed into US law in March 2018. Its core provision is simple and devastating: any company subject to US jurisdiction must disclose data stored on its servers, regardless of where in the world those servers are physically located.

For iGaming operators, this creates a chain of exposure that most never examine. Your platform runs on AWS eu-west-1 in Ireland? Amazon is a US company. Your payment processor routes through a Stripe subsidiary? US jurisdiction. Your game aggregator's parent company is listed on NASDAQ? Every byte of player data they touch is one subpoena away from disclosure.

How a Single Subpoena Exposes an Entire Operation

The CLOUD Act does not require the US government to notify the operator, the data subject, or even the local government where the data resides. A federal prosecutor can issue a subpoena directly to the US-headquartered company, compel production of all stored data, and impose a gag order preventing the company from disclosing the request to anyone — including the operator whose data is being accessed.

This is not hypothetical. US law enforcement has used the CLOUD Act and its predecessor (the Stored Communications Act) to obtain data from US cloud providers storing information in Ireland, Germany, and Singapore. The legal challenges from Microsoft and others ultimately failed — the CLOUD Act was specifically designed to close the jurisdictional gaps those challenges exposed.

The Multi-Tenant Amplification Effect

The risk compounds on shared infrastructure. When a law enforcement request targets one operator on a multi-tenant platform, the technical reality of shared databases, shared application layers, and shared storage means that isolating one operator's data from another's is often impractical. Investigators receive access to infrastructure that contains data from multiple operators — even those not under investigation.

For operators in grey markets or jurisdictions with adversarial relationships with US regulators, this creates existential exposure. A regulatory action against a co-tenant on your shared platform can inadvertently expose your entire player database, transaction history, and operational intelligence to a foreign government.

The Chain You Don't See

Most operators audit their primary hosting provider and stop there. But the CLOUD Act's reach extends through every US-connected link in the technology chain:

Cloud providers: AWS, Azure, Google Cloud — all US-headquartered regardless of data center location. Their European subsidiaries remain subject to US parent company obligations.

CDN services: Cloudflare, Akamai, Fastly — your player-facing content flows through US-controlled infrastructure. Metadata, access logs, and cached content are all potentially accessible.

SaaS tools: CRM systems, analytics platforms, email services, monitoring tools — if any tool in your operational stack is provided by a US company, the data it processes is within reach.

Payment processors: Even processors with European entities may route settlement, fraud detection, or compliance data through US-based parent company systems.

What Sovereign Infrastructure Actually Means

True sovereignty requires eliminating every US-connected link in the data chain — not just the primary hosting provider. This means European-incorporated hosting (not a US company's European subsidiary), European payment processing with no US parent, European CDN services, and operational tools that never route data through US jurisdiction.

The key distinction is corporate parentage, not server location. A server in Frankfurt operated by a US-parented company is still subject to the CLOUD Act. A server in the same data center operated by a European-incorporated company with no US corporate parent is not.

The Cost of Indifference

Operators who dismiss jurisdictional risk as theoretical are making an implicit bet: that no regulatory action, no law enforcement investigation, and no political pressure will ever target any company sharing their infrastructure. Given the increasing regulatory attention on online gambling globally, and the US government's demonstrated willingness to use the CLOUD Act extraterritorially, that bet looks increasingly poor.