FIELD STATION · a think-and-do tank
BRIEFING · ENTRY 42

Digital Jurisdiction and the Splintering of Sovereignty

When law enforcement knocks on a cloud provider's door, whose law applies? A briefing on the quiet legal battles reshaping digital sovereignty.

Tom Watson · 24 Apr 2026 · sovereignty
FIG 1 Image credit: Field Station

In May 2025 a US federal judge ordered a major cloud provider to hand over data stored on servers in Ireland. The provider complied. Ireland was not consulted. The legal basis was the US CLOUD Act, which asserts that American law enforcement can reach data held anywhere in the world by a US-headquartered company, provided the company controls it.

This was not a surprise. The Act passed in 2018. What changed was the speed at which the request was processed, and the quietness with which it was received. No diplomatic note. No ministerial statement. Just another entry in a log file.

The architecture of reach

The incident illustrates something structural about modern digital infrastructure. Physical location once determined legal jurisdiction as a matter of practicality. A filing cabinet in Dublin meant Irish law applied because nobody in Washington could open the drawer.

Cloud architecture has dissolved that constraint. The same administrative panel that serves a customer in Cork serves one in Chicago. Data moves between regions for load balancing, backup, and cost optimisation, and the movement is visible only to the provider. The customer — a hospital, a government department, a school — typically has no idea where its data sat at the moment it was accessed.

This creates what legal scholars call concurrent jurisdiction: a state of affairs where multiple sovereign powers can simultaneously claim authority over the same information. The theoretical solution is treaty law. The practical solution is that the provider decides, and the provider has a home jurisdiction.

Physical borders no longer bound digital evidence. The provider's country of incorporation does.

Two further developments sharpen this picture. The first is the expansion of encryption workarounds. Several jurisdictions now require providers to build capabilities that allow access to data that would otherwise be end-to-end encrypted. These requirements are framed as public safety measures. Their effect is to make every system, in every country, as open as the most demanding jurisdiction requires.

The second is the growth of data localisation mandates. Countries from India to Brazil to the European Union have enacted or proposed laws requiring certain categories of data to remain within national borders. These laws are routinely described as sovereignty exercises. In practice they often function as trade barriers that benefit domestic cloud providers without addressing the underlying jurisdictional problem, because the provider's ownership still determines who can ultimately access the data.

Where this leaves public bodies

For a public body trying to act responsibly, the landscape is nearly unnavigable. The same procurement that satisfies a local data residency requirement may place the data within reach of a foreign warrant. Legal advice tends to address one framework at a time. The frameworks themselves overlap, contradict, and evolve.

A handful of responses are emerging that deserve attention:

None of these are complete answers. Together they sketch a direction of travel: away from assuming cloud is neutral infrastructure and towards treating jurisdiction as a design parameter. That shift is overdue.