As a Norwegian company, Runbox is occasionally asked how the U.S. CLOUD Act affects our users—and the answer is simple: it doesn’t. Unlike U.S.-based providers, we own our servers and operate under Norwegian law, ensuring your emails and personal data are fully protected by Norwegian law and GDPR. The CLOUD Act has no jurisdiction over Runbox or your information. Read on to learn how we keep your data safe.
What is the CLOUD Act?
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a U.S. law passed in 2018. It allows U.S. authorities to compel American-based companies to hand over data stored anywhere in the world—even if that data is on servers located in the EU or elsewhere. The law was created after a long legal battle between Microsoft and the U.S. government over access to emails stored in Ireland. The U.S. argued that because Microsoft is an American company, it must comply with U.S. law, regardless of where the data is physically stored. The CLOUD Act made this argument official, allowing U.S. authorities to demand data from U.S.-based companies anywhere in the world.
How does the CLOUD Act affect European and Norwegian companies?
The CLOUD Act has raised serious concerns about data sovereignty and privacy, especially for companies using U.S.-based cloud providers like Amazon Web Services, Microsoft Azure, or Google Cloud. If a U.S. company controls the servers—even if those servers are in Norway or the EU—U.S. authorities can legally request access to the data stored on them.
High-profile cases—like Microsoft, Google, and Facebook—have shown how the CLOUD Act can force U.S. companies to hand over data stored abroad. But these cases involve companies that are either based in the U.S. or use U.S.-controlled infrastructure. European companies using U.S. cloud services may therefore be affected, as U.S. authorities can compel those providers to disclose data, even if the data stored within the EU. (There is not a lot of information about these cases publicly as they often are bound by confidentiality.)
The CLOUD Act doesn’t apply to Runbox
At Runbox, we avoid this risk entirely by maintaining control over our Norwegian company and owning our physical servers. This means that the data on our servers are kept exclusively under Norwegian jurisdiction. Because we are not a U.S. company and do not use any U.S.-controlled infrastructure, the CLOUD Act does not apply to Runbox or the user data stored on our servers.
Your emails and personal data are protected by Norwegian law. As part of the EEA, Norway also enforces GDPR, including Article 48, which restricts transfers of personal data to non-EU authorities. This means that any U.S. request for your data must comply with Norwegian and EU legal standards, and go through Norway’s legal system. We comply with legally valid requests in cases of clear violations of Norwegian law or the Runbox Terms of Service, but we will not disclose any data to foreign governments without a Norwegian court order.
1. We own our servers
Runbox owns and operates its own servers, which are physically located in Oslo, Norway. While the facility housing our servers is not owned by us, the servers—and the data on them—are fully owned and controlled by Runbox, a Norwegian company. This distinction is critical: Because we own our servers and operate under Norwegian law, your data is not subject to the CLOUD Act or U.S. jurisdiction.
2. Norwegian jurisdiction applies
Because Runbox is a Norwegian company and our servers are in Norway, Norwegian law and GDPR govern all data stored on our own servers. The CLOUD Act only applies to U.S.-based companies or those under U.S. control. Since Runbox is not a U.S. company and does not use U.S.-controlled infrastructure, the CLOUD Act does not apply to us. Your emails and personal information remain protected by Norwegian privacy laws and GDPR.
3. No access without a Norwegian court order
The only way any foreign entity—including the U.S. government—can access user data on Runbox servers is with a valid Norwegian court order. While we have received requests from foreign authorities (as documented in our Transparency Report), our policy is clear: We require a Norwegian court order to comply. In some cases, foreign authorities have obtained such orders through Norway’s legal system, proving that the process works as intended. This ensures full transparency, strict oversight, and compliance only with legally valid requests under Norwegian law and GDPR.
The bottom line
Your emails and personal data are fully protected with Runbox—not just by our policies, but by Norwegian law and GDPR. While U.S.-based providers are bound by the CLOUD Act and subject to foreign surveillance, we own and control our servers in Norway, placing your data beyond the reach of U.S. jurisdiction. Your privacy is guaranteed by law. With Runbox, your data stays where it belongs: safe, secure, and under your control.
For more details on how we handle data requests, you can read our previous blog post on our process for disclosing data and our Privacy pages.
If you have any questions or concerns, don’t hesitate to reach out. We’re here to keep your data safe—and to keep you informed.