The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) was passed in March 2018. It clarified that US warrants for stored data apply to any US company, regardless of where in the world the data is physically stored. So a German company storing its email with Microsoft Germany can still have that email subpoenaed under US law if Microsoft (the US parent) is the controller. It also created a framework for 'qualifying foreign governments' (so far the UK and Australia) to request data directly from US providers without going through diplomatic channels. The CLOUD Act is one of the laws that made Schrems II possible.
What the law actually says
The key provision is: a US-based company that has 'possession, custody, or control' of data must produce that data when served with a US warrant, subpoena, or court order, regardless of where the data is stored. This overruled a 2017 case where Microsoft had refused to hand over emails stored in Ireland on the basis that the data was outside US jurisdiction.
The law also lets the US enter into executive agreements under which another country's law enforcement can request data directly from US providers (and vice versa), bypassing the slow Mutual Legal Assistance Treaty (MLAT) process. The UK and Australia have signed; other countries are in negotiation.
Who it affects
Any company headquartered in the US, owned by a US company, or with significant US operations is potentially in scope. That includes the obvious ones (Google, Microsoft, Amazon, Apple, Meta) and a long tail of less obvious ones: any cloud or SaaS provider you use that has a US parent or US datacentres has CLOUD Act exposure.
The data doesn't have to be on US soil. The law was specifically written to make geography not matter. If Microsoft Ireland has your data and Microsoft Corporation (US) controls Microsoft Ireland, the data is reachable.
What it means with FISA Section 702
The CLOUD Act covers normal law-enforcement requests (warrants, subpoenas). FISA Section 702 covers intelligence gathering: bulk collection of foreign intelligence from US providers, with a secret court (FISC) approving programmatic surveillance instead of individual warrants. Together they give US agencies several different paths to user data held by US companies.
Section 702 was the main legal hook the CJEU used in Schrems II to rule that EU data wasn't safely protected when handled by US companies.
The European response
EU regulators have been pushing for 'data sovereignty' as a structural answer: if the data is held by an EU-based company in EU datacentres governed by EU law, the CLOUD Act doesn't reach it (because there's no US parent to compel). That's the basis for projects like GAIA-X and the various EU funding programmes for European-built infrastructure. It's also why a European browser, hosting a European search backend on European servers, is qualitatively different from a US browser doing the same thing in EU datacentres.