1.0 INTRODUCTION
The rapid development of Artificial Intelligence (“AI”), particularly through the deployment of large language models such as ChatGPT, has accelerated global demand for data centres and cloud infrastructure. Apart from the fact that AI systems and data centres have become critical drivers of technological innovation and economic growth, they also generate significant Intellectual Property (“IP”) value through proprietary datasets, machine-learning algorithms, AI-generated innovations, specialised hardware, and infrastructure technologies. These assets may be protected through a combination of patents, copyright, trade secrets, database rights, and contractual mechanisms.
However, these unique values of the IP assets of the data centre and AI may also be affected by geopolitical and contractual risks, as they often involve parties across different countries. This article examines the legal risks that may arise from an increasingly interconnected global environment and explores ways to mitigate these risks.
2.0 THE CONTRACTUAL RISKS AND CROSS-BORDER DISPUTES REVOLVING AI AND DATA CENTRES
Risks In the Multinational Cloud Agreements
A multinational cloud agreement (MCA) is a contract between a customer (such as a company, government, or institution) and a cloud service provider whose operations span multiple countries.
In view of the above, although governed by a single contractual framework, multinational cloud arrangements frequently involve multiple jurisdictions, each imposing distinct legal, regulatory, and compliance obligations upon the parties. The relation between these cloud services and data centres is that they are often used as the service offered by data centres. Without the data centres as their physical infrastructure, there would be no cloud.
Currently, the increasingly globalized cloud computing and data centre operations could be exposed to commercial agreements with significant geopolitical and regulatory risks. This is due to governments exercising greater control over data infrastructure within their jurisdictions, which may disrupt the contractual arrangements due to changes in law, national security concerns, and competing sovereign interests. Hence, creating legal uncertainty and affects the parties’ ability to perform their contractual obligations.
Geopolitical Disruptions and Force Majeure Risks (Frustrations of Contract)
The geopolitical tensions, economic sanctions, and national security concerns may affect the multinational cloud and data centre projects. This is because governments may impose new restrictions on foreign investment, introduce additional security requirements, or revoke previously granted approvals.
For example, recent attempts by the US to exert power over extraterritorial conduct could be seen in the proposed US Multilateral Alignment of Technology Controls on Hardware Act (MATCH Act), where the US further restricts the export of ASML’s advanced lithography equipment, which is used to manufacture advanced semiconductor chips for AI data centres, to China.
Such regulatory developments may materially impair the ability of cloud service providers and data centre operators to perform their contractual obligations, potentially resulting in service disruptions, supply-chain interruptions, and disputes concerning force majeure or frustration of contract.
Changes in Data Transfer Regulations and Dependence on Foreign Data Centre Infrastructure
Another significant risk may also arise due to the government changing the rules of cross-border data transfers. This is especially when cloud services often depend on moving data between countries, and any legal restriction on such transfers may render the existing contractual arrangements non-compliant.
Next, it is also a critical risk when organisations rely on data centre infrastructure located outside their home jurisdiction, as the enterprises may also be subjected to the laws and regulatory decisions of the host state and obtain limited decision-making influence.
A notable example can be seen in a landmark decision of the Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems (Schrems II)(2020), which invalidates the EU-US Privacy Shield framework with significant ramifications for the transfer of the data of EU citizens to the US as a consequence of the US’s extensive state surveillance and insufficient safeguards protecting privacy. The decision created substantial uncertainty concerning the legality of transatlantic data transfers and exposed organisations to heightened compliance obligations, increased operational costs, and potential regulatory enforcement risks.
Apart from that, the US law on the Clarifying Lawful Overseas Use of Data Act (CLOUD ACT) also allows US law enforcement agencies to access the electronic data stored overseas by US-based technology companies, even though it may be stored in foreign jurisdictions, which may raise concerns about confidentiality, data protection, service availability, and regulatory compliance of the consumers.
Export Controls and Semiconductor Restrictions
Moving on, the increasing export controls on advanced semiconductors and other AI-related technologies also present a growing risk for data centre operators as well. As AI systems may rely heavily on specialised components, restrictions from the government may limit the suppliers that can provide critical hardware to certain countries or entities.
For instance, the US Foreign Direct Product Rule (FDPR) may even apply to products manufactured outside the US if they involve US-origin technology or IP. The 2023 enforcement action against Seagate, which resulted in a civil penalty of approximately USD300 million for supplying hard disk drives to Huawei in violation of U.S. export controls, demonstrates the far-reaching impact of such measures. This also highlights how export restrictions can affect multinational technology supply chains and create significant legal, operational, and contractual challenges for businesses involved in AI and data centre ecosystems.
3.0 STRATEGIES TO MITIGATE THE CONTRACTUAL RISKS AND GEOPOLITICAL VULNERABILITIES
As AI systems and data centres are heavily exposed to the cross-border infrastructure and influence, organisations can no longer rely on traditional contractual protections alone and must adopt proactive measures to reduce the exposure to geopolitical risks.
Localising Data Through Sovereign Clouds and Data Centres
Data localization refers to a conduct of confining the data within a country’s borders, and this targets a growing range of specific data types and broad categories of data deemed “important,” or “sensitive”, or related to national security.
By reducing foreign control over critical data and digital infrastructure, organisations may significantly mitigate exposure to geopolitical risks, regulatory intervention, and foreign governmental access requests.
Data centres may also adopt sovereign cloud models, where the cloud services are operated by locally owned entities within the relevant jurisdiction. This may reduce the likelihood that foreign governments can exercise jurisdiction over sensitive data through overseas cloud providers.
Similarly, by relocating critical workloads and sensitive data to local or regional data centres, or commonly referred to as “geopatriation”. Organisations may be able to maintain greater control over where data is stored and processed, and can reduce exposure to foreign surveillance laws, cross-border regulatory conflicts, and disruptions arising from geopolitical tensions.
A notable writing in Geopatriation: Ensuring AI Data Sovereignty in the Era of Agentic AI by Sahajmeet Kaur mentioned that by 2030, an increase of over 75% of the European and Middle Eastern enterprises will geopatriate their virtual workloads due to the heightened concerns around AI data sovereignty and vulnerability towards geopolitical turbulence.
Following that,France and Germany have also has been witnessed to enact their plans for European digital sovereignty, including the launch of the cloud computing project GAIA-X, which enables the European data infrastructure to become independent from both the US and China.
Strengthening Contractual Safeguards
Given the rapidly changing regulatory landscape, multinational cloud and data centre agreements should include provisions that specifically address geopolitical and legal risks. For example, contracts may contain change in law clauses that allow parties to terminate, suspend, or modify the agreement if regulatory changes make performance unlawful or commercially impracticable.
Other than that, parties should also clearly allocate responsibility for losses arising from government intervention, data access orders, or regulatory enforcement actions. In addition, the use of recognised cross-border compliance mechanisms, such as Standard Contractual Clauses (SCCs), can help organisations maintain lawful data transfers and reduce compliance uncertainty when operating across multiple jurisdictions.
Beyond traditional force majeure provisions, parties should consider incorporating data sovereignty clauses, regulatory change provisions, mandatory notification obligations concerning governmental access requests, and carefully drafted limitation of liability clauses. Such provisions may provide greater contractual certainty where legal developments or geopolitical events materially affect the performance of cloud and data centre services.
Litigating The Conflict of Laws and Statutory Protections
Moving on, cross-border disputes frequently involve competing legal obligations arising from conflicting domestic laws, data protection regimes, and national security interests.
A mechanism under Section 103 of the United States CLOUD Act, which provides thatwhere compliance with a disclosure order would conflict with the laws of a qualifying foreign government, a service provider may apply to the relevant U.S. court to modify or quash the order. This statutory safeguard recognises that data stored in foreign jurisdictions may be subject to legal protections that are inconsistent with the requirements of a foreign enforcement request. As such, it provides an avenue for operators to resist disclosure where compliance would place them in breach of their obligations under the laws of the host country.
Even in circumstances where no formal bilateral agreement exists between the United States and the host jurisdiction, operators may seek protection through the common law doctrine of international comity. Under this principle, courts are required to consider and balance the competing interests of the jurisdictions involved before enforcing an extraterritorial request. Relevant factors may include the nationality and location of the data owner, the regulatory and national security interests of the host state, and the availability of alternative legal mechanisms, such as Mutual Legal Assistance Treaties (MLATs), through which the requested information may be obtained.
These legal safeguards play an important role in mitigating cross-border enforcement risks by providing data centre operators with mechanisms to challenge foreign disclosure orders and manage conflicts between competing legal regimes.
4.0 CONCLUSION
AI and data centres are increasingly valuable sources of intellectual property, and it represents as strategic assets in the modern digital economy. However, they are constantly exposed to the evolving geopolitical, regulatory, and contractual risks. Therefore, organisations must adopt robust contractual safeguards and proactive strategies to preserve operational resilience, protect intellectual property assets, and ensure regulatory compliance across multiple jurisdictions.
5.0 REFERENCES
STATUTES
- CLOUD Act
- MATCH Act
For further information, please contact:
Ahmad Hafiz Zubir, Partner, Azmi & Associates
hafiz.zubir@azmilaw.com
JOURNAL ARTICLES & WEBSITES
- Bogmans, C., Gomez-Gonzalez, P., Ganpurev, G., Melina, G., Pescatori, A., & Thube, S. (2025). Power hungry: How AI will drive energy demand (IMF Working Paper No. WP/25/81). International Monetary Fund. https://www.imf.org/-/media/files/publications/wp/2025/english/wpiea2025081-print-pdf.pdf.
- Bureau of Industry and Security. (2023). BIS imposes $300 million penalty against Seagate Technology LLC related to shipments to Huawei. U.S. Department of Commerce. https://www.bis.gov/node/20250.
- Cory, N., Dascoli, L., (2021). How barriers to cross-border data flows are spreading globally, what they cost, and how to address them. Information Technology and Innovation Foundation (ITIF). https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost/.
- Daeryun Law Firm. (n.d.). Data centers and AI cloud infrastructure. Daeryun Law Firm. https://www.daeryunlaw.com/us/practices/detail/data-centers-and-ai-cloud-infrastructure.
- Kaur, S. (2025). Geopatriation: Ensuring AI data sovereignty in the era of agentic AI. TrueFoundry. https://www.truefoundry.com/blog/geopatriation.
- Mann, M., & Daly, A. (2020). Geopolitics, jurisdiction and surveillance. Internet Policy Review, 9(3). https://doi.org/10.14763/2020.3.1501.
- Sangfor Technologies. (2026). What is sovereign cloud and why it matters in 2026. Sangfor. https://www.sangfor.com/glossary/cloud-and-infrastructure/what-is-sovereign-cloud.
- Sterling, T. (2026). Dutch government objects to proposed US law restricting ASML’s China exports. Reuters. https://www.reuters.com/world/asia-pacific/dutch-government-objects-proposed-us-law-restricting-asmls-china-exports-2026-05-14/.
