The Ruling
On June 11, 2026, Brazil's federal audit court, the Tribunal de Contas da União (TCU), published Acórdão 1380/2026, closing out a monitoring process (TC 008.857/2025-3) led by rapporteur Minister Antonio Anastasia into the federal government's Nuvem de Governo — the shared cloud program run by state IT companies Serpro and Dataprev. The court made two distinct demands. First, it recommended Serpro rewrite clause 3.2 of its contract with Amazon Web Services to eliminate language permitting data access or disclosure "in compliance with determinations by foreign authorities," or, failing that, rewrite it to state explicitly that only Brazilian authorities can invoke it. Second, and more consequentially, it ordered Serpro and Dataprev to submit, within 180 days, a plan to build geographic redundancy into the Government Cloud — a minimum of two geographically distinct data centers per contracted provider, to protect continuity of public digital services against outages, extreme weather, or cyberattack.
Why a Contract Clause Triggered This
The clause language traces back to the US CLOUD Act of 2018, which lets American law enforcement compel US-headquartered providers — AWS included — to produce data they control, regardless of where it is physically stored. TCU's concern is straightforward: Serpro's AWS contract, as written, appeared to acknowledge that possibility rather than foreclose it, for a platform that the court's own reporting ties to systems including the Central Bank and Pix payment rails. That is a legitimate thing for an oversight body to flag. Government cloud contracts are rarely read this closely, and a clause nobody scrutinizes until it matters is exactly the kind of latent risk an audit court exists to catch. The European Union has spent years on an analogous problem — the Schrems II ruling and the EU-US Data Privacy Framework both exist because Europe concluded that US surveillance law and adequacy of data protection don't automatically align — so Brazil raising the same question about its own sovereign-cloud program is not an outlier position; it's catching up to a debate that's already reshaped cloud procurement elsewhere.
Where the Ruling Overreaches
The trouble is that rewriting clause 3.2 doesn't change what the CLOUD Act actually does. AWS is a US company. A Brazilian contract clause cannot opt Serpro out of a US federal statute that binds AWS regardless of what the paperwork says — a valid US legal process still reaches AWS-controlled data wherever it sits. AWS's own public compliance statement claims it has disclosed no enterprise or government content data stored outside the United States in response to a CLOUD Act request since it began reporting in 2020. If that record holds, the practical exposure TCU is targeting may already be closer to theoretical than active — which makes clause 3.2 a paperwork fix for a legal reality that paperwork can't reach. Real mitigation looks like customer-held encryption keys, contractual liability shifting for any compelled disclosure, and technical controls that make data unreadable to the provider itself — not a rewritten sentence a vendor's US obligations override the moment a valid order arrives.
The geographic-redundancy order, by contrast, is the part of Acórdão 1380/2026 that will actually matter. Multi-site resilience is a genuine operational upgrade, independent of who might someday demand the data.
That's also the harder and more expensive half of the ruling, and it's worth watching whether Serpro and Dataprev treat it with the seriousness the clause rewrite is getting in the press. As of this writing, Serpro's own transparency portal — which routinely publishes TCU rulings against the company — had not yet listed Acórdão 1380/2026, weeks after the decision. That's a small data point, but it's the kind of implementation lag that determines whether a 180-day deadline produces real infrastructure or a plan that slips.
The Proportionality Problem
Brazil's Nuvem de Governo already runs on a mix of Serpro-built infrastructure and contracts with AWS, Google, and Huawei, and TCU has been intervening in federal cloud governance since at least 2015, when it first raised contracting concerns in that space. Pushing regulatory energy toward contract-clause semantics risks crowding out the more useful conversation: what technical and contractual guarantees — key custody, audit rights, breach-notification timelines, liability caps — actually reduce a foreign government's practical ability to compel disclosure, versus what merely reads better in a press release. Data localization mandates dressed up as sovereignty measures have a poor record globally of improving security while reliably raising costs and slowing deployment; Brazil should make sure the 180-day redundancy build stays the centerpiece, not the clause-rewrite headline.
What to Watch
The geographic-redundancy plan is due roughly by early December 2026. Whether AWS agrees to amend clause 3.2 at all — and whether Brazil's broader data-protection authority treats this as a template for other federal cloud contracts — will say more about the durability of this ruling than the acórdão's text does on its own.