OVHcloud Law Enforcement Data Request: Police & Government Guide
How police, prosecutors and cybercrime investigators obtain customer, server and connection data from OVHcloud, the French cloud provider, including why its EU legal route differs sharply from US providers and which instrument foreign agencies must use.
This guide offers general professional guidance for law enforcement officers, prosecutors and cybercrime investigators seeking data from OVHcloud. It is not legal advice. It assumes you are acting under proper legal authority in your own jurisdiction and will use the lawful channel appropriate to your case. Procedures, contact points and retention practices change, so always confirm current requirements directly with OVHcloud and with your own legal advisers before you rely on them.
- OVHcloud is EU-based (headquartered in France), so the legal route differs from US providers: French and EU law, not the US CLOUD Act framework, governs requests for EU-hosted data.
- The public abuse form is for reporting illegal or abusive content, not for obtaining customer data; subscriber and traffic data require a formal legal request.
- Formal disclosure generally needs a valid court order or judicial requisition (requisition judiciaire) served through French or EU legal channels.
- Foreign agencies inside the EU normally use a European Investigation Order or European Production Order; non-EU agencies normally use an MLAT or letter rogatory.
- EU data-retention rules and CJEU case law limit what connection logs are kept, so move quickly and request preservation early.
Why OVHcloud is different from US providers
OVHcloud is one of Europe's largest cloud and hosting companies, providing dedicated servers, virtual private servers (VPS) and public and private cloud infrastructure (IaaS). Its parent company is French and headquartered in Roubaix, with data centres across France, the rest of Europe and worldwide. This matters for investigators because the legal regime that protects and governs customer data is primarily French and EU law: the General Data Protection Regulation (GDPR), the French Code of Criminal Procedure and related French statutes.
With most large US hosting providers, foreign police are used to a self-service law enforcement portal and a familiar subpoena, court order or warrant vocabulary, sometimes supported by CLOUD Act executive agreements. OVHcloud's US subsidiary does operate within that framework for data it controls in the United States. However, for customer data hosted in the European Union, OVHcloud applies EU and French rules and has publicly opposed direct disclosure to non-EU authorities outside formal international legal channels. France also has a blocking statute (Loi 68-678) that restricts French companies from handing sensitive data to foreign authorities except through recognised international legal-assistance processes. The practical consequence: you usually cannot simply send your domestic order to OVHcloud and expect production. You will normally need an EU instrument or a mutual legal assistance request.
What OVHcloud holds
As an infrastructure provider, OVHcloud holds account-level and infrastructure data rather than the contents of what customers run on their servers. What is genuinely useful in an investigation depends on the service and on retention realities.
| Data type | What it can yield | Typical legal route |
|---|---|---|
| Customer / account & billing data | Subscriber name, address, contact details, payment or billing identifiers, account creation data | Judicial requisition or court order via French/EU channel; EIO or MLAT for foreign LE |
| Server / dedicated-server, VPS & cloud allocation | Which physical or virtual machine is assigned to which customer, service identifiers, provisioning records | Judicial requisition or court order; EIO or MLAT for foreign LE |
| IP address assignment | Which customer or service an IP or IP range was allocated to at a given time | Judicial requisition or court order; EIO or MLAT for foreign LE |
| Connection / login logs | Access and connection records to the extent retained under EU and French rules | Judicial requisition or court order; subject to retention limits (see below) |
| Stored content on managed services | Contents of customer data where OVHcloud has the technical ability to produce it | Stronger authority generally required; often customer-controlled |
Abuse channel vs legal requisition
OVHcloud operates two distinct paths, and using the wrong one wastes time.
- Abuse channel. OVHcloud publishes a public abuse form for reporting illegal or abusive activity hosted on its network: phishing, malware distribution, fraud, copyright complaints and child sexual abuse material. This is the correct route to get harmful content actioned or taken down, and to flag a server for the provider's attention. It is not a route to obtain subscriber identity or logs, and any informal data it produces will rarely meet evidentiary standards.
- Formal legal requisition. To obtain customer data as evidence, you need a valid, binding legal request served through the proper channel. Inside France this is typically a judicial requisition (requisition judiciaire) issued under the Code of Criminal Procedure. OVHcloud's stated practice is not to release customer data without a properly served, valid and binding legal order.
Legal routes by requesting country
The correct instrument depends on where the investigating authority sits.
- French authorities. Serve a judicial requisition (requisition judiciaire) or relevant court order under the French Code of Criminal Procedure directly through French legal process.
- Other EU member states. Use a European Investigation Order (EIO) under Directive 2014/41/EU, executed via the competent French authority. The EU e-evidence package additionally introduces the European Production Order and European Preservation Order for cross-border electronic evidence between member states; confirm what is in force and operational for your case.
- Non-EU authorities. Use a mutual legal assistance treaty (MLAT) request or a letter rogatory routed to the French central authority. France has signalled it will expedite properly routed MLAT requests. Sending a domestic order straight to OVHcloud for EU-hosted data is likely to be refused, and France's blocking statute discourages direct disclosure outside these channels.
- Data controlled by the US entity. Where data is genuinely held by OVHcloud's US subsidiary, US legal process applies, with non-content data available on a US subpoena and content on a US search warrant; CLOUD Act executive agreements (recognised with a small number of countries) may also apply. Do not assume this covers EU-hosted data.
Preservation and EU retention limits
Processing of personal data by OVHcloud for law enforcement purposes sits within the GDPR and the wider EU data-protection framework. Crucially, EU law no longer permits open-ended blanket retention of connection data. The Court of Justice of the European Union (CJEU), in Tele2 Sverige/Watson (2016) and La Quadrature du Net (2020 and 2024), held that general and indiscriminate retention of traffic and location data is unlawful, with narrow exceptions (for example a genuine national-security threat) and a more permissive position on retaining IP addresses for law enforcement access. The practical effect for investigators is that connection logs may be kept for shorter periods, or under narrower conditions, than you might expect from older providers or non-EU jurisdictions.
Emergency requests
OVHcloud recognises emergency situations, such as a good-faith belief that there is a risk of imminent bodily harm or threat to life. In genuine emergencies, contact the provider through its designated emergency or abuse channel, clearly identify the emergency, the legal basis and the specific data needed, and follow up with the proper formal instrument. Emergency disclosure is an exception, not a substitute for the correct legal channel, and should be reserved for true threat-to-life scenarios.
Step-by-step workflow
- Confirm OVHcloud is the right provider. Check WHOIS, RIPE/ARIN allocation and reverse DNS to verify the IP, IP range or server is on OVHcloud rather than a reseller or downstream customer.
- Pin down the identifiers. Record the exact IP address, port where relevant, server hostname or service identifier, and precise timestamps with the time zone. Specificity drives a faster, narrower response.
- Decide content vs non-content. Separate subscriber and account data from any stored content, and consider whether the content is held by OVHcloud at all or by the customer on a self-managed machine.
- Send a preservation request early. Given EU retention limits, ask OVHcloud to preserve the relevant data while you prepare your formal instrument.
- Choose the correct legal channel. French authority: judicial requisition. EU authority: EIO or European Production Order. Non-EU authority: MLAT or letter rogatory. US-held data: US process.
- Serve through that channel and track it. Route the instrument to the competent French or EU authority where required, reference your preservation request, and record receipt and any reference numbers.
- Plan for customer notification. OVHcloud may notify the customer unless prohibited by law; if secrecy matters, ensure your legal order includes an enforceable non-disclosure provision.
Frequently asked questions
Can I just use OVHcloud's abuse form to get the account holder's identity? No. The abuse form is for reporting illegal or abusive content and getting it actioned. Subscriber identity, IP assignment and logs require a formal legal request through the correct judicial channel.
I am a non-EU investigator. Can I send my domestic warrant directly to OVHcloud? Generally not for EU-hosted data. You will normally need an MLAT request or letter rogatory routed through French legal channels. France's blocking statute and EU rules discourage direct disclosure to foreign authorities outside those channels.
Why might OVHcloud hold fewer connection logs than I expect? EU law, shaped by CJEU rulings, restricts general and indiscriminate retention of traffic data. Retention windows can be shorter and narrower than in some non-EU jurisdictions, so request preservation quickly.
Will OVHcloud tell the customer about my request? Often yes, unless prohibited by law. If your investigation requires confidentiality, ensure your legal instrument carries an enforceable non-disclosure obligation.
Related guides
- Cloud evidence: getting data from AWS, Azure and Google Cloud
- Cloudflare law enforcement data request: police and government guide
- MLAT vs LERS vs Interpol: which channel, when
For the full directory of platform law-enforcement request portals, see our LERS portal hub.