Microsoft Admits Cloud Act Overrides EU Data Sovereignty Guarantees
In a stark admission with profound implications for cloud customers across Europe, Microsoft executives conceded before the French Senate that they "cannot guarantee" the sovereignty of customer data stored in the EU against potential US government access requests. This testimony, delivered under oath, cuts to the heart of the tension between national jurisdictions and the global operations of cloud hyperscalers, forcing enterprises and governments to reassess data residency assurances.
Anton Carniaux, Microsoft France's Director of Public and Legal Affairs, alongside Technical Director Pierre Lagarde, faced rigorous questioning during a June 18th Senate inquiry focused on digital sovereignty in public procurement. The core issue: the US CLOUD Act, enacted in 2018. This law empowers US authorities to compel US-based technology companies—via warrant or subpoena—to hand over customer data, regardless of where that data is physically stored globally.
Senators pressed Carniaux on whether any technical or legal mechanisms could definitively block such access. While he detailed Microsoft's "very rigorous system" to challenge "unfounded" requests—developed during the Obama era and involving legal battles up to the Supreme Court—the answers revealed inherent limitations:
"We have implemented a very rigorous system... which allows us to obtain concessions from the American government. We begin by analyzing very precisely the validity of a request and reject it if it is unfounded," Carniaux stated. "When this proves impossible, we respond in extremely specific and limited cases... If we must communicate, we ask to be able to notify the client concerned."
However, when directly asked if he could "guarantee... under oath" that French citizen data would never be transmitted to the US government without explicit French consent if a request was deemed legally justified, Carniaux's response was unequivocal: "No, I cannot guarantee that, but, again, it has never happened before."
Why This Matters for Tech Leaders & Developers:
1. Jurisdiction Trumps Geography: Microsoft's admission confirms that data stored on servers physically located within the EU remains subject to US legal jurisdiction due to Microsoft's US incorporation. Promises of "data residency" (where data lives) do not equate to "data sovereignty" (who controls access).
2. Contractual Safeguards Have Limits: While Microsoft (and competitors like AWS and Google Cloud) offer robust contractual commitments and technical controls (like Lagarde's mention of minimizing data transfers within the EU), these operate within the framework of applicable laws like the CLOUD Act. They are barriers, not absolute walls.
3. Real-World Risks: Critics, like Civo CEO Mark Boost, argue this isn't theoretical, pointing to incidents like the Scottish police data transfer. The potential impact spans national security, stringent regulatory compliance (like GDPR), and protecting sensitive commercial IP.
The Hyperscaler Defense & Nuance:
AWS swiftly published a blog post emphasizing "five facts" about the CLOUD Act, arguing it does not grant "unfettered or automatic access" and requires judicial approval based on probable cause for serious crimes. Crucially, AWS noted:
"The CLOUD Act primarily enabled the US to enter into reciprocal executive agreements with trusted foreign partners... Under US law, providers are actually prohibited from disclosing data to the US government absent a legal exception."
AWS and Microsoft both stress they've never disclosed EU enterprise/government data under the Act. AWS also highlighted that the law applies to any cloud provider with US operations, including EU-based firms like OVHcloud, which acknowledges its own compliance obligations under the Act in its documentation.
The European Response & Shifting Landscape:
This testimony fuels the accelerating European movement towards "digital sovereignty." Initiatives like Gaia-X aim to create federated, EU-centric data infrastructure. Governments and technical advisors are pushing for reduced reliance on US hyperscalers, driven partly by geopolitical tensions and mistrust amplified by the current US administration's policies. Microsoft President Brad Smith acknowledged the "volatile" environment, promising more EU datacenters. AWS and Google Cloud are developing specific "sovereign" solutions. However, building truly independent, scalable European cloud infrastructure remains a monumental, long-term challenge.
Microsoft's stark admission in Paris serves as a critical wake-up call. For European enterprises and public sector entities entrusting sensitive data to US-based clouds, the promises of data residency must now be weighed against the unresolved reality of extraterritorial legal reach. The quest for genuine digital sovereignty just gained significant, uncomfortable clarity, setting the stage for intensified regulatory scrutiny and a potential reshaping of Europe's cloud landscape.
Source: The Register - Microsoft admits it 'cannot guarantee' data sovereignty