[German]Microsoft has inflated a huge balloon with regard to European cloud offerings. Data centers in Europe, a "European Microsoft cloud" for digital sovereignty. And then a Microsoft manager had to admit under oath that this does not protect against access by the US authorities.
Since US President Trump stirred up the world, major cloud providers such as Microsoft have also been facing stormy waters. In Europe, a discussion about digital sovereignty has been raging for several months. Public authorities in particular have to consider an exit from Microsoft 365 and the Azure cloud or even want to implement one. For example, I reported on this in the article Digital sovereignty: EU cloud; Microsoft exit in Danish digital ministry; true cost of Windows 11. The digital dependency on Microsoft is to be reduced.
This development in Europe was also triggered by the long-simmering debate about data protection and data security. The EU-US Transatlantic Data Transfer Privacy Agreement, established by former US President Biden by decree, is under fire under President Donald Trump and could be overturned by the ECJ. This would make it illegal for EU organizations and companies to transfer data to the US cloud.
Shawm sounds for the EU cloud
In mid-June 2025, I reported on the sovereign Microsoft Sovereign Cloud propagated by Microsoft in the German article Microsofts "souveräne" Cloud angekündigt – "weiße Salbe"? Microsoft had published the following beautiful picture
There will be a Sovereign Public Cloud and a Sovereign Private Cloud, as well as national Souveign Clouds (e.g. Delos from the SAP subsidiary). European customers will be offered business services such as Microsoft Azure, Microsoft 365, Microsoft Security and Power Platform, hosted in all existing European data center regions.
According to Microsoft, the Sovereign Public Cloud ensures that customers' data remains in Europe, is subject to European law, operation and access are controlled by European personnel and encryption is under the full control of customers.
Microsoft cannot prevent US access
Anyone who takes a sober look at the legal situation must be aware that data that is somehow processed by US companies is, in case of doubt, accessible to the US authorities through the US Cloud-Act (Clarifying Lawful Overseas Use of Data Act). If push comes to shove, Microsoft would have to hand over the data.
Anton Carniaux, Head of Corporate, External & Legal Affairs at Microsoft France, was questioned under oath in the French Senate on June 10, 2025 about the Sovereign Microsoft Cloud. The transcript can be found at Audition de MM. Anton Carniaux, directeur des affaires publiques et juridiques, et Pierre Lagarde, directeur technique du secteur public, de Microsoft France.
Carniaux first tries to present the great Microsoft services in order to provide each individual with the means for digital transformation using cloud computing with the Azure platform, artificial intelligence (AI) with Copilot, cyber security, IT hardware or collaboration tools such as Office. Everything is tailored to the needs of customers and complies with French regulatory requirements.
However, the rapporteur of the French Senate, Dany Wattebled, did not want to let the Microsoft man get away with it and asked for specific details. He pointed out that Microsoft is subject to the US Cloud Act, which allows the US authorities to access data stored in Europe. How could Microsoft guarantee with concrete evidence that the data of French public administrations, which is managed via the contracts of the Union des groupements d'achats publics (Ugap), is never passed on to the US government? The rapporteur should explain what precise technical and legal mechanisms prevent this access?
And this is precisely where Microsoft's Anton Carniaux had to make his "oath of disclosure": he tries to be vague and explains that, from a legal point of view, there is a contractual obligation to customers, including those in the public sector, to oppose the US government's demands if they are unfounded. If this proves impossible, Microsoft responds in extremely precise and limited cases. But it has never happened, according to the transparency reports.
The rapporteur did not let Anton Carniaux get away with this and asked whether he could assure the committee under oath that the data of French citizens entrusted to Microsoft via Ugap would never be passed on without the express consent of the French authorities due to an order from the US government?
Anton Carniaux's answer was "No, I can't guarantee that, but again, this has never happened." This brings us right back to the start, or to what little lights like yours truly have always advocated: When in doubt, Microsoft will have to hand over the data to the US government, regardless of where that data is located. And the US government can force Microsoft to remain silent, so that the person concerned may not even be informed. Microsoft could use the canary in the coalmine and write "no data was released under the Cloud Act" in its transparency reports. If this information is not provided, this would lead to the conclusion that the data disclosure was forced by the US government.
The sovereign EU cloud with US companies is legally dead
With this admission by the Microsoft manager, the "sovereign EU cloud" with the involvement of US companies such as Microsoft is legally dead (actually, it always has been), provided that the claim that EU citizens' data may never be passed on to the US government without consent is to stand (actually the basis for sovereignty).
