RSS

Microsoft admits it 'cannot guarantee' data sovereignty (2025)

leonidasrup1 pts0 comments

Microsoft exec admits it 'cannot guarantee' data sovereignty

Jump to main content

Search

REG AD

PaaS + IaaS

Microsoft admits it 'cannot guarantee' data sovereignty

Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin

Paul Kunert

Paul<br>Kunert

Published<br>fri 25 Jul 2025 // 14:00 UTC

UPDATED Microsoft says it "cannot guarantee" data sovereignty to customers in France – and by implication the wider European Union – should the Trump administration demand access to customer information held on its servers.

The Cloud Act is a law that gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to accept the request.

Talking on June 18 before a Senate inquiry into public procurement and the role it plays in European digital sovereignty, Microsoft France's Anton Carniaux, director of public and legal affairs, along with Pierre Lagarde, technical director of the public sector, were quizzed by local politicians.

REG AD

Asked of any technical or legal mechanisms that could prevent this access under the Cloud Act, Carniaux said it had "contractually committed to our clients, including those in the public sector, to resist these requests when they are unfounded."

REG AD

"We have implemented a very rigorous system, initiated during the Obama era by legal actions against requests from the authorities, which allows us to obtain concessions from the American government. We begin by analyzing very precisely the validity of a request and reject it if it is unfounded."

He said that Microsoft asks the US administration to redirect it to the client.

"When this proves impossible, we respond in extremely specific and limited cases. I would like to point out that the government cannot make requests that are not precisely defined."

Carniaux added: "If we must communicate, we ask to be able to notify the client concerned." He said that under the former Obama administration, Microsoft took cases to the US Supreme Court and as such ensured requests are "more focused, precise, justified and legally sound."

The Cloud Act was signed into law in 2018 following challenges the FBI faced when getting data via service providers through Store Communications Act warrants, which was itself legislated before cloud computing became a viable thing. Microsoft challenged previous requests, including one concerning a 2016 drug trafficking probe, when emails of a US citizen were held on Microsoft servers in Ireland, and Microsoft argued the SCA did not cover data held outside the US.

The bill was supported at the time it became law by AWS, Microsoft, and Google – and was criticized by civil rights groups. European cloud providers with skin in the game have talked up the potential data sovereignty issue for customers in the EU, although, as Microsoft has said, it has not received data requests from the US government for data held on Microsoft servers in Europe.

Back at the hearing in France, Microsoft was asked if a data request was well framed, would the corporation be "obliged to transmit the data?"

Carniaux admitted: "Absolutely, by respecting this process. But again, this has not affected any European company, or a public sector body, since we have been publishing these transparency reports."

REG AD

Microsoft transparency reports are twice yearly publications in which the business reveals how it manages user data requests, content removal, and more.

Legrande chimed in to say that for the past three years Microsoft has implemented a technical environment to minimize data transfers and keep customers data within the EU, "whether at rest, in transit or being processed, or whether it is data generated by application logs, including the support part."

As proceedings continued, Carniaux was asked if in the event of an injunction that was legally justified, could he, as Microsoft director of public and legal affairs, "guarantee our committee, under oath" that data on French citizens could not be transmitted to the American government without the explicit agreement of the French government.

"No," said Carniaux, "I cannot guarantee that, but, again, it has never happened before."

The Register asked Microsoft to comment on this but it declined to do so.

Mark Boost, CEO at Civo, claimed: "One line of testimony just confirmed that the US hyperscaler providers cannot guarantee data sovereignty in Europe."

"Microsoft has openly admitted what many have long known: under laws like the CLOUD Act, US authorities can compel access to data held by American cloud providers, regardless of where that data physically resides. UK or EU servers make no difference when jurisdiction lies elsewhere and local subsidiaries or 'trusted' partnerships don't change that reality.

"This is more than a...

data microsoft cannot guarantee sovereignty cloud

Related Articles

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries

SpaceX not the behemoth everyone thought

kaycebasques13 pts_blockquote instagram data vars text media

The Mirror Is Part of the Machine

london_safari10 ptstelemetry mirror decision logs enough time
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.