- Microsoft is legally obliged to comply with the US Cloud Act
- It means the US government can ask to see any data, including sovereign clouds
- Only companies outside of US jurisdiction, or private encryption keys, are exempt
Microsoft has admitted it cannot guarantee data sovereignty for customers in France or other European Union countries under the US Cloud Act, which allows the US government to access data from US-based tech firms, even if that data is stored overseas.
Questioned about legal protections against US access to EU data, Microsoft France reps Anton Carniaux and Pierre Lagarde confirmed the company would analyze and resist any unfounded US data requests, but ultimately, the company is legally obliged to comply with valid ones.
Importantly, the company has never received a US data request for information stored in Europe, according to its transparency reports, however ongoing geopolitical tensions have sovereign nations worried about that.
Microsoft cannot guarantee data sovereignty
Microsoft stressed there are systems in place to minimize data transfers, to keep EU customer data within the EU, but Carniaux acknowledged that he could not guarantee the US wouldn't access French citizen data without French government consent, raising huge concerns.
Earlier this year, the EU Data Boundary for the Microsoft Cloud project was confirmed complete, with other hyperscaler rivals also investing heavily in European sovereignty, but the latest developments have rendered their efforts not worthwhile after all.
Interestingly, AWS, Microsoft and Google all supported the bill when it was passed, so it's not new news to them.
"UK or EU servers make no difference when jurisdiction lies elsewhere and local subsidiaries or 'trusted' partnerships don't change that reality," Civo CEO Mark Boost explained.
Boost added that this weakness threatens national security, personal privacy and business competitiveness.
Ultimately, the bottom line is that data residency and location is not the same as jurisdiction – even European companies like OVHcloud operating in the US are subject to US government data requests.
And while EU legislation is steadily adding friction, unless a provider is outside US jurisdiction or a customer is the only holder of an encryption key, absolute sovereignty cannot be guaranteed.
Via The Register
