Microsoft admitted during a hearing in the French Senate that the company cannot reliably protect EU data from access by U.S. authorities. This undermines the promise that European cloud data is safe with U.S. providers.
At Microsoft, U.S. access to European cloud data is possible despite local hosting and EU data boundaries.
Locally stored data is not automatically protected from access by U.S. authorities—this was openly confirmed by Anton Carniaux, Chief Legal Counsel of Microsoft France, in early June.
"No, I cannot guarantee that the data of French citizens will never be transferred to U.S. authorities without the consent of the French authorities," said Carniaux during the Senate hearing under oath.
Microsoft's Transparency Remains Limited
The statement carries more weight because Microsoft has so far promoted its so-called "EU Data Boundary" as a solution for European customers to guarantee data processing within Europe. However, the technical safeguards apparently reach their limits where U.S. law applies.
According to Microsoft's own statements, data must be disclosed when U.S. authorities make formal requests. In many cases, the company is not even allowed to inform its customers about the access—Carniaux also confirmed this before the committee.
The French government refers to the incident as part of a broader investigation into digital sovereignty. This includes examining whether public institutions should continue relying on U.S.-based cloud services.
Experts See A Structural Problem
Security and privacy experts point out that the structural dependencies of European authorities and companies on U.S. service providers persist even under new frameworks like the Transatlantic Data Privacy Framework.
The developer and privacy advocate Ben Werdmuller commented: "When the provider's promise meets a court order, the court order always wins." For him, it's clear: the only reliable protection lies in client-side encryption, if necessary combined with EU-based hosting providers.
Dennis-Kenji Kipker, professor of IT security law, emphasizes that Microsoft's admissions are unsurprising but unequivocal: "It is now clear that these flowery marketing promises, discussions about data borders, and semi-sovereign clouds do not constitute effective protection mechanisms," he said in an interview with heise.de, and concluded: "As a U.S. company, Microsoft must comply with U.S. jurisdiction—regardless of what the marketing promises say."
In the same report, attorney Stefan Hessel disagrees and argues that a European subsidiary of a U.S. cloud provider is not bound by U.S. law: "According to Article 28(3) of the GDPR, cloud providers as data processors may only process data based on the instructions of the customer. An exception to this principle only applies if they are obliged to process the data under EU law or the law of an EU Member State," Hessel is quoted as saying by Heise. On this reading, Microsoft in Europe would not be allowed to comply with U.S. information requests.
US Sanctions Override Legal Principles
It was only in May of this year that Microsoft caused a stir when the U.S. company temporarily blocked email access to the International Criminal Court (ICC) in The Hague. The reason was a sanction imposed by the Trump administration against individual ICC investigators who had come under scrutiny for their work on alleged U.S. war crimes in Afghanistan. Access to official communications was cut off without prior warning.
The reactions from Europe were correspondingly clear. Microsoft made efforts to mitigate the damage afterwards and promised that in the future it would no longer block accounts solely based on U.S. directives but would first review legal options. The case exemplifies how political decisions in Washington can fully impact European IT structures—even when the data is physically located in the EU.
Consequences for Industry And Administration
European companies and authorities must once again weigh how sustainable their trust in U.S. cloud providers like Microsoft, Google, or Amazon is—especially when it comes to critical infrastructures or personal data.
Brussels is becoming increasingly impatient. The EU is advocating for greater independence and is exploring new approaches to promote European cloud ecosystems. Projects like Gaia-X, which long operated in the shadow of the major hyperscalers, could gain new momentum as a result. For example, Nextcloud, the self-hosted open-source cloud solution, has reported that its growth has tripled since the start of the year, which it attributes to concerns over digital sovereignty. (mc)
Date: 08.12.2025