- Microsoft is legally obliged to comply
- This means that the US government can ask to see all data, including data held in sovereign clouds
- Only companies outside US jurisdiction, or data protected by privately held encryption keys, are exempt
Microsoft has admitted that it cannot guarantee data sovereignty for customers in France or other EU countries under the US Cloud Act, which gives the US government access to data held by US-based tech companies, even if this data is stored abroad.
Asked about legal protection against US access to EU data, Microsoft France representatives Anton Carniaux and Pierre Lagarde confirmed that the company would analyze and resist any unfounded US data requests, but that it is ultimately legally obliged to comply with valid ones.
Importantly, the company has never received a US data request for information stored in Europe, according to its transparency reports, but ongoing geopolitical tensions have left sovereign nations concerned.
Microsoft cannot guarantee data sovereignty
Microsoft emphasized that it has systems in place to minimize data transfers and keep EU customer data within the EU, but Carniaux acknowledged that he could not guarantee that the United States would not access French citizens' data without the consent of the French government, which raised huge concerns.
Earlier this year, the EU Data Boundary for the Microsoft Cloud project was confirmed complete, with other hyperscaler rivals also investing heavily in European sovereignty, but recent developments show that these efforts fall short.
Interestingly, AWS, Microsoft and Google all supported the bill when it was adopted, so this is not news to them.
“UK or EU servers make no difference when jurisdiction is elsewhere, and local subsidiaries or ‘trusted’ partnerships do not change that reality,” explained Civo CEO Mark Boost.
Boost added that this weakness threatens national security, personal privacy and business competitiveness.
Ultimately, the bottom line is that data residency and location are not the same as jurisdiction – even European companies operating in the United States, such as OVHcloud, are subject to US government requests for data.
And even though EU legislation steadily adds friction, absolute sovereignty cannot be guaranteed unless a provider is beyond US jurisdiction or the customer is the only holder of the encryption key.
Via The Register



