In a pivotal moment for global data privacy, Microsoft has acknowledged its inability to guarantee that data stored in European Union (EU) data centers is immune from access by U.S. authorities. This admission, made under oath by Anton Carniaux, Microsoft's Director of Public and Legal Affairs in France, during a French Senate hearing on June 10, 2025, has ignited a worldwide debate on data sovereignty and the control of cloud infrastructure.

The crux of the issue lies in the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in 2018, which empowers U.S. law enforcement agencies to compel American companies to provide data stored on servers, regardless of their physical location. This legislation effectively means that data stored by U.S.-based cloud providers, even within the EU, remains subject to U.S. jurisdiction.

During the Senate inquiry, Carniaux was asked whether he could guarantee that French citizens' data would never be transmitted to U.S. authorities without explicit French government consent. He responded: "No, I cannot guarantee that." He further explained that while Microsoft is contractually committed to resisting unfounded requests, the company is legally obligated to comply with valid U.S. government orders.

This revelation has profound implications for European nations striving for digital sovereignty. Despite efforts to localize data storage within Europe, the jurisdictional reach of U.S. laws like the CLOUD Act undermines these initiatives. European leaders have been increasingly vocal about reducing dependence on American tech giants, emphasizing the need for homegrown solutions to ensure data privacy and security.

In response to these concerns, Microsoft has pledged to protect its European operations. In April 2025, Brad Smith, Microsoft's President, announced plans to expand data center operations across Europe and committed to contesting any U.S. government orders that could disrupt cloud services in the region. Smith emphasized that Microsoft would vigorously challenge such directives in court and implement business continuity plans, including hosting critical code in Switzerland.

However, critics argue that these measures may not be sufficient. Mark Boost, CEO of Civo, highlighted the limitations posed by the CLOUD Act, stating that it undermines claims by hyperscalers like Microsoft, Google, and Amazon that they provide true data sovereignty to European users. Boost called on other countries to follow France’s lead in rigorously questioning hyperscalers and reconsidering their dependence on U.S.-based cloud services.

The debate extends beyond Microsoft. Other U.S. cloud providers, including Amazon Web Services and Google Cloud, are subject to the same legal obligations under the CLOUD Act. This raises broader questions about the viability of achieving true data sovereignty while relying on infrastructure controlled by foreign entities.

European initiatives like the Gaia-X project aim to build a federated data infrastructure to reduce reliance on non-European providers. However, these efforts face challenges, including regulatory fragmentation and limited access to venture capital. Policymakers stress the need for increased investment in local technologies and the development of a robust digital ecosystem to achieve genuine digital autonomy.

In conclusion, Microsoft's admission underscores the complex interplay between global cloud services and national data sovereignty. As nations grapple with these challenges, the path forward will likely involve a combination of regulatory measures, investment in local infrastructure, and international cooperation to balance the benefits of cloud computing with the imperative of data privacy and security.