Microsoft France officials told a French Senate committee that they "cannot guarantee" French citizens’ data would never be transferred to U.S. authorities without French agreement. The June 2025 testimony, delivered under oath by Microsoft France’s director of public and legal affairs Anton Carniaux, pierced a long-standing industry narrative that technical and contractual measures could shield European cloud data from U.S. extraterritorial legal reach. "It's a question of trust," OVHcloud Chief Legal Officer Solange Viegas Dos Reis told The Register. "And because of this question of trust, we have been receiving a lot of questions from our customers."

For years, hyperscalers including Microsoft marketed regional data boundaries, customer-managed encryption keys (CMKs), and contractual promises as proof that data would stay local and beyond foreign government grasp. Carniaux’s one-word answer — "No" — exposed the legal reality that U.S. law trumps these safeguards. The admission sent a shockwave through boardrooms and procurement departments, forcing a reckoning over what cloud sovereignty actually means.

The CLOUD Act and the Illusion of Absolute Protection

The legal scaffolding that makes cloud services globally useful also creates jurisdictional tension. The U.S. Clarifying Lawful Overseas Use of Data Act — the CLOUD Act — allows U.S. law enforcement to compel U.S.-based companies to disclose data within their "possession, custody, or control," even when that data is physically stored outside the United States. While the law provides a narrow path for providers to challenge overly broad requests on comity grounds, it does not make U.S. jurisdictional reach disappear. This means any company subject to U.S. jurisdiction — including Microsoft’s parent corporation — can be forced to hand over data housed in European data centers if a valid U.S. court order demands it.

Microsoft has invested heavily in EU Data Boundary initiatives, encrypting data at rest and in transit, and offering customer-managed keys. It has also pledged to challenge invalid government demands and, where possible, redirect law enforcement to obtain data from the customer directly. But in the Senate hearing, Carniaux made clear that these measures are not legal firewalls. If a U.S. legal demand survives judicial scrutiny, compliance is mandatory. This is not a Microsoft-specific vulnerability; it applies to any U.S.-headquartered cloud provider.

OVHcloud’s Three Pillars of Sovereignty

OVHcloud, a European rival to hyperscalers, has seized the moment to articulate a more granular definition of sovereignty. Chief Legal Officer Solange Viegas Dos Reis breaks the concept into three distinct, actionable pillars — a taxonomy now influencing public-sector RFPs and enterprise risk assessments.

Data sovereignty covers legal compliance and the ability to keep data within chosen jurisdictions. It asks: Which country’s laws apply to my data? Can it be processed for secondary purposes without consent, such as training large language models? Achieving true data sovereignty requires not just data residency but a legal chain of custody that resists extraterritorial coercion.

Technical sovereignty addresses interoperability, reversibility, and control over the infrastructure supply chain. It means being able to move data and workloads between providers without prohibitive cost or technical lock-in. Open APIs, documented egress paths, and the ability to change components of the supply chain reduce dependency and risk.

Operational sovereignty focuses on who can access the data day-to-day. Even if data sits in a local data center, remote support staff in a third country could view sensitive information. Localized personnel, just-in-time access, and strict geo-fenced admin roles are essential to close this gap.

Viegas Dos Reis argues that sovereignty is "not cherry picking — it's a war, and it's all around the freedom of choice of the customer." The admission from Microsoft France, she says, merely confirmed what European privacy advocates have warned for years.

GDPR vs. CLOUD Act: A Compliance Collision

Two legal regimes collide in real terms. The GDPR prohibits transfers of personal data to third countries without adequate safeguards, while the CLOUD Act may compel U.S. companies to disclose data regardless of its physical location. GDPR Article 48 and subsequent guidance only partially reconcile these tensions. In practice, a provider facing a lawful U.S. demand may breach its EU contractual commitments with no practical recourse for the customer. This narrow, fact-specific friction makes blanket promises of inviolable sovereignty legally untenable.

What Microsoft Did — and Didn’t — Say

The testimony before the French Senate was precise:
- Microsoft has implemented technical measures to keep EU customer data within the EU/EFTA.
- It will analyze and challenge overly broad demands, and it publishes transparency reports on government requests.
- However, if a U.S. legal demand is valid and survives a comity challenge, Microsoft may be obliged to comply.

Crucially, Carniaux stated that such compelled cross-border disclosures had "never happened before" for European commercial data, but he refused to offer an absolute guarantee for the future. That distinction — between historical fact and legal possibility — is the fulcrum of the trust crisis.

The Practical Fallout: What Enterprise Customers Must Do

The admission forces a hard truth: no cloud contract can legislate away U.S. statutory reach. Enterprises must layer mitigation strategies:
- Data mapping and classification: Identify which datasets carry high sovereignty risk — health records, proprietary R&D, national security information — and tag them accordingly.
- Tiered placement: Keep the most sensitive data in on-premises systems, sovereign clouds with no foreign legal footprint, or fully customer-controlled encryption where keys are held outside the provider’s reach.
- Cryptographic controls: Adopt customer-managed keys (CMK) or bring-your-own-key (BYOK) models, and consider confidential computing to protect data in use. But note that many cloud services require plaintext access, limiting full encryption.
- Contractual hardening: Negotiate explicit indemnities, audit rights, and transparency clauses. While these can’t override a court order, they establish legal posture and vendor accountability.
- Reversibility by design: Ensure open data formats, documented APIs, and planned migration paths with cost estimates. This weakens vendor lock-in and retains freedom to move if geopolitical risk shifts.
- Operational guardrails: Require local support staff for privileged access, implement strict role-based access controls, and demand geo-fenced administrative consoles.

What Parts of the Sovereignty Toolbox Actually Work?

Not all technical safeguards are equal. Customer-held encryption keys drastically reduce exposure because the provider never possesses the plaintext. But for many enterprise applications — SaaS, AI training, analytics — full end-to-end encryption isn’t feasible. Geographic controls (regional data centers) help compliance and prevent accidental exfiltration, yet they do not block a U.S. court order served on the parent company. Contractual residency assurances are meaningful until a statute intervenes. Transparency reports and litigation pledges are good governance signals but are purely defensive: they impose process friction but cannot bar a valid production order.

The Geopolitical Market Shift

Microsoft’s admission is accelerating an economic realignment. Governments and regulated industries — finance, healthcare, defense — now factor jurisdictional risk into cloud procurement scores. Sovereign cloud services are moving from a niche demand to a mainstream requirement, reshaping total cost of ownership calculations. European providers like OVHcloud, Deutsche Telekom, and others see a window, but they face scale and innovation gaps. Hyperscalers are responding with more granular sovereignty packages (local processing, localized support, contractual indemnities), yet their legal structure as U.S. entities remains the limiting factor.

This realignment will require procurement reforms, standardized sovereignty certifications, and possibly new executive agreements that reconcile foreign law-enforcement access with privacy safeguards. Without multilateral frameworks, the tension will persist.

A Pragmatic Bottom Line

The news isn’t that the CLOUD Act exists — specialists have long understood its reach. The shock is the public, unspinnable confirmation that technical marketing promises cannot override a U.S. statute. For organizations, the path forward isn’t panic but deliberate, layered defense. Assume neither perfect immunity nor total exposure. Design architectures, contracts, and operational protocols that minimize the attack surface while preserving the agility that cloud delivers. As OVHcloud’s Viegas Dos Reis told The Register, "Each company should have a clear strategy on the management of its data and of its dependencies, and each company should map the data, map the needs." The weeks ahead will test whether that mapping leads to true digital sovereignty or just more contractual theater.