The Great Cloud Illusion: Why Our Government Data Is Never Safe with US Corporations
Dangerous dependency: When US laws simply override European data protection
TikTok vs. Microsoft: The bitter double standard regarding data sovereignty
A seemingly technical process has turned into a full-blown political scandal: Microsoft has handed over internal documents containing the unredacted names of European officials to the US Congress. Those affected are precisely the regulators tasked with enforcing the stringent Digital Services Act (DSA) against US tech giants. This incident ruthlessly exposes the dangerous illusion of so-called European "digital sovereignty." While European governments and authorities continue to rely on "sovereign cloud" solutions from American hyperscalers, legal reality proves that US laws like the Cloud Act and simple parliamentary subpoenas can easily undermine European safeguards. The case vividly demonstrates how, when push comes to shove, US technology companies must act as an extension of Washington – and forces Europe to the painful realization that true data sovereignty without its own independent infrastructure remains pure fiction.
Europe's digital sovereignty is not a promise – it is an illusion
In May 2026, the Dutch news magazine Vrij Nederland revealed an incident that, while not technically new, has immense political ramifications. Microsoft had passed on internal documents containing emails, meeting minutes, and invitations to a US House of Representatives investigative committee—without redacting the names of the Dutch officials mentioned in them. Those affected were employees of the Dutch Authority for Consumers and Markets (ACM) and the Dutch Data Protection Authority (AP), precisely the bodies responsible for enforcing the Digital Services Act (DSA).
Precision is crucial here to avoid oversimplification: Contrary to initial media reports, this incident is not a classic Cloud Act request, where US authorities access customer data stored in the cloud. The legal basis was a House subpoena, which compelled Microsoft to hand over its own internal business correspondence—that is, communication between Microsoft's own government relations team and European authorities. The failure to anonymize the names of the officials in these documents was, according to all available information, not an explicit part of the subpoena, but rather a corporate oversight on Microsoft's part.
This technical nuance, however, does not change the fundamental political explosiveness of the incident; in fact, it exacerbates it. The message is clear: It doesn't even require the Cloud Act in its full force for US political institutions to gain access to the identities of European regulators working on legislation that is a political thorn in the side of the US. A simple parliamentary subpoena is sufficient.
Dutch State Secretary Willemijn Aerdts described the disclosure of the names as "undesirable" and sought a meeting with US Ambassador Joe Popolo. State Secretary Eric van der Burg announced that he would have an investigation conducted into the precise channels by which the data was shared. These reactions demonstrate institutional unease – but fall far short of what the seriousness of the situation would demand.
The political motive: DSA as a battleground between Brussels and Washington
To fully understand the incident, the geopolitical context must be considered. The Digital Services Act, which has applied to the largest platforms since August 2023 and to all digital services since February 2024, obliges companies like Google, Meta, and Microsoft to meet stricter requirements regarding content moderation, transparency in algorithms, and the protection of users from illegal content. The Trump administration and large segments of the Republican-dominated House of Representatives view this law as a European-style censorship attempt that harasses US technology companies through regulation and harms free speech.
This hostility has already had tangible consequences: The US imposed an entry ban on former EU Commissioner Thierry Breton, whom they refer to as the "father" of the DSA. Reuters reported that Washington is considering imposing sanctions on individuals responsible for enforcing the DSA. Against this backdrop, the Dutch officials now identified have not only suffered abstract violations of their privacy—they could theoretically be placed on a sanctions list or subjected to entry bans to the US based on this unredacted data.
The House of Representatives specifically requested internal correspondence from technology companies like Google, Meta, and Microsoft regarding the implementation of European regulatory projects in order to bolster its criticism of the Digital Services Act (DSA) with evidence. Microsoft complied with this order—a US corporation that must defer to its own legislature. Whether leaving the names of European officials unredacted was negligence or deliberate calculation, the effect is the same.
The Cloud Act: Anatomy of a law that Europe has underestimated to this day
Even though the specific incident in the Netherlands does not fall directly under the Cloud Act, an understanding of this law is essential for fully grasping the structural vulnerabilities of European institutions. The Clarifying Lawful Overseas Use of Data Act was passed by the US Congress on March 23, 2018. It expanded the Stored Communications Act of 1986 and clarified what had previously been a point of contention: US authorities—including the FBI, DOJ, and others—can demand that US technology companies hand over electronic data in their possession, custody, or control, regardless of whether that data is stored on servers in the US or in Europe.
Ironically, the trigger for the law was a lawsuit initiated by Microsoft itself. The company had refused to hand over a customer's data stored on a server in Ireland, arguing that then-current US law did not have extraterritorial effect. The Supreme Court was about to rule on the matter when the Cloud Act rendered the case moot by explicitly establishing extraterritorial scope in law. Microsoft's attempt to exploit a loophole in the law ultimately led to the legislative closing of that very loophole.
The law has two key mechanisms. First, it obligates US providers to immediately disclose data upon request from US authorities, provided there is a judicial search warrant that establishes sufficient grounds for a criminal offense. Second, it allows the US to conclude bilateral "Executive Agreements" with other countries to establish reciprocal direct data access—a framework the US has already implemented with the United Kingdom and Australia. No such agreement currently exists for the EU, which perpetuates the asymmetrical situation for European users of US cloud services.
Particularly problematic are the so-called gag orders: authorities can compel providers to refrain from informing affected customers about pending data requests for up to 180 days. This fundamentally contradicts the GDPR principle of transparency and creates a structural compliance dilemma for US corporations serving European customers.
The fundamental legal conflict between the Cloud Act and the GDPR
The conflict between the Cloud Act and the General Data Protection Regulation (GDPR) is not subtle—it is an open, unresolved legal dispute between two competing jurisdictions. The GDPR, specifically Article 48, stipulates that data transfers to third countries may only take place on the basis of an international agreement—such as a Mutual Legal Assistance Treaty (MLAT)—or another appropriate safeguard. The Cloud Act completely bypasses MLATs and allows US authorities unilateral, direct access without the involvement of European courts or data protection authorities.
This creates a classic compliance dilemma for affected companies: those who comply with a US government order risk violating the GDPR, which can result in fines of up to €20 million or four percent of global annual turnover. Those who refuse the US order risk sanctions under US law and potential legal repercussions in the US. US cloud providers are caught in this contradiction, and their European customers bear the risk without being parties to the proceedings themselves.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) clarified in a joint statement in 2019 that the Cloud Act has very limited options under EU data protection law to make data transfers to US authorities lawful. The European Court of Justice's 2020 Schrems II ruling reinforced this assessment by invalidating the Privacy Shield framework and clarifying that contractual safeguards alone cannot override foreign access rights.
Microsoft's public promises and the reality of systemic coercion
Microsoft has pursued a consistent communication strategy for years: It will take legal action against unjustified US government requests, has done so successfully in the past, and protects customer data by all available means. Brad Smith, Microsoft's vice chairman, told the Dutch broadcaster NOS: "A US court order may apply to information stored outside the US – but we would take this to court."
This assurance sounds reassuring, but it obscures the structural limitations of this position. The current incident was not a request that Microsoft could or would have challenged. The company simply complied with a parliamentary subpoena directed at itself, without exercising particular care in anonymizing third parties. Furthermore, Microsoft has admitted in various international contexts that ultimately, there can be no absolute guarantee of data sovereignty for European users. Before the French Senate, Microsoft's legal advisor, Anton Carniaux, testified under oath in June 2025 that he could not guarantee that the data of French citizens would never be transferred to US entities without the authorization of the French authorities. In a letter to Scottish police authorities, Microsoft stated that the company "cannot guarantee data sovereignty for M365."
These admissions are not mere legal safeguards. They describe the structural reality in which a US technology company finds itself: It is subject to US law, regardless of where its servers are located, regardless of what its contracts with European customers promise.
A precedent with far-reaching consequences: The ICC incident
The Netherlands case is not an isolated incident, but rather part of a disturbing pattern. Also in 2025, Microsoft, acting on behalf of the Trump administration, blocked the official email account of Karim Khan, the chief prosecutor of the International Criminal Court (ICC), after Trump imposed sanctions against him. The ICC is based in The Hague – ironically, in the Netherlands. Microsoft implemented a US government order, thereby cutting the highest representative of an international legal institution off from digital access.
Khan was subsequently forced to switch to the service of the Swiss provider Proton Mail. The reaction from European politicians and international legal experts was appalled – but the pattern is clear: A US technology company becomes an extension of US foreign policy as soon as the US government orders it to be. Service contracts, data protection commitments, and institutional neutrality are secondary considerations in this system.
Microsoft stated that the suspension was carried out in consultation with the ICC and applied solely to Khan as an individual being sanctioned, not to the institution as a whole. However, this distinction ignores practical reality: if an international agency's operational infrastructure relies on US cloud services, that agency is structurally vulnerable to US sanctions orders.
Double standards in the cloud: Why TikTok is judged differently in the US than Microsoft in Europe
The double standard argument: TikTok in America vs. Microsoft in Europe
At this point, a consideration that is too rarely made explicit in public debate becomes unavoidable. The US banned TikTok, or rather forced its sale, on the grounds that a Chinese parent company could theoretically pass user data to the Chinese government or censor content. The measure was justified on the grounds of national security, based on a risk scenario, not on proven incidents.
At the same time, Europe is celebrating what is structurally the same model that the US is targeting with TikTok as a "sovereign cloud breakthrough": a foreign company operating local infrastructure but remaining subject to the jurisdiction of its home country. The only difference is that in the European case, the "foreign" country is the US – and that Europe lacks a comparable strategic resolve to identify and end this dependency.
US legislation considers the Cloud Act a legitimate law enforcement tool. China's comparable capabilities through companies like Huawei or ByteDance, however, are viewed as a national security risk. In both cases, Europe sits at the negotiating table without leverage because it has not built a competitive, independent digital infrastructure.
Europe's reaction: Between political insight and structural inertia
European institutions have recognized the gravity of the situation – at least rhetorically. As early as March 2025, a majority of the Dutch parliament called on the government to halt the migration of sensitive government data to US cloud services and to develop its own European solutions. An investigation by the Dutch Court of Auditors revealed that of 1,588 government cloud services, 700 were based on open US platforms.
In April 2026 – even before the DSA official incident became public – the Dutch government concluded a framework agreement with the German provider STACKIT (Schwarz Digits, the digital division of the Lidl Group). This agreement guaranteed legally compliant data storage exclusively within the EU and included audit rights for the government. The contract also contained a termination clause should control of the services be transferred outside the European Economic Area. This was a significant signal, even if it resembled a political statement more than a short-term operational solution, as the existing IT infrastructure of the Dutch authorities remains largely under US control for the time being.
At the EU level, the European Commission awarded contracts worth up to €180 million for sovereign cloud services to four European providers in April 2026: a Luxembourg-French consortium of Post Telecom, OVHcloud and CleverCloud; STACKIT; Scaleway; and Proximus with S3NS, Clarence and Mistral. The tendering process followed a specially developed cloud sovereignty framework with eight objectives, including data residency, legal immunity from third countries, and technological openness.
At the same time, the European Commission is preparing a comprehensive tech sovereignty package that is expected to prohibit the use of US cloud providers' services for sensitive public sector data in areas such as healthcare, justice, and finance. Handelsblatt exclusively reported in May 2026 on a draft proposal stipulating that European AI and cloud providers should be given preference in public procurement. While US providers will not be categorically excluded, they will be left out of consideration for the highest security levels – because the Cloud Act makes absolute sovereignty certification structurally impossible.
The “Sovereign Cloud” Illusion: When contracts cannot replace the law
One of the most consequential misconceptions in European digital policy in recent years was the belief that physically storing data in European data centers of a US provider would offer sufficient protection against US government access. Microsoft, Amazon, and Google cultivated this misconception with considerable marketing effort: "EU Data Boundary," "European Sovereign Cloud," "Sovereign Controls"—the products have impressive names, but a fundamental design flaw.
The fundamental problem: Sovereignty follows ownership, not server location. Anyone using a US cloud provider is subject to US jurisdiction – regardless of whether the data is located in Frankfurt, Amsterdam, or Seattle. Microsoft Vice President Brad Smith explicitly confirmed this: "A court order in the United States can apply to information held outside the US." The European Court of Justice's Schrems II ruling in 2020 already clarified that standard contractual clauses alone do not provide sufficient protection if the law of the host country does not guarantee a comparable level of protection.
The "sovereign cloud" solutions offered by US hyperscalers address some legitimate needs, such as national data localization or compliance reporting, but they cannot eliminate the structural problem of US legal jurisdiction. External key management, data residency policies, and EU operating models are technical measures that reduce access risks, but cannot eliminate them entirely—as confirmed by Microsoft's own court and parliamentary testimony.
Economic dimension: The cost of digital dependency
Beyond the data protection and political dimensions, Europe's structural dependence on US cloud providers has a significant economic component that is rarely explicitly quantified. According to estimates by the European Commission, US providers control around 70 percent of the European cloud market, led by Amazon and Microsoft. This market dominance not only means dependence on companies subject to foreign law, but also a massive capital outflow from Europe to the US and a structural underdevelopment of the European technology ecosystem.
Entrusting your data to a US corporation funds its research and development budgets, provides training data for AI systems, and strengthens the market power of companies that can be used as leverage in US foreign policy. The billions of euros earmarked in European budgets for Microsoft 365, Azure, AWS, or Google Cloud flow into an economic system that, when push comes to shove, subordinates European interests to its own. Furthermore, 44 percent of European companies cite a lack of sovereignty guarantees from providers as a key obstacle to cloud adoption, and 32 percent reported a "sovereignty incident" last year – most commonly unauthorized cross-border data transfers.
The European digital economy faces a structural dilemma: In the short term, US hyperscalers offer superior technological performance, deeper integration, and lower costs than European alternatives. In the long term, however, they cement a dependency that, with increasing geopolitical tension between the EU and the US, poses an existential governance risk to public institutions. The transition to European alternatives is not a political luxury, but a matter of institutional integrity.
Technical and legal options for European institutions
For public institutions and companies that genuinely strive for data sovereignty, rather than merely simulating it, the analysis reveals a clear set of requirements. First, using cloud services from European providers without a US parent company is the only way to structurally exclude the jurisdiction of the Cloud Act. Providers such as STACKIT, OVHcloud, Scaleway, Hetzner, and IONOS (1&1) offer, to varying degrees, GDPR-compliant services that are not subject to US law.
Secondly, client-side encryption with European-managed keys provides an additional layer of protection, which can theoretically also be applied with US providers. If data is encrypted before being transferred to the cloud and the provider has no access to the key, the raw data is unreadable to US authorities – even if the provider were obligated to hand over the encrypted files. Thirdly, every procurement decision should include a full Data Protection Impact Assessment (DPIA) that explicitly assesses and documents the Cloud Act risk.
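Envelope encryption of the kind the second recommendation describes, as an added example that is not from the article or from any provider's SDK: the key-encryption key (KEK) stays with an EU-side key holder, the provider stores only ciphertext plus a data key wrapped under that KEK, and a handover of what the provider stores yields nothing readable. The euKeyHolder and cloudObject types are constructed here purely for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// euKeyHolder models a key-management service run by a European entity: the
// key-encryption key (KEK) stays here and is never sent to the provider.
type euKeyHolder struct{ kek []byte }

// cloudObject is everything the provider stores, hence all it could hand over.
type cloudObject struct {
	Ciphertext []byte // AES-256-GCM(DEK, record), nonce prepended
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts msg under key with a fresh random nonce prepended.
func seal(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // cannot fail as of Go 1.24; check the error on older toolchains
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// open reverses seal; it fails on the wrong key or on any tampering.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// encryptForUpload runs on the EU client before anything reaches the provider:
// fresh DEK per record, encrypt, wrap the DEK under the KEK, drop the raw DEK.
func encryptForUpload(h *euKeyHolder, record []byte) (obj cloudObject, err error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	if obj.Ciphertext, err = seal(dek, record); err != nil {
		return obj, err
	}
	obj.WrappedDEK, err = seal(h.kek, dek)
	return obj, err
}

// decryptFromCloud: only a party holding the KEK can unwrap the DEK and read.
func decryptFromCloud(h *euKeyHolder, obj cloudObject) ([]byte, error) {
	dek, err := open(h.kek, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}

// providerCanRead models a handover without the KEK: true only if the record
// is recoverable from what the provider actually stores.
func providerCanRead(obj cloudObject, record []byte) bool {
	return bytes.Contains(obj.Ciphertext, record) || bytes.Contains(obj.WrappedDEK, record)
}
```

The residual risks the article names remain: the provider still sees metadata and access patterns, and a key holder that is itself a US entity would collapse the separation.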
Technological development increasingly makes it possible to achieve sovereignty not through isolation, but through architecture: federated systems, open-source platforms and zero-trust architectures that enforce control mechanisms technically, rather than promising them contractually.
A sober assessment: What this case means and what it does not mean
The Netherlands case is an important incident, but its specific mechanics are often misunderstood. It is not a classic Cloud Act case, in which customer data is released from a cloud. It is a case in which a US corporation fulfilled its own parliamentary obligation to provide information but failed to anonymize third parties. This is initially less dramatic—and then more dramatic, because it demonstrates how many US legal mechanisms, not just the Cloud Act alone, can jeopardize European government data.
However, what this case undoubtedly proves is that Microsoft, as a US company, operates under US law and will apply it if necessary. No contractual arrangement, no server location, and no sovereign cloud marketing campaign can change that. Anyone who truly wants to protect the integrity of government data, sensitive trade secrets, or personal data cannot do so with absolute certainty on US infrastructures.
The Digital Freedom Bavaria initiative, Xpert.Digital, and other voices that have been pointing to these systemic issues for years have been structurally proven right in their analysis: The debate has been relegated to the comfort zone of appeasements and contractual promises for far too long. This case makes the structural dilemma visible – and the political consequences that would inevitably follow from genuine digital sovereignty unavoidable.
The answer to the question of whether Microsoft's software constitutes "spyware" is more nuanced: The company is not an active spy agent proactively monitoring European authorities. However, it is a company that is structurally unable, and possibly unwilling, to fully defend European data sovereignty against US government directives. This makes US cloud services structurally unsuitable for sensitive public and government data—regardless of how one defines the term "espionage" legally or morally.
Perspective: Europe's digital sovereignty as a key strategic issue
Europe's digital dependency is the result of two decades of political short-sightedness, a lack of investment in its own technology ecosystems, and an economic logic that prioritized efficiency gains over sovereignty risks. The Commission's allocation of €180 million for sovereign cloud services, the Netherlands' STACKIT framework agreement, and the announced tech sovereignty package are first steps in the right direction—but they remain modest given the scale of the problem and the speed of geopolitical escalation.
Digital sovereignty is not a demand for digital nationalism or for isolating global technology markets. It is the fundamental requirement that democratic institutions retain actual control over the systems on which their work is based – and that this control cannot be undermined by extraterritorial legislation from a third country. As long as Europe has not built competitive alternatives on a critical mass and public bodies still operate on thousands of US cloud-dependent systems, any assurance of data sovereignty is a political fiction – nicely packaged in server location marketing language.
The incident in the Netherlands is a wake-up call. Whether Europe wakes up remains the crucial question.