

Microsoft confirms under oath: US authorities can access European data despite EU clouds

Published on: July 21, 2025 / Updated on: July 21, 2025 – Author: Konrad Wolfenstein


Under oath: Microsoft cannot prevent US access to EU cloud – data protection looks different despite previous bold promises

Why is Microsoft suddenly facing criticism again regarding data privacy?

Recent developments surrounding Microsoft have brought the issue of data sovereignty back into focus in Europe. In June 2025, Anton Carniaux, the chief legal officer of Microsoft France, made a statement in a public hearing before the French Senate that shook the foundations of the US corporation's previous security promises.

When directly asked by rapporteur Dany Wattebled whether he could guarantee under oath “that the data of French citizens entrusted to Microsoft via UGAP will never be disclosed at the behest of the American government without the express consent of the French authorities,” Carniaux answered unequivocally: “No, I cannot guarantee that, but it has never happened before.”

This statement carries particular weight because it was made under oath, thus underscoring Microsoft's legal obligation. UGAP (Union des Groupements d'Achats Publics) is a central procurement agency for the French public sector, providing IT services to schools, town halls, and municipal administrations. Carniaux further explained that Microsoft only has the option of refusing information requests from the US government if they are formally "unfounded."


What legal basis compels Microsoft to disclose data?

The legal obligation to disclose data is based on several US laws that bind Microsoft as a US company. The Patriot Act of 2001 and the Cloud Act of 2018, which builds upon it, require all US cloud providers to cooperate with the US government, the NSA, and other US intelligence agencies – even abroad.

The Cloud Act (Clarifying Lawful Overseas Use of Data Act) resulted from a years-long legal battle between Microsoft and the US government. US authorities demanded access to data belonging to a US citizen, which was stored on Microsoft servers in Ireland. Microsoft initially refused, citing Irish and EU data protection laws, but ultimately had to concede when Congress passed the Cloud Act in 2018.

The Cloud Act grants US authorities broad powers to demand the release of data from US companies – regardless of where that data is physically stored. This means that data in European data centers operated by Microsoft, Amazon, or Google is also subject to US law.

Andreas Mundt, head of the German Federal Cartel Office, warned of these dependencies as early as July 2025: “There are already political interventions in the digital infrastructure in the USA. This demonstrates the power on the other side and how dependent we are on US companies.” As an example, he cited an order from US President Trump to Microsoft to revoke access to the Microsoft email account of Karim Khan, the chief prosecutor of the International Criminal Court (ICC).

What does this mean for Microsoft's European data protection promises?

The revelations from the French Senate hearing call into question Microsoft's years-long efforts to gain European acceptance. The company had made massive investments in its "EU Data Boundary"—a project that lasted over two years and was completed in February 2025. This initiative was intended to ensure that data from European customers was stored and processed exclusively in EU data centers.

Microsoft President Brad Smith had boldly announced in April 2025 that the company would "sue the US government if necessary to protect European customers' access to its services." Smith, Microsoft's vice chairman and chief legal officer, stated at an Atlantic Council meeting in Brussels that the company would "legally challenge any government order in the US to shut down cloud services for European customers."

These assurances, however, prove worthless in light of legal realities. Even if Microsoft were to challenge government orders in court, the company would still have to implement them immediately, as experts point out, and in the best-case scenario it would be decided months or years later that the order was indeed unlawful. Furthermore, it is not even guaranteed that Microsoft would be allowed or willing to inform affected customers about the data access that has occurred.

How has the case of the International Criminal Court highlighted the problem?

The case of the International Criminal Court (ICC) dramatically illustrates the practical consequences of these dependencies. Following US sanctions against the ICC, Chief Prosecutor Karim Khan lost access to his Microsoft-based email account. The Associated Press reported that Khan also lost his bank accounts in Great Britain and had to switch to the Swiss email provider Proton Mail.

Microsoft denied having "physically blocked" the ICC's services, but could not explain who was responsible for the block. This confusion highlights the lack of transparency surrounding such interventions. Peter Ganten, chairman of the Open Source Business Alliance (OSBA), described Microsoft's actions as "unprecedented in this context and with this scope." The sanctions against the ICC, ordered by the US and implemented by Microsoft, should serve as "a wake-up call for all those responsible for the secure availability of governmental and private IT and communications infrastructures."


What alternatives does Europe offer with Gaia-X?

In light of these obvious risks, European alternatives such as Gaia-X are coming into focus. Gaia-X is an initiative launched in 2019 by Germany and France to build a “high-performance and competitive data infrastructure for Europe.” The project aims to create a federated, secure data infrastructure in which data can be exchanged in accordance with European values of transparency, openness, data protection, and security.

The core principle of Gaia-X is the preservation of data sovereignty: data owners should retain full control over their data and be free to decide with whom they share it or revoke access. In contrast to the centralized structures of the US hyperscalers, Gaia-X is based on a decentralized, federated system of interconnected nodes, built on open standards.

With the Gaia-X Digital Clearing Houses (GXDCH), the initiative has now entered an operational phase. These clearing houses act as control centers for Gaia-X services and certify compliance with Gaia-X standards. Four IT providers have already launched their first clearing houses: Aruba in Italy, T-Systems in Germany, and Aire Networks and Arsys in Spain. Other providers, such as OVH, Exaion, Orange, Proximus, A1.digital, KPN, and Pfalzkom, have announced plans to establish additional clearing houses.


What is Catena-X and why is it important?

Catena-X represents the first major application of the Gaia-X principles and demonstrates how European data sovereignty can work in practice. The Catena-X Automotive Network is developing a collaborative, decentralized data and service ecosystem along the entire automotive value chain.

The project, funded with over €100 million by the Federal Ministry for Economic Affairs and Climate Action, runs from August 2021 to July 2024. More than 80 companies, primarily from the German automotive and IT industries, are collaborating on this project. The Federal Cartel Office has given its approval for this cooperation, emphasizing that “properly designed initiatives like this one are promising, as they can help strengthen competition in cloud services in the future.”

Catena-X enables companies – from manufacturers and medium-sized suppliers to recycling companies – to benefit from data-driven management while being protected by European data sovereignty and privacy laws. The system is based on Gaia-X concepts and principles and extends them as needed.

Catena-X's core values include:

  • Trusted digital identity: Verified and unique corporate identities
  • Interoperability: Uniform open-source-based standards and KITs
  • Self-sovereignty: Decentralized architecture with full control over one's own data
  • Industry Governance: A Global Operating Model and Framework

 


Exit by US corporations: The great shift to European cloud alternatives

What specific advantages do European alternatives offer?

The European cloud alternatives offer several crucial advantages over the US hyperscalers:

  • Legal certainty: European providers are subject exclusively to European law and are not subject to extraterritorial laws such as the Cloud Act or Patriot Act. This means that data access can only take place on the basis of European mutual legal assistance agreements.
  • GDPR compliance: Since the data does not leave the EU, the strict requirements of the General Data Protection Regulation (GDPR) are automatically met. This eliminates the risk of GDPR violations, which can result in fines of up to €20 million or four percent of global annual turnover.
  • Data sovereignty: European solutions enable companies and public authorities to retain full control over their data. With open-source solutions, even the source code can be reviewed and adjustments made as needed.
  • Economic independence: Utilizing European alternatives reduces dependence on a few dominant US corporations and strengthens the European economy. Money doesn't flow out but remains within the European economic cycle.

Why have previous efforts to achieve digital sovereignty failed?

Despite years of political commitments to digital sovereignty, Europe lags significantly behind in its practical implementation. The reasons for this are manifold:

  • Lack of political resolve: Although the German government has declared digital sovereignty a strategic goal, there is a lack of a “consistent and strategic focus on open source software,” criticizes the Open Source Business Alliance. Instead, massive contracts continue to be concluded with US providers.
  • Organizational deficiencies: The French Senate found that “the state was unable to rise to the challenges when it came to guaranteeing national sovereignty.” Three major state actors – the Direction des Achats de l'État (DAE), the Direction des Affaires Juridiques (DAJ), and the Commissariat Général au Développement Durable (CGDD) – all failed to implement a coherent governance strategy.
  • Existing dependencies: Microsoft holds a market share of almost 70 percent in Germany for operating systems and office software. These historically grown dependencies significantly complicate the switch to European alternatives.
  • Lack of awareness of European solutions: Although high-quality European alternatives exist, they are “less well-known” and often not as affordable or user-friendly as the established US offerings.


What European alternatives already exist?

Contrary to popular belief, numerous competitive European alternatives to the dominant US services already exist. The website European-Alternatives.eu offers a comprehensive overview of European counterparts to Microsoft Office, Google, Gmail, Microsoft Teams, Dropbox, and other services.

  • Email and communication: ProtonMail from Switzerland, Posteo from Germany, and Tutanota offer compelling alternatives to Gmail and Outlook. These often even provide better security features such as end-to-end encryption.
  • Cloud storage: European providers such as Proton Drive, pCloud from Switzerland, Internxt from Italy and OVHcloud from France are successfully competing with American solutions.
  • Office software: German companies like Nextcloud and Ionos are jointly developing an office software alternative to Microsoft Office, based on open-source technology. LibreOffice is already established as an alternative to Microsoft Office.
  • Messaging and collaboration: Threema from Switzerland offers a secure alternative to WhatsApp, which is experiencing continuously increasing user numbers.
  • Cloud infrastructure: German providers such as IONOS, OVHcloud from France and other European providers offer Cloud Infrastructure as a Service solutions that can compete with AWS, Azure and Google Cloud.

What can Schleswig-Holstein and other pioneers teach us?

Schleswig-Holstein is the first German state to demonstrate how to practically break free from Microsoft dependency. Digitalization Minister Dirk Schrödter announced that the state is "well on track to have taken a major step towards independence with regard to Office applications by September 2025."

Specifically, this means:

  • Replacing Microsoft Office with LibreOffice
  • Replacing Outlook with open-source solutions like Thunderbird
  • Replacing Microsoft Exchange with Open Exchange
  • Building its own, publicly controlled IT infrastructure

Schleswig-Holstein is not alone: The Netherlands, Switzerland, and France are also working to reduce their dependence on Microsoft. The Netherlands, Germany, and France are even officially cooperating on the development of free office software.

Switzerland is already testing the German openDesk solution, while Denmark is having an intensified debate about its dependence on Microsoft following Trump's Greenland threats.

What role does open source play in digital sovereignty?

Open source software forms the foundation of true digital sovereignty. The Open Source Business Alliance (OSBA) defines digital sovereignty as "the ability to control, design, adapt, and, if necessary, replace digital systems and infrastructures and switch from one provider to another." This is only possible with open source software.

The four essential freedoms of open source software make this possible:

  • To understand the software (insight into the source code)
  • To use it without restriction
  • To change it
  • To redistribute it in modified or unmodified form

Open source ensures that the systems used are independently verifiable, customizable, and interchangeable. In times of geopolitical turmoil, this is also "a question of resilience and internal and external security, in order to prevent critical failures in the economy and public administration."

How can companies and authorities act?

The transition to European, sovereign IT solutions requires strategic planning and political will. Various measures are possible:

  • In the short term: Companies can at least rely on EU servers when using existing US cloud providers, even though a residual risk remains due to the Cloud Act. At the same time, Standard Contractual Clauses (SCCs) with transfer impact assessments should be concluded.
  • In the medium term: The gradual transition to European alternatives should be initiated. Less critical systems can be migrated initially to gain experience.
  • In the long term: The goal should be to build a fully European IT infrastructure using Gaia-X principles and open-source software.
  • Develop exit strategies: Companies should be prepared in case the EU-US Data Privacy Framework is suspended or other geopolitical disruptions occur.


What does this mean for the future of Europe?

The recent revelations about Microsoft's inability to protect European data from US access mark a turning point in the debate on digital sovereignty. Europe faces a choice: either it accepts permanent digital dependence on geopolitically motivated US corporations, or it invests consistently in its own sovereign alternatives.

The infrastructure for European data sovereignty already exists with Gaia-X and its practical applications such as Catena-X. The Digital Clearing Houses are operational, European cloud providers are ready, and open-source alternatives to proprietary software are available and mature.

What's lacking is the political will for consistent implementation. As long as authorities and companies continue to rely on US providers out of convenience or perceived cost advantages, Europe will remain digitally vulnerable. The realization that Microsoft cannot guarantee the protection of European data should be the final wake-up call.

Europe must act now – not out of anti-American resentment, but out of rational concern for its own digital future. The alternative to Gaia-X and Catena-X is not the status quo, but increasing digital subjugation to foreign laws and interests. The choice is ours.

The path to digital independence

Microsoft France's sworn statement that the company cannot guarantee the protection of European data from US authorities ends years of false security. The Cloud Act and the Patriot Act render any technical security measures ineffective if US authorities demand access to data.

Gaia-X and Catena-X are not just theoretical concepts, but operational realities that offer genuine alternatives to US cloud dominance. With Digital Clearing Houses, over 200 member companies in European associations, and growing investments in sovereign infrastructures, the technological foundation for digital independence has been laid.

The transition to digital sovereignty is no longer a utopian vision, but a practical necessity. Europe has a choice: digital self-determination through its own solutions or permanent dependence on companies that are ultimately subject to foreign laws and interests. The time for half-hearted compromises is over – Europe must decide.

 
