Microsoft confirms under oath: US authorities can access European data despite EU clouds

Published on: July 21, 2025 / update from: July 21, 2025 – Author: Konrad Wolfenstein

Under oath: Microsoft cannot prevent US access to the EU cloud – data protection looks different, despite earlier bold promises

Why is Microsoft suddenly under fire again over data protection?

The latest developments around Microsoft have brought the topic of data sovereignty in Europe back into focus. In June 2025, Anton Carniaux, head of legal affairs at Microsoft France, made a statement in a public hearing before the French Senate that shook the foundation of the US group's previous security promises.

Asked directly by rapporteur Dany Wattebled whether he could guarantee that the data of French citizens entrusted to Microsoft via UGAP would never be handed over by order of the American government without the express consent of the French authorities, Carniaux replied unmistakably: "No, I cannot guarantee that."

This statement carries particular weight because it was made under oath and thus underscores its legally binding character for Microsoft. The UGAP (Union des groupements d'achats publics) is a central purchasing body for the French public sector, which provides schools, town halls and municipal administrations with IT services. Carniaux further explained that Microsoft could only reject information requests from the US government if they were formally “unfounded”.

What is the legal basis for Microsoft's disclosure of data?

The legal obligation to hand over data rests on several US laws that bind Microsoft as a US company. The Patriot Act of 2001 and the CLOUD Act of 2018, which builds on it, oblige all US cloud providers to cooperate with the US government, the NSA and other US intelligence services – including abroad.

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) emerged after years of litigation between Microsoft and the US government. The US authorities demanded access to data from a US citizen that was stored on Microsoft servers in Ireland. Microsoft initially refused, citing Irish and EU data protection law, but ultimately had to give in when Congress passed the CLOUD Act in 2018.

The CLOUD Act grants US authorities far-reaching powers to demand the disclosure of data from US companies – regardless of where this data is physically stored. This means that data in the European data centers of Microsoft, Amazon or Google is also subject to US law.

Andreas Mundt, head of the Federal Cartel Office, warned of these dependencies as early as July 2025: "There are already political interventions in digital infrastructure in the USA. This demonstrates what power lies on the other side and how dependent we are on US companies". As an example, he cited an instruction from US President Trump to Microsoft to revoke the access of the chief prosecutor of the International Criminal Court (ICC), Karim Khan, to his Microsoft mail account.

What does this mean for Microsoft's European data protection promise?

The revelations from the French Senate hearing call into question Microsoft's years of efforts to win European acceptance. The company had made massive investments in its “EU Data Boundary” – a project that lasted over two years and was completed in February 2025. This initiative was intended to ensure that data from European customers is stored and processed only in EU data centers.

Microsoft President Brad Smith had announced in April 2025 that "the US government would be sued if necessary to protect the access of European customers". Smith, the vice chair and top lawyer of Microsoft, said at a meeting of the Atlantic Council in Brussels that the provider will "contest every official order in the USA to suspend cloud services for European customers".

However, these assurances prove to be worthless in view of the legal realities. Even if Microsoft took legal action against official orders, the company would have to “implement this immediately in case of doubt – in the best case, after months or years, it is decided that it was illegal,” as experts criticize. In addition, it is not even guaranteed that Microsoft is allowed or willing to provide information about data access.

How did the case of the International Criminal Court illustrate the problem?

The case of the International Criminal Court (ICC) drastically illustrates the practical effects of these dependencies. After US sanctions against the ICC, chief prosecutor Karim Khan lost access to his Microsoft-based email account. The Associated Press reported that Khan had also lost his bank accounts in Great Britain and had to switch to the Swiss email provider Proton Mail.

Microsoft denied that it had "physically blocked" the services for the ICC, but could not explain who was then responsible for the blocking. This confusion illustrates the lack of transparency in such interventions. Peter Ganten, chairman of the Open Source Business Alliance (OSBA), described Microsoft's actions as “unprecedented in this context and with this scope”. The sanctions against the ICC, ordered by the United States and implemented by Microsoft, should be “a wake-up call for all those responsible for the safe availability of state and private IT and communication infrastructures”.

What alternatives does Europe offer with Gaia-X?

In view of these obvious risks, the focus is on European alternatives such as Gaia-X. Gaia-X is an initiative launched by Germany and France in 2019 to set up a “high-performance and competitive data infrastructure for Europe”. The project aims to create a federated, secure data infrastructure in which data can be exchanged with transparency, openness, data protection and security in accordance with European values.

The core principle of Gaia-X is the preservation of data sovereignty: data owners should be able to keep full control over their data and freely decide with whom they share it or from whom they withdraw access. In contrast to the centralized structures of the US hyperscalers, Gaia-X is based on a decentralized, federated system of networked nodes built on open standards.

With the Gaia-X Digital Clearing Houses (GXDCH), the initiative has now entered an operational phase. These clearing houses act as control centers for Gaia-X services and certify compliance with the Gaia-X standards. Four IT providers have already launched their first clearing houses: Aruba in Italy, T-Systems in Germany, and Aire Networks and Arsys in Spain. Other providers such as OVH, Exaion, Orange, Proximus, A1.digital, KPN and Pfalzkom have announced the establishment of additional clearing houses.

What is Catena-X and why is it important?

Catena-X represents the first major application of the Gaia-X principles and shows how European data sovereignty can work in practice. The Catena-X Automotive Network is developing a collaborative, decentralized data and service ecosystem along the entire automotive value chain.

The project was funded by the Federal Ministry of Economics and Climate Protection with over 100 million euros and ran from August 2021 to July 2024. More than 80 companies, mainly from the German automotive and IT industry, work together in this project. The Bundeskartellamt has given the green light for this cooperation and emphasized that “properly set up initiatives such as the present one are promising because they can help to strengthen competition in cloud services in the future”.

Catena-X enables companies – from manufacturers to medium-sized suppliers to recycling companies – to benefit from the advantages of data-based administration while being protected by European law in terms of data sovereignty and data protection. The system is based on the Gaia-X concepts and principles and extends them as required.

Catena-X's core values include:

  • Trusted digital identity: verified and unique corporate identities
  • Interoperability: uniform open source-based standards and kits
  • Self-determination: decentralized architecture with full control over your own data
  • Industry governance: a global operating model and framework

 

 

Exit US corporations: The big switch to European cloud alternatives

What specific advantages do European alternatives offer?

The European cloud alternatives offer several crucial advantages over the US hyperscalers:

  • Legal security: European providers are subject only to European law and not to extraterritorial laws such as the CLOUD Act or the Patriot Act. This means that data access can only take place on the basis of European legal assistance agreements.
  • GDPR conformity: Since the data does not leave the EU, the strict requirements of the General Data Protection Regulation are automatically met. This eliminates the risk of GDPR violations, which can result in fines up to 20 million euros or four percent of the global annual turnover.
  • Data sovereignty: European solutions enable companies and authorities to keep complete control over their data. With open source-based solutions, even the source code can be checked and adjustments can be made if necessary.
  • Economic independence: The use of European alternatives reduces the dependence on a few US corporations and strengthens the European economy. Money does not flow out, but remains in the European Economic Area.

Why have previous efforts toward digital sovereignty failed?

Despite years of political commitment to digital sovereignty, Europe is lagging significantly behind in practical implementation. The reasons for this are varied:

  • Lack of political consistency: Although the federal government has declared digital sovereignty a strategic goal, there is no “consistent and strategic focus on open source software”, criticizes the Open Source Business Alliance. Instead, massive contracts with US providers continue to be concluded.
  • Organizational deficits: The French Senate found that “the state was unable to go to the level of the challenges when it came to ensuring national sovereignty”. Three major state actors – the Direction of the Academ of the Academ of the Academy of the Affair Juridiques (DAJ) and the Commissariat Général au Développement Durable (CGDD) – would have failed to enforce a coherent control strategy.
  • Existing dependencies: Microsoft holds a market share of almost 70 percent in operating systems and office software in Germany. These historically grown dependencies make it significantly more difficult to move to European alternatives.
  • A lack of awareness of European solutions: Although high-quality European alternatives exist, they are “less known” and often not as inexpensive or user-friendly as the established US offers.

What are the European alternatives?

Contrary to widespread assumptions, numerous competitive European alternatives to the dominant US services already exist. The website european-alternatives.eu offers a comprehensive overview of European counterparts to Microsoft Office, Google, Gmail, Microsoft Teams, Dropbox and other services.

  • Email and communication: With Proton Mail from Switzerland, Posteo from Germany and Tutanota there are convincing alternatives to Gmail and Outlook. These often offer even better security features such as end-to-end encryption.
  • Cloud storage: European providers such as Proton Drive, pCloud from Switzerland, Internxt from Italy and OVHcloud from France successfully compete with American solutions.
  • Office software: German companies like Nextcloud and Ionos are jointly developing an alternative to Microsoft Office based on open source technology. LibreOffice is already established as an alternative to Microsoft Office.
  • Messaging and collaboration: With Threema from Switzerland, there is a secure alternative to WhatsApp with continuously increasing user numbers.
  • Cloud infrastructure: German providers such as Ionos, OVHcloud from France and other European providers offer infrastructure-as-a-service solutions that can compete with AWS, Azure and Google Cloud.

What can Schleswig-Holstein and other pioneers teach us?

Schleswig-Holstein is the first German state to show how the exit from Microsoft dependence can be implemented in practice. Digitization Minister Dirk Schrödter announced that the state is “well on the way to having taken a big step towards independence in office applications by September 2025”.

Specifically, this means:

  • Replacement of Microsoft Office by LibreOffice
  • Replacement of Outlook with open source solutions such as Thunderbird
  • Replacement of Microsoft Exchange with Open Exchange
  • Building own, publicly controlled IT infrastructure

Schleswig-Holstein is not alone: the Netherlands, Switzerland and France are also working on reducing their dependence on Microsoft. The Netherlands, Germany and France even cooperate officially in the development of free office software.

Switzerland is already testing the German openDesk solution, while Denmark, following Trump's Greenland threats, is increasingly debating its dependence on Microsoft.

What role does open source play for digital sovereignty?

Open source software forms the foundation of real digital sovereignty. The Open Source Business Alliance (OSBA) defines digital sovereignty as “the ability to exercise control over one's own digital systems and infrastructures, design them, adapt them and, if in doubt, also replace them and switch from one provider to another”. This is only possible with open source software.

The four essential freedoms of open source software make it possible:

  • To understand the software (insight into the source code)
  • To use it without restrictions
  • To change it
  • To distribute it in a changed or unchanged form

Open source ensures that the systems in use can be independently verified, shaped and replaced. In times of geopolitical turbulence, this is also “a question of resilience and internal and external security to prevent critical failures in business and administration”.

How can companies and authorities act?

The switch to European, sovereign IT solutions requires strategic planning and political will. Various measures are possible:

  • In the short term: Companies can at least rely on EU servers with existing US cloud providers, even if a residual risk from the CLOUD Act remains. At the same time, Standard Contractual Clauses (SCCs) should be concluded together with transfer impact assessments.
  • In the medium term: The gradual change to European alternatives should be initiated. First, less critical systems can be migrated to gain experience.
  • In the long term: The establishment of a completely European IT infrastructure using Gaia-X principles and open source software should be pursued.
  • Develop exit strategies: Companies should be prepared in the event that the EU-US Data Privacy Framework is suspended or other geopolitical disruptions occur.

What does this mean for the future of Europe?

The recent revelations about Microsoft's inability to protect European data from US access mark a turning point in the debate about digital sovereignty. Europe is facing the choice: either it accepts permanent digital dependence on geopolitically motivated US corporations, or it consistently invests in its own, sovereign alternatives.

The infrastructure for European data sovereignty already exists with Gaia-X and its practical applications such as Catena-X. The digital clearing houses are operational, European cloud providers are ready, and open source alternatives to proprietary software are available and mature.

What is missing is the political will for consistent implementation. As long as authorities and companies continue to rely on US providers out of convenience or for supposed cost advantages, Europe remains digitally incapacitated. The realization that Microsoft cannot provide any guarantees for the protection of European data should be the final wake-up call.

Europe has to act now – not out of anti-American resentment, but out of rational concern for its own digital future. The alternative to Gaia-X and Catena-X is not the status quo, but an increasing digital subordination to foreign laws and interests. The choice is ours.

The way to digital independence

Microsoft France's statement under oath that the group cannot guarantee the protection of European data from US authorities puts an end to sham security. The CLOUD Act and the Patriot Act nullify any technical security measure when US authorities demand data access.

Gaia-X and Catena-X are not only theoretical concepts, but also operational realities that offer real alternatives to US cloud dominance. With the digital clearing houses, over 200 member companies in European associations and growing investments in sovereign infrastructures, the technical basis for digital independence has been laid.

The transition to digital sovereignty is no longer a utopian vision, but a practical necessity. Europe has the choice: digital self-determination through its own solutions or permanent dependence on companies that are ultimately subject to foreign laws and interests. The time for half-hearted compromises is over – Europe has to decide.

 
