Microsoft cannot protect European user data from access by United States authorities even when stored in European Union data centers, a senior company executive admitted under oath during testimony before the French Senate.
Anton Carniaux, Microsoft France’s director of public and legal affairs, made the acknowledgment on June 10 during a Senate inquiry examining how public procurement decisions affect national digital sovereignty. When asked directly whether he could guarantee that French citizen data would never be transmitted to American authorities without explicit authorization from the French government, Carniaux responded, “No, I cannot guarantee that, but, again, it has never happened before.”
The admission exposes a fundamental tension between American legal authority and European data protection aspirations, raising questions about the viability of so-called sovereign cloud solutions marketed by United States technology companies.
The testimony centered on Microsoft’s obligations under the Clarifying Lawful Overseas Use of Data Act, known as the Cloud Act, which Congress passed in 2018. The law empowers American authorities to compel technology companies under United States jurisdiction to provide user data regardless of where that information is physically stored. This extraterritorial reach applies to all American companies and their subsidiaries worldwide.
Carniaux explained during the hearing that Microsoft challenges data requests it considers unfounded and attempts to redirect authorities to affected clients when possible. “If we must communicate, we ask to be able to notify the client concerned,” he said. He emphasized that the company employs what he described as “a very rigorous system” for evaluating government demands.
The Microsoft legal director pointed to the company’s twice-yearly transparency reports, which he said show no European company or public sector body has been affected by such requests. However, he acknowledged that if confronted with a legally justified American government order, Microsoft must ultimately comply and provide the requested information.
Pierre Lagarde, Microsoft’s technical director for the public sector, attempted to reassure the committee by outlining technical safeguards the company has implemented. “Since January 2025, under contractual guarantee, the data of our European clients does not leave the EU, whether at rest, in transit, or being processed,” Lagarde stated during the hearing.
Yet these technical protections cannot override the legal reality created by American jurisdiction. Even with data centers located in Germany, France, or other European nations, Microsoft cannot invoke local data protection laws if United States authorities demand access under the Cloud Act.
Simon Uzenat, the Socialist Party senator who chairs the inquiry committee, challenged Carniaux’s assurances, calling the transparency reports “purely declarative” with no external oversight. The hearing revealed broader concerns about France’s continued reliance on American cloud providers despite the availability of European alternatives.
The Senate inquiry emerged following controversies surrounding France’s Health Data Hub platform, which uses Microsoft Azure to host sensitive health information about French citizens. The platform’s reliance on American infrastructure has sparked sustained criticism from privacy advocates and lawmakers concerned about data sovereignty.
Mark Boost, chief executive of cloud provider Civo, characterized Carniaux’s testimony as a watershed moment. “One line of testimony just confirmed that the US hyperscaler providers cannot guarantee data sovereignty in Europe,” Boost told The Register following the hearing. He emphasized that server location matters little when legal jurisdiction lies elsewhere, noting that “UK or EU servers make no difference when jurisdiction lies elsewhere and local subsidiaries or ‘trusted’ partnerships don’t change that reality.”
The Cloud Act was designed to resolve legal challenges American authorities faced when seeking data stored overseas. Microsoft itself had previously challenged a 2016 government warrant for emails stored on the company’s servers in Ireland, arguing that American warrants did not apply to data held abroad. The Cloud Act closed that legal gap, and major technology companies including Microsoft, Amazon Web Services, and Google supported the legislation when it became law.
The admission comes as American technology giants have invested billions in marketing sovereign cloud solutions to European customers. Microsoft has been particularly aggressive in this effort, completing its EU Data Boundary initiative in February 2025 to ensure customer data for core services remains stored and processed entirely within the European Union and European Free Trade Association regions.
In April, Microsoft President Brad Smith announced five European Digital Commitments, stating, “we recognize that our business is critically dependent on sustaining the trust of customers, countries, and governments across Europe.”
Amazon Web Services has pursued a similar strategy, announcing its own multi-billion euro AWS European Sovereign Cloud just weeks before Carniaux’s testimony. That initiative promises to keep all data and operations within the European Union, managed by a new German-based corporate structure led entirely by European Union citizens.
However, these infrastructure investments and corporate restructuring cannot alter the underlying legal framework. In a blog post published shortly after the Microsoft testimony, Amazon Web Services acknowledged that the Cloud Act applies to any provider with American operations, including European companies with a presence in the United States.
The same legal constraints apply to other American cloud providers. Amazon Web Services, Google Cloud, and other major hyperscalers operate under identical legal obligations, regardless of where they physically store customer data.
A June 2025 European Parliament report on technological sovereignty found that American companies control approximately 69 percent of the cloud infrastructure market share in Europe, while European Union suppliers hold only 13 percent. The report also noted that 92 percent of Western data is stored in the United States on infrastructure owned and operated by American firms.
Peter Ganten, chairman of the Open Source Business Alliance, described Microsoft’s situation as unprecedented in scope. He argued that the constraints revealed in the testimony should serve as a warning for those responsible for government and private information technology infrastructure.
The French government continues to award substantial contracts to American technology companies despite these sovereignty concerns. In March 2025, the Ministry of Education signed a 74 million euro agreement with an American company for departmental and university equipment. The elite engineering school École Polytechnique also decided earlier this year to migrate its information technology system to Microsoft.
These procurement decisions have drawn sharp criticism from French lawmakers. A 2025 economic analysis estimated that Europe sends 265 billion euros annually to American companies, supporting nearly two million jobs in the United States while leaving Europe economically dependent and strategically vulnerable.
French officials have acknowledged implementation delays for sovereignty requirements established under recent legislation. Despite growing recognition of the problem among member states, progress toward genuine digital autonomy remains limited.
