Not sovereign: Microsoft cannot guarantee the security of EU data
In a hearing, the Chief Legal Officer of Microsoft France had to admit: There is no guarantee that EU data is safe from being transferred to the USA.
(Image: iX)
Microsoft gives no guarantee that EU data will never be passed on to the US government: Anton Carniaux, General Counsel of Microsoft France, testified at a hearing before the French Senate of Parliament. Specifically, it was about data that Microsoft receives from the Union des Groupements d'Achats Publics (UGAP), the central public sector procurement body for schools, town halls, and municipal administrations. When asked whether the company would never transfer their information to the US government without the express consent of the French authorities, Carniaux replied that he could not guarantee this under oath.
Request for information must be formally correct
However, he added that the situation had never occurred. Carniaux explained that Microsoft can only refuse requests for information from the USA if they are formally unfounded. Accordingly, Microsoft would check the validity of all requests very carefully – the US government cannot make requests that are not precisely defined. However, in the case of correct requests, Microsoft must in any case fulfill its obligation and pass on the requested data. The company also wants to inform the affected customers about this but must first ask the US authorities for permission to do so.
Whether cloud, AI or M365: hardly any company today can do without software and services from the USA. In view of the political upheavals since the start of Donald Trump's presidency, more and more IT managers are asking themselves: How can I reduce dependencies and make my own IT more sovereign, more resilient and therefore more future-proof? The answers can be found at the IT Summit by heise 2025 on November 11 and 12 in Munich.
Obviously, the significance of Carniaux's statements at the hearing goes beyond the scope of the UGAP and France: there is uncertainty throughout the EU about the use of US cloud services – In addition to Microsoft, the business of large hyperscalers such as Amazon AWS is particularly affected. Critics are focusing on the CLOUD Act and the Patriot Act, which allow the US government to request information from cloud providers, among other things. However, it is not just data transfers that are feared, but measures up to and including the shutdown of cloud services in the EU.
Videos by heise
Trust advertising and open-source competition
Hyperscalers such as Amazon are therefore setting up new subsidiaries in Europe that promise independence from the US parent company. AWS promises that it is technically impossible to pass on data. Microsoft, on the other hand, wants to install the cloud infrastructure directly on the customer's premises so that services such as M365 remain completely under their control. The systems will continue to be maintained by Microsoft, but by local employees. However, it is questionable how successful these promises of sovereignty will be: providers such as Nextcloud have seen a significant increase in demand since the start of the year.
A transcript of Carniaux's public hearing can be found here. It took place on June 10.
Digitalization and the use of cloud technologies present companies with key questions of sovereignty. How do they retain control over data and systems, keep dependencies under control and also meet regulatory requirements?
This workshop offers a compact introduction to the topic of cloud sovereignty, presents different cloud models and provides an overview of current market trends and offerings. The opportunities and risks of multi-cloud strategies will be examined in a practical way and participants will develop a future-proof IT strategy.
Registration and dates at heise.de/s/nlrBA
(fo)
