Microsoft can't protect French data from US government access

Company admits under oath that American authorities can demand European citizen information despite security promises.

Two digital eagles representing USA and EU clash over data protection amid stormy clouds and binary code streams.

Microsoft France's legal director conceded under sworn testimony that the company cannot guarantee French citizen data stored in EU datacenters remains protected from US agency access. The June 10, 2025 French Senate hearing marked a significant moment in European digital sovereignty discussions as Microsoft executives addressed concerns over extraterritorial data access.

During proceedings before the Senate inquiry commission investigating public procurement's role in promoting digital sovereignty, Anton Carniaux, Microsoft France's director of public and legal affairs, admitted fundamental limitations regarding data protection guarantees. When asked directly whether he could guarantee under oath that French citizen data would never be transmitted to US authorities without explicit French authorization, Carniaux responded: "No, I cannot guarantee it."

The testimony contradicts years of Microsoft's security assurances regarding European data hosting. Despite implementing encryption and technical safeguards, the company acknowledged that US legislation ultimately supersedes protective measures when federal agencies issue valid data requests.


Microsoft operates under the Cloud Act, which grants US authorities broad powers to compel American companies to provide data regardless of storage location. According to Carniaux's testimony, Microsoft maintains a rigorous process for evaluating government requests but ultimately must comply with legally valid demands.

"From a legal standpoint, we engage contractually with our clients, including those in the public sector, to resist requests when they are not well-founded," Carniaux explained. The company has implemented procedures requiring precise justification for any data requests and attempts to redirect authorities to clients when possible.

However, the testimony revealed critical limitations. Microsoft has published transparency reports showing no European company has been affected by such requests in recent years, according to Carniaux. Yet this statistical reassurance does not eliminate the fundamental vulnerability created by US legal jurisdiction over Microsoft operations.

Pierre Lagarde, Microsoft's technical director for the public sector, outlined the company's technical approach to data protection. Since 2022, Microsoft has implemented systems to minimize data transfers and maintain information within European borders. "Since January 2025, under contractual guarantee, the data of our European clients does not leave the EU, whether at rest, in transit, or being processed," Lagarde stated.

Senate investigation reveals sovereignty concerns

The French Senate inquiry emerged following controversies surrounding the Health Data Hub (HDH) platform's use of Microsoft Azure hosting. Created in 2019 to advance French medical research, the platform houses sensitive health data that senators argue should remain under sovereign control.

Commission President Simon Uzenat emphasized the contradiction between sovereignty objectives and foreign hosting arrangements: "We are confronted with a particular case that illustrates the ambiguities, delays, and contradictions of public action regarding digital sovereignty."

The testimony addressed Microsoft's involvement in the Bleu cloud project, a joint venture with Orange and Capgemini designed to provide sovereign cloud services. Microsoft serves as the technology provider but holds no equity stake in the venture. This arrangement aims to insulate the service from extraterritorial effects, though concerns remain about technological dependencies.

The inquiry revealed procurement decisions favoring Microsoft despite available European alternatives. Multiple French cloud providers, including OVH and Scaleway, claim they possessed sufficient capabilities to host government data but received only cursory consultation during decision-making processes.

Technical limitations challenge sovereignty claims

The Senate hearing exposed tensions between sovereignty rhetoric and practical implementation. While French officials promote digital independence, procurement decisions consistently favor non-European solutions for critical infrastructure projects.

Education ministry contracts worth 74-152 million euros with Microsoft for productivity software highlighted ongoing dependencies. These agreements cover millions of workstations across educational institutions, creating substantial exposure to foreign technological control.

Microsoft's testimony acknowledged that any disruption of US technological links would impact Bleu operations, despite sovereignty claims. Technical infrastructure dependencies mean European "sovereign" solutions often rely on American foundational technologies.

The company's admission about potential US data access contradicts years of marketing messages emphasizing European data protection. Cloud customers across Europe have made procurement decisions based on assurances that now appear qualified by legal realities.

Industry implications extend beyond Microsoft

The Senate testimony's implications reach beyond Microsoft to encompass broader digital sovereignty questions affecting European markets. Similar vulnerabilities likely exist across other US technology providers serving European governments and enterprises.

Amazon Web Services, Google Cloud, and other hyperscale providers operate under identical legal frameworks, potentially exposing European data to extraterritorial access. The testimony suggests widespread vulnerability in European digital infrastructure built on American technological foundations.

French startup Alan, which won public health insurance contracts, hosts data on AWS infrastructure subject to the same extraterritorial concerns. These arrangements demonstrate how sovereignty vulnerabilities permeate even newer European companies through infrastructure dependencies.

European alternatives exist but often lack the scale and features of established American providers. OVH, Scaleway, and other European cloud providers offer sovereignty-compliant alternatives but require significant investment to match hyperscaler capabilities.

Regulatory response shapes future directions

The Senate inquiry reflects growing European awareness of digital sovereignty vulnerabilities. France's SREN law mandates migration of sensitive data to SecNumCloud-certified providers, though implementation has proceeded slowly.

European Union regulations increasingly address data sovereignty concerns, building on existing GDPR foundations. The Cloud Act's extraterritorial reach creates ongoing tensions with European privacy principles despite technical compliance measures.

French authorities have begun requiring sovereign hosting for specific government applications, though enforcement remains inconsistent across ministries. The June testimony points to the need for stronger implementation of existing rules rather than new regulatory frameworks.

Competition authorities across Europe examine how dominant platforms' privacy implementations affect market competition. France's Competition Authority previously fined Apple 150 million euros for anticompetitive privacy practices, demonstrating regulatory willingness to challenge big tech claims.

Market response anticipates procurement changes

Cloud providers anticipate increased demand for European sovereignty solutions following the Senate testimony. SecNumCloud certification has become essential for serving French government clients, driving investment in compliant infrastructure.

Microsoft's Bleu partnership represents one approach to sovereignty concerns, though technical dependencies limit independence. Pure European alternatives like OVH and Outscale may benefit from procurement preference shifts toward genuine sovereignty.

The testimony may accelerate European cloud investment programs designed to reduce American technological dependencies. France 2030 includes significant cloud infrastructure funding aimed at developing competitive European alternatives.

Timeline

  • 2019: Health Data Hub created with Microsoft Azure hosting despite sovereignty concerns
  • March 2019: Government officials arbitrate in favor of Microsoft over European alternatives
  • 2022: Microsoft implements enhanced European data residency measures
  • 2024: SREN law mandates sovereign hosting for sensitive government data
  • June 10, 2025: Microsoft executives testify under oath to French Senate
  • Present: Government officials acknowledge implementation delays for sovereignty requirements

Terms Explained

Digital Sovereignty: This concept refers to a nation's ability to control its digital infrastructure, data, and technology systems without external interference or dependency. Digital sovereignty encompasses data residency requirements, technological independence from foreign providers, and the capacity to regulate digital services according to national interests. In the context of this article, France seeks digital sovereignty by requiring government data to remain under national or European control, free from foreign surveillance or access. This objective conflicts with practical realities where American technology companies dominate cloud infrastructure markets, creating dependencies that compromise sovereign control over sensitive information and critical digital systems.

Extraterritorial Legislation: These are laws that extend a country's legal jurisdiction beyond its physical borders, allowing governments to regulate the activities of their citizens and companies worldwide. The US Cloud Act represents prime extraterritorial legislation, empowering American authorities to compel US companies to provide data stored anywhere globally, regardless of local privacy laws or data protection regulations. This creates complex legal conflicts when American companies operating in Europe must choose between complying with US data requests or respecting European privacy rights, ultimately undermining host country sovereignty over data protection and creating vulnerabilities in supposedly secure European digital infrastructure.

SecNumCloud Certification: This French security qualification, issued by ANSSI (National Agency for Information Systems Security), establishes stringent requirements for cloud service providers handling sensitive government data. SecNumCloud certification requires providers to demonstrate immunity from extraterritorial legislation, implement advanced security controls, maintain data processing exclusively within authorized territories, and submit to rigorous technical audits. The certification represents France's attempt to create sovereign cloud alternatives by establishing standards that effectively exclude most American providers while enabling qualified European alternatives to serve government clients with enhanced security guarantees.

Hyperscaler Infrastructure: Hyperscalers are massive cloud computing providers like Microsoft Azure, Amazon Web Services, and Google Cloud Platform that operate globally distributed infrastructure serving millions of customers simultaneously. These platforms achieve unprecedented scale through enormous data center networks, sophisticated automation systems, and vast technical resources that smaller providers cannot match. Hyperscaler dominance creates market concentration where European organizations depend on American technological infrastructure for critical operations, making it extremely difficult for sovereign alternatives to compete on features, reliability, and global reach while maintaining independence from foreign technological control.

Data Residency Requirements: These regulations mandate that specific types of information must be stored and processed within designated geographic boundaries, typically national borders or approved regional jurisdictions. Data residency extends beyond simple storage location to encompass data processing, backup systems, administrative access, and technical support operations. European data residency requirements aim to prevent sensitive information from reaching jurisdictions with weaker privacy protections or hostile surveillance capabilities, though technical implementation proves complex when cloud providers operate globally integrated systems where data processing occurs across multiple international locations regardless of primary storage location.

Cloud Act Compliance: The Clarifying Lawful Overseas Use of Data Act enables US law enforcement and intelligence agencies to compel American technology companies to provide customer data stored anywhere worldwide, including Europe. Cloud Act compliance creates unavoidable conflicts between US legal obligations and European privacy rights, forcing American companies to choose between criminal liability in their home jurisdiction or violating European data protection laws. This legal framework undermines European digital sovereignty by creating backdoor access mechanisms that bypass local privacy protections, making genuine data security impossible when using American cloud providers regardless of contractual assurances or technical safeguards.

Transparency Reports: These periodic publications detail government requests for user data, legal process compliance statistics, and data access patterns that technology companies receive from law enforcement and intelligence agencies. Transparency reports aim to provide accountability regarding how often and under what circumstances companies surrender customer information to authorities. However, these reports often exclude classified requests, national security letters, and other confidential legal processes, creating incomplete pictures of actual government access to private data. Microsoft's transparency reports showing no European company data requests may reflect reporting limitations rather than genuine protection from surveillance access.

Technology Stack Dependencies: This refers to the layers of software, hardware, and infrastructure components that modern digital systems require to function effectively. Technology stack dependencies create vulnerability chains where European "sovereign" solutions often rely on American foundational technologies, processors, operating systems, or development frameworks. Even seemingly independent European cloud providers may depend on American technologies for critical functions like virtualization, security software, or network management tools. These dependencies mean that technological sovereignty requires controlling entire technology stacks rather than simply changing hosting providers, making genuine independence extremely expensive and technically challenging to achieve.

Procurement Arbitrage: This describes the process where government purchasing decisions systematically favor established international providers over domestic alternatives, often based on perceived technical superiority, cost advantages, or risk aversion among procurement officials. Procurement arbitrage undermines industrial policy objectives by directing government spending toward foreign suppliers rather than supporting domestic technological development through public purchasing power. The phenomenon occurs when procurement rules prioritize immediate technical capabilities over long-term strategic considerations, creating self-reinforcing cycles where domestic providers cannot achieve the scale necessary to compete effectively against established international competitors.

Cross-Border Data Transfers: These involve moving personal or sensitive information between different national jurisdictions, each with distinct privacy laws, security requirements, and government access provisions. Cross-border data transfers create complex legal challenges because information crossing jurisdictional boundaries becomes subject to multiple, sometimes conflicting, regulatory frameworks simultaneously. European organizations transferring data to American cloud providers must navigate GDPR requirements while acknowledging that US authorities may access the same information under Cloud Act provisions. This regulatory complexity makes it virtually impossible to guarantee consistent privacy protection when data crosses international boundaries, particularly involving jurisdictions with expansive surveillance authorities.

Summary

Who: Microsoft France's legal director Anton Carniaux and technical director Pierre Lagarde testified before the French Senate commission investigating public procurement and digital sovereignty.

What: Under sworn testimony, Microsoft executives admitted they cannot guarantee that French citizen data stored in EU datacenters will remain protected from US agency access, acknowledging that valid US government requests must ultimately be honored despite technical safeguards.

When: The testimony occurred on June 10, 2025, during ongoing French Senate hearings examining how public procurement decisions affect national digital sovereignty objectives.

Where: The hearing took place at the French Senate in Paris as part of a broader investigation into government technology procurement decisions, particularly regarding the Health Data Hub platform hosting arrangement.

Why: The inquiry emerged from concerns that French government agencies consistently choose non-European technology providers for critical infrastructure, creating vulnerabilities to foreign surveillance and undermining stated digital sovereignty objectives despite available European alternatives.