Microsoft can't guarantee anything...
Like:
- Data sovereignty
- Operating system stability
- Updates not breaking your computer
- Their 'Apps' being 'fit for purpose'
Etc...
European cloud provider OVHcloud has long warned about the risks of relying on foreign tech giants for critical infrastructure – especially when it comes to data sovereignty. Those warnings seemed to gain fresh credibility in June, when Microsoft admitted it could not guarantee that customer data would remain protected from US …
What? You don't trust Trump wouldn't overstep an agreement or The Law?
Oh wait...
Anyone who thinks the host country won't try to access data on datacenters physically within their borders if they feel the need, is delusional. Any organization that allows sensitive data on a cloud server that's not already locally encrypted before it's sent to the datacenter, even when dealing with a data center hosting a real-time database, is just an idiot. All the cloud provider (or anyone accessing their servers) should see is an encrypted Binary Large OBject (BLOB).
You are the only one you can trust.
The UK is worse than the US and cannot be trusted. In the case of the EU references, you are just plain wrong.
If EU police want access to any EU citizen info, they must have a court order. If not, they can go to jail and be out of pocket for massive fines. Whether you wear a uniform or carry a badge, the law applies. The US wholesale collects everyone's data including their own citizens. Everything that passes through their sight is captured and indexed.
Encrypt everything you have at rest or in motion with the strongest algorithm the Americans ban on their Department of Commerce site. Avoid AES.
I will take GDPR over American 'assurances' any day of the week.
> The UK is worse than the US and cannot be trusted. In the case of the EU references, you are just plain wrong.
Chortle.
The UK is not great, but you can bet your life that if DOGE or Trump want something, legal oversight will be the last thing to occur.
> The US wholesale collects everyone's data including their own citizens. Everything that passes through their sight is captured and indexed.
Exactly. And the UK is worse, how?
There is a difference between my own government spying on me, and a foreign government spying on me. Both are bad. Both are very bad. Both are things I want to defend against. But they are not the same thing.
I'm afraid that explaining exactly how and why they are not the same thing is beyond the scope of a message board post, but I hope to at least prompt some thought. One somewhat simplistic example would be law enforcement; legitimate cases exist for the police to be able to snoop on someone's systems, but there are no legitimate cases for some other nation's police to snoop on someone's systems. It's much more complicated than that, of course.
There are dual nationals who are citizens of multiple countries and therefore have multiple "my own governments". There are also immigrants who are citizens of one country and residents in another country. The whole concept of my government can do this to me, but some other government cannot seems pretty poor to me.
If someone comes to the UK fleeing persecution in their home country, and is granted asylum, you seem to think that the country that persecuted them should be able to access all their data. If someone goes on holiday to a sex tourism destination and makes videos of their unpleasantness with kids, you seem to think the foreign country they went on holiday to should never be able to access those videos.
The fact is there are loads of legitimate reasons why governments should be able to access private individuals' (or companies') data; this covers spying, law enforcement, regulators, public enquiries and also things like legal discovery (the government grants party A full access to party B's data in order to fairly litigate a case). In many respects there should also be access to government data by the public (e.g. whistleblowing).
Overall I think protecting data (via encryption) is the easy part. The hard part is removing the technical and operational dependencies. Imagine the chaos that would ensue if the USA stopped allowing Microsoft to sell its products/services in Europe, or worse ordered them to disable all the non-US operated products. Amazon and Oracle could have similar impact, maybe also Google. But combined they could plausibly stop an economy from functioning, as there mostly is no domestic alternative.
I think you are reading too much into "my own government". He did say it was too much detail to cover in a forum post, so I'll give him the benefit of the doubt and assume that by "my own government" he was generalizing and meant the wider definition "the government of the country in which I reside". Hell, even being a dual national should not give the "other" country an automatic right to data you generate in your country of residence other than by legal treaties, court orders etc.
Yeah, that's why I put a lot of caveats in my post. There are dual citizenships, and there are asylum seekers, and there's diplomatic personnel, and there are a whole lot of corner and not-so-corner cases. Going to the bottom of this argument would require a treatise, not a message board post.
The only point I really wanted to make was an answer to the OP, who was explicitly wondering what's the difference between the NSA and European spy agencies. The short answer is that jurisdiction matters. That's all.
Forgive me, but I'm a little bit triggered by arguments that are based on nothing more than "they are all the same thing anyway". I find them to be horribly slippery slopes, leading to all kinds of dark places. Complexity must at least be acknowledged.
Imagine the chaos that would ensue if the USA stopped allowing Microsoft to sell its products/services in Europe, or worse ordered them to disable all the non-US operated products. Amazon and Oracle could have similar impact, maybe also Google.
Like forcing people to buy new computers/phones because ...profit?
Hmmm, let's see. Windows and Office? Amazon bazaar? Java? Gmail and Android? Plenty of alternatives.
Oh, you mean their cloud? Well, tough luck for those lazy/stupid/complacent. Nobody got fired for buying IBM, right?
The other side of the coin is that foreign snooping could be less damaging than home government spying.
The average Joe is more likely to have used the wrong colour bag for recycling, or attended a local anti-government protest than hold state secrets useful to a foreign entity.
And one particular government is run by a demented old bigot who's getting less coherent by the day. The one that's striding towards fascism. The one your whataboutery is trying to normalise.
Well done!
No really, well done!!
Your rebuke is unwarranted.
He/she mentioned Trump, because the subject was Microsoft, an American company.
They then said "Anyone who thinks the host country won't try to access data on datacenters physically within their borders if they feel the need, is delusional"
While you're not wrong, Trump is decades late to this party. Amazing how many people fail to remember why HTTPS took off. Part of the push came from Google after finding their comms tapped. Not seeing much point in re-hashing the discussion about the timetables on this with forced public disclosures, admissions from the US government, and how some of it was made (more or less) legal after the fact. Just boggles me how thin some of the pretexts are that get accepted.
>Anyone who thinks the host country won't try to access data on datacenters physically within their borders if they feel the need, is delusional.
It's even worse than that. Any data that is hosted on a machine which is managed by someone within their borders is fair game. That's why Microsoft locating the data center in Europe is utterly meaningless. Someone in Redmond can access that data, and someone in Washington can "access" that someone in Redmond.
>All the cloud provider (or anyone accessing their servers) should see is an encrypted Binary Large OBject (BLOB).
That is only feasible if the cloud provider is only providing mere storage. Unfortunately, these days, a lot of computing is done on the cloud, and that strictly requires the cleartext.
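The "encrypted BLOB" model from the earlier comment, and the limit this reply points out, as an added example (not code from any commenter, Microsoft or OVHcloud): the tenant generates a data-encryption key per object, encrypts the record with AES-256-GCM, wraps that key under a key-encryption key (KEK) that never leaves the tenant, and uploads only the wrapped key plus ciphertext. The object ID is bound in as associated data so a blob cannot be silently swapped for another, and any tampering by the provider fails authentication. The KEK here is random per run; a real deployment would hold it in tenant-controlled key material (an assumption, not something the thread specifies). The provider can store, return, delete or withhold the blob, but it cannot read it, and, as the reply says, it also cannot compute over it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is everything the cloud provider ever receives: a data-encryption key
// (DEK) wrapped under a key-encryption key (KEK) held only by the tenant, plus
// the AES-256-GCM ciphertext of the record. Nothing in it is usable without the KEK.
type Blob struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=objectID)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext, aad=objectID)
}

// seal returns nonce||ciphertext||tag under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal and fails on any modification of nonce, ciphertext or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the tenant's own machines before upload. The objectID is
// bound as associated data so the provider cannot serve blob A under name B.
func Encrypt(kek []byte, objectID string, plaintext []byte) (Blob, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Blob{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Blob{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return Blob{}, err
	}
	return Blob{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt runs on the tenant's side after download; it needs the KEK.
func Decrypt(kek []byte, objectID string, b Blob) ([]byte, error) {
	dek, err := open(kek, b.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, b.Ciphertext, []byte(objectID))
}

// LeaksPlaintext models what someone with access to the provider's disks can
// learn by looking at the stored bytes: whether the record appears in the blob.
func LeaksPlaintext(b Blob, plaintext []byte) bool {
	return bytes.Contains(b.Ciphertext, plaintext) || bytes.Contains(b.WrappedDEK, plaintext)
}

func main() {
	kek := make([]byte, 32) // assumption: tenant-controlled key, never uploaded
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("patient 4711: HbA1c 6.9%") // constructed sample record
	blob, err := Encrypt(kek, "records/4711", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d opaque bytes; plaintext visible: %v\n",
		len(blob.WrappedDEK)+len(blob.Ciphertext), LeaksPlaintext(blob, record))

	// Provider-side tampering with one byte is detected by the tenant.
	blob.Ciphertext[len(blob.Ciphertext)-1] ^= 0x01
	if _, err := Decrypt(kek, "records/4711", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The per-object DEK means a compromised or subpoenaed blob exposes nothing about other objects, and rotating the KEK only requires re-wrapping the small DEKs rather than re-encrypting the data. What this does not buy you is availability: the provider can still delete or refuse to return the blob, which is why the backup point raised later in the thread still applies.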
If Capgemini and SAP are reselling access to the MS365 cloud, then there is no data sovereignty.
If SAP and Capgemini bought MS365 licenses and their own servers, and put those servers on European territory, and installed the MS365 software on them and administer it themselves, that scheme has as much sovereignty as an OpenStack cloud deployed in Europe by a European company.
Lucky for everyone involved, Microsoft allows BOTH business models for any interested party.
Also, for on premises, if you get an extension of MS cloud in your DC (à la Amazon Outposts) or if you get the software on your own servers but MS administers them, not much sovereignty there. But if you install on your own servers in your own DC and administer that yourself, then full sovereignty.
Again, MS allows the three licensing models.
It all seems to me that using the "cloud" is tantamount to agreeing that the "provider" may commit industrial (or other) espionage on data. This is with the data owner's complicit agreement, of course, in accordance with EULAs.
I don't consider US tech entities any different to Chinese, Iranian, North Korean or Russian, and certainly not with the current US Dictator in office. Hell, I don't even trust our own (UK) government, whatever the colour.
It all seems to me that using the "cloud" is tantamount to agreeing that the "provider" may commit Industrial (or other) espionage on data.
If that's your situation you should have consulted your lawyer before you signed the contract. The possibility that the provider may do that does not signify agreement. Agreeing would give you no legal comeback if they do. It's a significant difference.
Quote: "...The sovereignty problem, however, is difficult to solve...."
There NEVER was a "sovereignty problem"... the "problem" was invented by "cloud" providers...
...so... if YOUR data is held on drives managed and controlled by YOU... no problem...
...but if YOUR data is managed and controlled by SOMEONE ELSE (say M$, Amazon, ORACLE, Google...), then you have ALWAYS been CLEAN OUT OF LUCK.
...no matter what lies you were told!
"Cloud" == "No Control"
"Anton Carniaux, director of public and legal affairs at Microsoft France" would have no knowledge that the US government had issued an NSL to get one-off or continuous access to the foreign data. So his statement that the scenario had "never happened before" is BS, because he would not have been in the loop, and he surely knows that.
"No, I can't guarantee it," but added that the scenario had "never happened before."
The problem with this statement is that he's not legally permitted, under a National Security Letter (NSL), to tell you that Microsoft has complied with an NSL requesting data on French citizens in the EU.
Strictly speaking there's little to say he would have to comply with an NSL, except keeping his job and maybe not going anywhere under US control anytime soon - either voluntarily or involuntarily.
But do we know for sure that there is no French equivalent of NSL? After all, nobody would be able to speak about it....
In France you need a court order so there is judicial oversight. French laws are also subsidiary to European ones, which means that fundamental rights – already pretty strongly protected by the French constitution – can't simply be rescinded by law.
But, in all discussions, there are two key differences: jurisdiction, the French government has no jurisdiction over computers owned by French companies in different countries; and legal process, the need for a court order to prevent general snooping. America does not recognise the legal sovereignty of other countries over its subjects, and it routinely passes laws to avoid judicial oversight.
Some UK government services are outsourced to French companies that the French govt. has interests in. I'm sure that isn't an issue with the recent problems that the UK govt. has had, handing tonnes of cash to the French to police those 'small boats migrants'. I'm sure the French state never even considered doing anything unethical with any access they might theoretically have.
If your data is encrypted, all the US can do is what a ransomware group can do and lock it from you. If you have back-ups, this is merely an annoyance.
Europe is never going to win this one, as the EU is not a sovereign nation. If you are in Spain, there isn't any real difference in having your data in the US or France. If the French courts have a go, the EU will not ride to your rescue on a unicorn.
Some companies may be best placed storing their data, anywhere beyond the legal jurisdiction of their own government, as it is your own government that will come gunning for you and spying on you more than any other.
But ideally, you should keep your data encrypted, on your own servers, with no possible connection between your intranet and the public internet. The light and fluffy stuff can go on a second network that does connect to the public internet.
If we were honest, it really doesn't matter where your data is, if you are running a US operating system and have a connection to the internet. The Americans will be able to access your data if they really want to, before E2EE kicks in and before you encrypt stored data.
The biggest threat to your data will always be a connection between it and the public internet. This is magnified by the amount of data you hold - the bigger the honey pot, the more bears you attract. Hold the least you can and archive as much as you can on offline storage or on paper in a locked room. The Big Data Mining = Higher Revenue stuff is a scam and always was.
All that MS needs to do to make any pesky EU (or other sovereign nation) regulation, law or whatever go away is complain to Daddy Trump. The Orange Jesus has threatened any nation that hinders US companies from raping, pillaging and stealing info from their customers.
He'll threaten to invade and make them the 51st state OR impose 1000% tariffs on the nation... Remember that the US consumers are the ones that pay the tariffs.
@Steve_Davis_3
Quote: "Remember that the US consumers are the ones that pay the tariffs."
Not quite... remember that the EU, the UK, India and others are thinking about RETALIATORY tariffs!
Revised quote: "Remember that consumers are the ones that pay the LOCAL tariffs - whether in the US or in another country."
There... fixed!!!!
@Woodnag
Quote: "...the whole point of the GDPR...."
...is for politicians to be able to say "We are doing something"...
Except for all those occasions when NOTHING was done. For example:
- 1.6 million medical records handed over to Google/DeepMind - zero consent and zero action
(see: https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act)
- https://www.theguardian.com/uk-news/2018/sep/13/gchq-data-collection-violated-human-rights-strasbourg-court-rules
- https://www.theregister.com/2021/10/11/data_guardian_police_bill/
- https://www.ft.com/content/6954971e-5d3a-11e9-939a-341f5ada9d40
...and so on. What was that about GDPR?
The UK has never taken data protection seriously though, compare with other countries.
"Now GDPR no longer applies to UK"
Untrue. GDPR still exists and is applicable in the UK. It may be the UK version of GDPR but that's part of what forms the Data protection laws of the UK.
And yes, I'm saying this as someone who has to deal with GDPR on a regular basis, and has to attend regular GDPR training both for my volunteering and my work.
Now, you might argue that the differences between UK and EU versions of GDPR mean they're not the same thing - but the core principles do remain aligned so... would argue they're variations rather than different things entirely.
It's no longer the EU GDPR, it's UK law. While it may still resemble the GDPR, the UK can change it unilaterally whenever it likes, whereas a single EU country can't change it the same way.
Nor can a UK citizen or entity now ask EU courts to enforce it. For example, any ruling noyb obtains in the EU does not apply to the UK.
And you already see pressure in the UK to change it and allow far more freedom for businesses to collect and process citizens' data.
Now, it may happen or not, since decreased protection in the UK will hinder the transfer of EU data, but money pressure can achieve it, especially with the current climate in the US, and especially if Farage wins...
A company might have very good reasons for data never leaving a particular geographic zone - privacy, secrecy, & other legal guarantees. If a cloud provider cannot guarantee that data is siloed and NEVER leaving that silo then that needs to be a very serious cause for concern. It potentially means any guarantees a company makes about GDPR compliance, or anything else, aren't worth the bytes they're encoded with.
So it's a major cause for concern. And the easiest way to ensure data is siloed is indigenous cloud providers who operate and run from Europe and not outside interests.
UK Civil Service is using Onedrive and Office 365 (sharepoint etc, cloud based) and that sensitive GDPR-protected taxpayer data could be hoovered up by Microsoft to train Copilot etc......
Yes, yes, and yes - but they (MS) promise not to do so, honest !
Not just personal information, sensitive defence data as well - the MoD has gone "all in" with the MS way of life. Oh how I'd have loved to be a fly on the wall when the security case for that was being discussed.
"Viegas Dos Reis acknowledges that a migration from the hyperscalers would be "a very long and complex project." After all, it can be costly to leave a hyperscaler, and the services of one provider are not necessarily matched by another."
It's 2025 and companies still allow themselves to be vendor locked-in.
You don't need the cloud.
Use the money to pay your own people to maintain some servers and data centers.
It's not hard and there's a line out the door of people who want to do it and are actually loyal to your country.
It may not be the best and shiniest new crap out there but it will be yours.
The struggle and "wasted" resources build expertise in your population and breaks dependency on US technology companies for things as simple as *****ing email.
You don't need the cloud. You're just lazy.
Thank you.