Microsoft's data sovereignty: Now with extra sovereignty!

Microsoft is again banging the data sovereignty drum in Europe, months after admitting in a French court it couldn't guarantee that data will not be transmitted to the US government when it is legally required to do so. Under the CLOUD Act, US authorities can compel access to information held by American cloud providers …

  1. b0llchit Silver badge
    Mushroom

    Risky business - any way you turn it

    Even when you run that MS stuff locally, how do you guarantee that your data will not be exfiltrated by them(*)?

    See for example the whole Windows 7, 8, 10, 11 adventures that constantly send data to MS' servers, with increasing volume every update you get. Just wait for it and your data will be gone before you can say shutdown in one strategic update.

    (*) for quality assurance only, really, we promise.

    1. The Man Who Fell To Earth Silver badge
      Black Helicopters

      Re: Risky business - any way you turn it

      Anyone who stores data in any cloud anywhere without encryption independent of the cloud provider is a fool. Cryptomator or equivalent where the data is locally encrypted before storage in the cloud is the only way, or just say no to cloud storage.

  2. naive

    21st century colonialism

    It is not about Trump. Data sovereignty is about governments protecting their citizens against losing their privacy to third parties, to whom consent was never given for data sharing. EU should not build data-centers, but prohibit export of data to providers operating under different jurisdictions outside of EU, and on top introduce laws enabling citizens to receive significant compensation from organizations ignoring this mandate. But this will never happen; any hospital in the EU can happily dump medical records in Azure, and the US puppet regimes in the Netherlands, UK and Germany won't move a finger to end this abuse.

    1. Doctor Syntax Silver badge

      Re: 21st century colonialism

      "But this will never happen"

      Never is a long time.

      Meanwhile, as TFA points out, the message is starting to get through.

      1. heyrick Silver badge

        Re: 21st century colonialism

        It's starting to hit their bottom line, so of course they're worried. But since Microsoft has a presence in the US and therefore they can be compelled to hand over info...is this any more than window dressing?

        1. ecofeco Silver badge
          Thumb Up

          Re: 21st century colonialism

          Window dressing?

          I see what you did there. Well played.

    2. Like a badger Silver badge

      Re: 21st century colonialism

      "Data sovereignty is about governments protecting their citizens against losing their privacy to third parties,"

      From the point of view of home governments, yes. But I'm more troubled by the endless snooping powers my own government awards itself regarding my data than I am by the prospect that foreign governments might get their hands on my data.

    3. alain williams Silver badge

      Re: 21st century colonialism

      prohibit export of data to providers operating under different jurisdictions outside of EU

      The best way of achieving that is by:

      • ensuring that the data-center owner is not beholden to non-EU laws, ie is an EU company

      • does not run software that it does not know what it does - ie not use closed source code. Who knows what Microsoft telemetry does? (Ditto for non-MS s/ware). Open source is the only way to go

      Even this is no guarantee but is a good start.

      1. Peter-Waterman1

        Re: 21st century colonialism

        What about Cisco routers or Dell servers? The list is endless, no?

  3. Empire of the Pussycat Silver badge

    Trumpers to cloudy CEO: "give us all your EU data or take a one-way trip to the Red Onion"

    <sound of CEO capitulating>

  4. Diogenes8080

    In the spirit of St William of Vancouver

    Does Microsoft have to remain an American company? A quick check suggests $39b US vs $37b non-US quarterly revenue.

    Departure would certainly be viewed dimly in some quarters, but those customers would face the same problem Europeans do in finding a credible alternative to the desktop application monopoly.

    They would also have the same assurance that their data would remain hosted, in their case, within the continental US. All MS need is a legal home that does not assert the sovereign right to issue a writ for any data it pleases. Candidates?

    And of course any of the tech giants might do this, especially if they "fall out of favour" with any given US administration.

    I think we'll save full extraterritoriality and private armies for the next decade.

    1. Like a badger Silver badge

      Re: In the spirit of St William of Vancouver

      Does Microsoft have to remain an American company?

      Well they'd need to retain a US stock market listing, because that offers much higher prices for a given performance than, say, LSE or Euronext. In theory they could move their legal HQ but keep a US listing, but even that won't actually help because the scope of the CLOUD Act (according to AWS) is "all electronic communication service or remote computing service providers that operate or have a legal presence in the U.S." So even an EU company that operates in the US such as SAP is in scope, and their data in Europe could be demanded by the US authorities under the CLOUD Act.

      The only protection is either that you're a foreign company whose government will say no to Uncle Sam (not a long list there), or not to do business in the US, nor to have any legal presence there. And even then, do you think they wouldn't use a few zero days if it suited them?

    2. M.V. Lipvig Silver badge

      Re: In the spirit of St William of Vancouver

      It's practically an Indian company now, but do you think that's any better? The whole data suck increased exponentially when the Indians took it over, and make no mistake - your data was safer in US hands. Too many here only have an issue with US access to data right now because of an irrational hatred of Trump (yes, you leftists may thumb me down now, no need to read further), but there's been no real change in the US so far as data handling goes for 20 years. Our big problem started when the 9/11 changes started hitting. The Indians, on the other hand, will think nothing of sifting your data to get what they can out of it, copyrighted or not.

      Ultimately, the safest place for your data is on your machine. If you must have a cloud, a national native cloud programmed by someone who has no presence outside your nation should be your preference. This will be expensive, and will require duplicating what others have done. A suggestion from me - get a law passed in your nation that concurrently developed software copyrighted in another nation is not protected if natively written and only used in your nation. Then reverse engineer what the big US players provided, stripping out the phone home suckware portions, and deploy it. Really, it shouldn't take many changes to make it into completely new software just by removing the Hoover.

      Personally, I welcome European nations who dare to go out on your own. I'd love to see many alternatives to the current status quo, and for those overly large companies to be knocked back. If even small nations can make a go of it, corporations might decide that ditching Redmond wouldn't be so bad after all.

      1. Anonymous Coward

        Re: In the spirit of St William of Vancouver

        A simple question:

        On your planet,

        Can you dislike Herr Trump, for a rational reason, WITHOUT being a 'Leftist' ???

        Do only left wing people dislike Herr Trump ???

        [Hint: After the 'Tariffs playbook' enacted by Herr Trump many political sides are not 'his friend' !!!]

        Overall hint/suggestion:

        If you should make a reasoned argument on ANY subject without posting a 1st strike insult at anyone who may disagree, you may find that your argument is considered more favourably on its merits rather than being ignored as biased propaganda hidden under a veil of feigned reasonableness.

        :)

        1. Yet Another Anonymous coward Silver badge

          Re: In the spirit of St William of Vancouver

          It's not just about Trump. Imagine if one day an unscrupulous politician became President of the USA. Somebody who didn't have a deep respect for the law and Constitution. Somebody who was perhaps beholden to nasty corporate billionaires. Somebody who was even prepared to abuse the office for personal financial gain

          1. Excused Boots Silver badge

            Re: In the spirit of St William of Vancouver

            Nah that can never happen.

            Can it....?

      2. LBJsPNS Silver badge

        Re: In the spirit of St William of Vancouver

        "(yes, you leftists may thumb me down now, no need to read further)"

        Done and done.

      3. Bill Gray Silver badge

        Re: In the spirit of St William of Vancouver

        Errrmmm... I don't think a dislike of Trump is particularly irrational. And I'm not a leftist (basically a hard-line moderate). I'm seeing my country fall apart and into the hands of a doddering lunatic. I consider that sufficient grounds to be disgruntled.

        That aside, it's a pity many (most) will see that part of your post and ignore the rest. The basic points (the problems predate 2016; the US has been prying through data since at least 9/11; the only real difference is that some people are finally waking up to that fact) are quite valid.

        Before 2016, I think you could say that the US recognized the value of having friends in the world, and the surveillance was not quite as thorough as it is now. You put those two things together, and non-US people are starting to recognize the value of digital sovereignty. But you are, of course, correct in saying that the problem predates Trump.

  5. elsergiovolador Silver badge

    Copium

    Let's call this what it is. EU leaders have been caught pants down, hopelessly locked into the US tech ecosystem. Now they need a political excuse to keep using it, even though their own courts have said it's illegal.

    This "sovereign cloud" is that excuse. It's commercial "copium."

    The fundamental, unchangeable fact is this: If a company is ultimately controlled from the US, no technical or contractual "solution" can make it immune to the CLOUD Act.

    All these new features are just Microsoft scattering Lego pieces on the floor. The hope is that a US data request would be difficult and painful. But it absolutely will not stop them from taking the data.

  6. VoiceOfTruth Silver badge

    Not worth the virtual paper it is written on

    MS is an American company. America thinks and acts like it owns the world. The USA is not Europe's friend.

    >> it couldn't guarantee that data will not be transmitted to the US government when it is legally required to do so

    That is being generous. Let me reword it for you. MS effectively said it would break EU law to comply with US law. On that basis, MS should be considered to be a hostile state-backed actor.

    1. Anonymous Coward

      Re: Not worth the virtual paper it is written on

      The other option, breaking US law to comply with EU law, does not make it a hostile state-backed actor?

      1. VoiceOfTruth Silver badge

        Re: Not worth the virtual paper it is written on

        Since when is US law valid in the EU?

        1. M.V. Lipvig Silver badge

          Re: Not worth the virtual paper it is written on

          When the US is providing the bulk of your national security, US law matters. Why do you think that despite the screaming by EU lawmakers, ultimately the US gets what it wants from Europe?

          The alternative would be for Europe to ask the US to close all military bases and leave Europe. Right now the US spends about 106 billion Euros on European defense. Until Ukraine, Europe was only spending around 88 billion Euros on defense. If the US leaves, Europe will have to come up with that extra 106 billion a year. That will have to come from an increase in taxes. And, it'll likely be a lot more than 106 billion you have to come up with combined with a cut in social services to help reduce the new tax amount. Enjoy your new taxes. I know I'll enjoy my tax cut.

          1. VoiceOfTruth Silver badge

            Re: Not worth the virtual paper it is written on

            Bullshit.

          2. Anonymous Coward

            Re: Not worth the virtual paper it is written on

            Tax cut? What planet are you on?

          3. This post has been deleted by its author

          4. Casca Silver badge

            Re: Not worth the virtual paper it is written on

            You really should change your handle. Sir Terry's works have nothing to do with your political bullshit you keep on spewing.

          5. collinsl Silver badge

            Re: Not worth the virtual paper it is written on

            Most of that US defence money is spent within the US ecosystem, never making it to the host countries at all.

            The US flies in food, general merchandise (including white goods), cars, and heck, even fuel for use on its bases, they have schools on base, they have housing on base for the majority of the military personnel working there, one could spend an entire 3-4 year deployment never once buying anything from the local community. And of course they pay no taxes to the local community except sales taxes if they do buy something locally.

            Most communities which have US military bases don't see much positive impact apart from the occasional parade or "cultural event".

  7. Nick Ryan Silver badge

    UK data is where?

    Then we get to the, what strongly appear to be, abject lies about the location of UK data.

    For example, take Microsoft 365 SharePoint Online and configure it for "UK" and then check where it is actually operating using GeoIP lookups and the locations quickly switch from lonXX.ntwk.msn.net, which is recorded as being located in London - UK to IP addresses that are recorded as being located in Redmond - USA. This very strongly indicates that UK data, despite the claims of Microsoft 365 SharePoint Online Administration Centre, is being stored in a different country, in this case the US where the regime has no worthwhile data protection laws whatsoever.

    Just in case this could just be administration related, and these IP addresses are in fact located in the UK where Microsoft claim, I also ran speed tests from various locations throughout the world. London and UK based speed tests all operated somewhat slower than USA originating speed tests.

    Failures within Microsoft 365 infrastructure, of which there have been a few in the last month, that affect North America also tend to affect "UK" services too.

    All of which indicates that Microsoft are lying when it comes to the location of UK data.

    1. VoiceOfTruth Silver badge

      Re: UK data is where?

      The UK does not count. It is owned by the USA.

    2. M.V. Lipvig Silver badge

      Re: UK data is where?

      No, no, it's being stored in the UK. The copy in Redmond is a, umm, OK, a geographically diverse protected backup. Yeah, that's the ticket!

  8. TimMaher Silver badge
    Holmes

    UK Police National Database

    Is supposed to be moving to the “cloud”.

    Really?

    1. Juha Meriluoto

      Re: UK Police National Database

      Also Finland is going to move their state election processing to a Trumpistan cloud... Not good.

      1. FirstTangoInParis Silver badge

        Re: UK Police National Database

        WTF is the matter with them? Building a Gov file storing DC is not difficult (plenty of companies willing to do that) and then open standards compute on that isn’t difficult either. The difficult bit is the front end Service ordering and linking that to the back end orchestration. But for services that can be ordered a bit in advance (you know roughly when an election is coming) that means work can be done in advance to set that up and nail it down.

        1. Anonymous Coward

          Re: UK Police National Database

          DXC are now working with the Metropolitan Police so I'm sure they'll be only too happy to assist. What could possibly go wrong (that hasn't already happened a million times before)?

  9. mark l 2 Silver badge

    The only way that MS or any of the American-based tech companies can actually deliver on digital sovereignty would be to set up an EU-based company which is completely independent of the US one, so no infrastructure, staff, or money flowing between them. And that would essentially split Microsoft into two companies, but for obvious reasons the shareholders would not go along with that option so it's never going to happen.

    From a technical level they could give their EU customers the ability to encrypt all their data stored on Microsoft servers with an encryption key unknown to MS and that would at least then mean they couldn't provide unencrypted data to the US if legally requested to do so. But of course they would still be required to hand over the encrypted data which could then possibly be decrypted at a later date. So it is not as good a solution as actually using an EU host who doesn't have any US presence at all.

    1. elsergiovolador Silver badge

      What you are trying to say is that American companies cannot deliver services in the EU.

      Any structural or accounting tricks would be seen as an attempt to sidestep and non-compliance with the law and not acting within its spirit.

      1. Yet Another Anonymous coward Silver badge

        To be fair, neither is North Korea

    2. Nick Ryan Silver badge

      While encrypting data at rest in the servers of a regime with no data protection laws (USA) is a route, it also makes the entire operation pointless because almost all the add-on activity happens at server level. Want to search or index data? Can't happen without the servers having access. When the servers have access, so does the hostile regime where the servers are located.

      In effect, anything more than a huge blob data store is insecure - because even if every file was individually encrypted, the metadata such as filename is not - and the file names are often quite important.

  10. Anonymous Coward

    Although Microsoft says it has published transparency reports and no European customers, private or public, were yet the subject of any requests, the threat of the law remains and this is making some nervous.

    Pity the author's naivety doesn't acknowledge that an NSL can be issued to Microsoft, and that Microsoft will refrain from noting this in their transparency reports. Please stop, there are no benevolent governments.

    1. icesenshi

      True, NSLs usually come with lifetime gag orders. So they're not allowed to even admit that they handed over data. Ever.

  11. ecofeco Silver badge
    FAIL

    Guarantees?

    "Trust us bro."

    Sure thing M$. Sure fucking thing.

  12. Dwarf Silver badge

    Closing the stable door

    Given that this has been done after all the uproar about it, then this seems like they are trying to close the stable door, well after the horse has bolted.

    Can customers be 100% certain - in some form of independently verifiable manner - that the data is not already in the USA?

    Without that, then this announcement is meaningless for any existing customers.

  13. glennsills@gmail.com

    Let's be honest.

    If Europeans are serious about data sovereignty, they cannot have an American company host their data. This follows exactly the same argument that Americans have been making about China for years - storage providers will surrender data to the host government if the government demands it.

  14. munnoch Silver badge

    "the EU Data Boundary"

    Bet there will still be a SPOF in the US...

  15. Anonymous Coward

    Microsoft: U.S. Access to EU Data

    ‘In a hearing before the French Senate committee on June 10, 2025, Microsoft admitted under oath that U.S. authorities could gain access to EU data. Anton Carniaux, Legal Counsel at Microsoft France, was asked directly whether he could guarantee under oath that the data of French citizens stored in Microsoft’s cloud would never be passed to US authorities without the approval of the French authorities. Carniaux responded clearly: “Non, je ne peux pas le garantir” – “No, I cannot guarantee that”’

  16. FuzzyTheBear Silver badge
    Coat

    For max privacy

    If you think about it, sending your data anywhere but an internal server or storage exposes it to corporate greed. Corps have no interest in keeping your data safe, even less from them. There's regulations, laws and all your files / data on any server anywhere on the planet is subject to being searched. Why on earth would anyone want private patient data, or corporate documents be anywhere but on their internal private network? It's totally idiotic to think your data is safe as soon as it leaves your building. Even inside the building it ain't. The Desjardins leak in Quebec is an example. Not only does one have to fight greedy corps outside but we have to deal with inside threats also. Even if MS swears your data is safe with them we all know it's a boldface lie.

  17. Claptrap314 Silver badge

    <sigh>

    I get that you hate the current president. But what about this particular administration matters? You know that the Clipper chip was dreamt up during a Democratic administration, right?

    I get that you envy the power of the US. But issues of sovereignty are the same everywhere.

    If you do business with a Russian entity, expect that entity to do whatever the Russian authorities say.

    If you do business with a Chinese entity, expect that entity to do whatever the Chinese authorities say.

    If you do business with a Croatian entity, expect that entity to do whatever the Croatian authorities say.

    What is so special about the US?

    That we have created, and largely still control, ubiquitous technologies that allow you to, without a second thought, do things unimagined seventy years ago.

    If you don't want the US government asserting its sovereignty over you, then quit doing business with US entities. Honestly, I would be happy if you did. These companies are FAR too powerful (and meddlesome). Shutting them out of the EU & India would trim their wings significantly.

  18. This post has been deleted by its author
