In a hearing before the French Senate committee on June 10, 2025, Microsoft admitted under oath that U.S. authorities could gain access to EU data. Anton Carniaux, Legal Counsel at Microsoft France, was asked directly whether he could guarantee under oath that the data of French citizens stored in Microsoft’s cloud would never be passed to US authorities without the approval of the French authorities. Carniaux responded clearly: “Non, je ne peux pas le garantir” – “No, I cannot guarantee that” (senat.fr).
This statement underscores that, despite data being stored in EU data centers, there is no absolute protection against U.S. access. The question was raised in the context of the U.S. CLOUD Act, which allows American authorities to demand data from U.S. companies, even if that data is stored on servers in Europe. During the hearing, Carniaux confirmed that if presented with a legally justified U.S. order, Microsoft is ultimately obliged to hand over the requested data (senat.fr). This openness marks a turning point in the debate over Europe’s digital sovereignty, as Microsoft officially revealed the limits of its data protection commitments.
Microsoft access to EU data is confirmed by further official sources
Similar admissions can be found in other official sources. Released government documents in the United Kingdom reveal that Microsoft has also acknowledged to authorities that it cannot guarantee full data sovereignty. In a letter addressed to Scottish police authorities, it was stated: “Microsoft have advised that they cannot guarantee data sovereignty for M365” (whatdotheyknow.com).
In practical terms, this means that data, even when hosted locally, cannot be fully protected from foreign access. These admissions emerged in response to a Freedom of Information request, which revealed correspondence between Microsoft and public authorities. This highlights that international data access requests are an inherent part of the cloud architecture used by U.S.-based providers (computerweekly.com). Microsoft’s legal representatives thus acknowledged in discussions that even with contractual and technical safeguards in place, a residual risk remains due to global support and backup processes, during which EU data may be processed outside the designated region (computerweekly.com). These official documents reinforce Microsoft’s statement that a 100% guarantee against foreign (especially U.S.) access cannot be provided.
US CLOUD Act: Legal basis for extraterritorial data access
According to a white paper published by the US Department of Justice, the CLOUD Act explicitly states that companies under US jurisdiction can be compelled to produce data “regardless of whether such data is located within or outside the United States” (justice.gov). This extraterritorial scope of US law was also emphasised in the French Senate, where it was clearly stated that Microsoft, as a US company, is subject to the CLOUD Act, which permits US authorities to access data stored in Europe (senat.fr).
Although Microsoft stresses that it has robust review processes in place and rejects unjustified requests, the company must comply and provide data in the case of legally valid and specific US orders (senat.fr). Even advanced measures such as data encryption and regional storage ultimately offer no absolute protection, as US laws take precedence in the event of conflict – a fact that Microsoft has now publicly acknowledged. This serves as a clear example of how real the risk of U.S. access to EU data via Microsoft is – and why companies should reconsider their cloud strategy now.
Minimising risks with the right partner
Absolute protection from foreign access cannot currently be guaranteed – but companies are not powerless. With the right cloud architecture and a strong partner, risks can be significantly reduced without sacrificing the benefits of modern cloud platforms.
CONVOTIS, as an experienced IT service provider, has already implemented numerous projects involving secure and sovereign cloud solutions. Our data centres are located exclusively in Switzerland, Germany and within the EU – we combine the highest security standards with the scalability and performance you expect from the major hyperscalers.
We will work with you to develop a cloud strategy that strengthens your data sovereignty – without compromising on security or performance. Contact us today for a personal consultation and learn how we can help you build a sovereign and secure cloud future.