As expected, Microsoft cannot guarantee data sovereignty in the EU

Microsoft has admitted under oath that it cannot guarantee that European users’ data will remain within Europe. Despite various measures, US legislation could force the hyperscaler to pass the data on to the authorities.

This was the conclusion reached by Microsoft France CEO Anton Carniaux and his colleague Pierre Lagarde in a hearing before the French Senate. The duo repeated Microsoft’s (and other US cloud players’) well-known claim that it would challenge a requirement from Washington regarding European data. In other words, governments, municipalities, and critical businesses can use Microsoft 365 or Azure on the assumption that Microsoft will protect their data as best it can. How good that protection is remains debatable.

A sham

We have already called Microsoft’s sovereign plans a bit of a sham. At least, we have long been convinced (based on the expertise of many in the field) that Microsoft, AWS, Google, Oracle, and other US players simply have to respect US law. The Cloud Act can force organizations to hand over data stored outside US territory to the US government.

In fact, the statement by Microsoft France employees is not big news. Nevertheless, it is a good reminder that critical data is never 100 percent secure with a US cloud player. This does not mean that it is a worse option than the alternatives. On-premises solutions may cost more money or require more expertise, and smaller European cloud providers may not be able to achieve the same advanced security standards as Microsoft, AWS, or Google Cloud.

Real response

The responses from Carniaux and Lagarde do provide a little more detail than before about Microsoft’s exact approach. Carniaux stated that, after an initial check, Microsoft only responds to very specific requests from the government. The company also always asks whether it can inform the client about invoking the Cloud Act.