Explosive testimony before the French Senate: Microsoft cannot guarantee that European user data is safe from US authorities despite EU hosting.
Microsoft cannot protect European user data from access by US authorities – even if it is stored in EU data centers. This was admitted under oath by the legal director of Microsoft France, Anton Carniaux, at a hearing before the French Senate on June 10, 2025.
“No, I can’t guarantee that”
When asked directly whether he could guarantee that French citizens’ data would never be transferred to US authorities without explicit authorization, Carniaux replied unequivocally: “No, I cannot guarantee that.” This statement has considerable implications for all EU countries that rely on Microsoft services.
The Cloud Act grants US authorities far-reaching powers to compel American companies to hand over data – regardless of where it is stored. Microsoft’s technical protection measures and EU hosting cannot overcome this legal reality.
European infrastructure under US control
The Senate hearing, which originally investigated the controversial use of Microsoft Azure by France’s Health Data Hub, revealed an EU-wide problem: European governments and companies are heavily dependent on US technology providers, and the data those providers hold is ultimately subject to US laws.
Pierre Lagarde, Microsoft’s technical director, gave an assurance that since January 2025 “our European customers’ data will not leave the EU”. However, this technical guarantee is undermined by the legal reality of the Cloud Act.
The admission does not concern Microsoft alone: Amazon Web Services, Google Cloud and other US hyperscalers are subject to the same legal framework.
What is the Cloud Act?
The Clarifying Lawful Overseas Use of Data Act (Cloud Act) of 2018 significantly expands the powers of US law enforcement agencies. The law obliges US companies to hand over user data at the request of the FBI, NSA and other authorities – regardless of where it is physically stored.
Crucially, the Cloud Act applies to all US companies and their subsidiaries worldwide. Even if Microsoft stores the data in German or French data centers, the company cannot invoke local data protection laws if US authorities demand access.
Although the law provides for procedures to challenge “unfounded” requests, the final decision lies with US courts. For European users, this means that their data is ultimately always subject to US law.