Microsoft Admits Uncertainty Over EU Data Security Amid US Requests

In a recent hearing before the French Senate, Microsoft's Chief Legal Officer for France acknowledged the lack of guarantees that data from the European Union remains secure from potential transfer to the United States. This admission specifically pertains to data received from the Union des Groupements d'Achats Publics (UGAP), which is the central procurement body for public sector entities, including schools and local governments.

When questioned about whether the company could assure that it would never share this information with the US government without explicit consent from French authorities, the legal officer stated that he could not provide such a guarantee under oath.

However, he clarified that Microsoft has never faced a situation where such data was requested. He explained that the company is able to refuse information requests from the US government if they are deemed formally invalid. Microsoft commits to thoroughly assessing the validity of any requests, noting that the US government cannot issue vague or undefined inquiries. Nevertheless, if a request is legitimate, Microsoft is obliged to comply and provide the requested data. The company also indicated that it seeks to inform affected customers about such requests but must first obtain permission from US authorities to do so.

The implications of this testimony extend beyond the UGAP and France, as uncertainty regarding the use of US cloud services prevails across the European Union. Major cloud service providers, including Microsoft and Amazon AWS, are facing scrutiny related to US legislation such as the CLOUD Act and the Patriot Act, which allow the US government to issue information requests to cloud providers. Concerns are rising not only about the transfer of data but also about the potential for US authorities to shut down cloud services operating in the EU.

In response to these challenges, US-based hyperscalers like Amazon are establishing new subsidiaries in Europe that promise independence from their US parent companies. They claim that transferring data is technically impossible within these European entities. Microsoft, on the other hand, is proposing to install cloud infrastructure directly at client sites, allowing services like Microsoft 365 to remain under the clients' control. While system maintenance would still be handled by Microsoft, it would be performed by local staff. The effectiveness of these sovereignty assurances remains in question, as alternatives such as Nextcloud are reportedly experiencing increased demand.

The public hearing with the Microsoft executive took place on June 10 and is now available in a transcript format for interested parties.