Sitting before the French Senate Microsoft France, legal chief, Anton Carniaux was asked if he could guarantee that US law enforcement would not access data hosted in France.

His answer was “No, I cannot guarantee it.”

This shredded years of marketing waffle about “trusted EU clouds” and confirms what privacy advocates have warned about. Under the US CLOUD Act, American firms like Microsoft, Amazon and Google are legally obliged to hand over data whenever Washington says so. It does not matter if the server is in Paris, Frankfurt or the moon.

Microsoft France, legal chief, Anton Carniaux tried to soften the blow with talk of contesting vague or dodgy requests. But he admitted that if a demand is legally valid the company has no choice but to comply. Worse still, Microsoft might not even be allowed to tell the affected customer.

He said Vole operates under the Cloud Act, which grants US authorities broad powers to compel American companies to provide data regardless of storage location. According to Carniaux's testimony, Microsoft maintains a rigorous process for evaluating government requests but ultimately must comply with legally valid demands.

"From a legal standpoint, we engage contractually with our clients, including those in the public sector, to resist requests when they are not well-founded," Carniaux said.

Vole claims to have implemented procedures requiring precise justification for any data requests and attempts to redirect authorities to clients when possible.

However, the testimony revealed critical limitations. Microsoft has published transparency reports showing no European company has been affected by such requests in recent years, according to Carniaux. Yet this statistical reassurance does not eliminate the fundamental vulnerability created by US legal jurisdiction over Microsoft operations.

Microsoft's technical director for the public sector Pierre Lagarde, outlined the company's technical approach to data protection. Since 2022, Microsoft has implemented systems to minimise data transfers and maintain information within European borders.

"Since January 2025, under contractual guarantee, the data of our European clients does not leave the EU, whether at rest, in transit, or being processed," Lagarde stated.

However, Civo, CEO, Mark Boost said: “One line of testimony just confirmed that the US hyperscaler providers cannot guarantee data sovereignty in Europe."  

“Microsoft has openly admitted what many have long known. Under laws like the CLOUD Act, US authorities can compel access to data held by American cloud providers, regardless of where that data physically resides. UK or EU servers make no difference when jurisdiction lies elsewhere and local subsidiaries or ‘trusted’ partnerships don’t change that reality.”

Boost warned: “This is a real-world issue that can impact national security, personal privacy and business competitiveness. We’ve already seen examples like the Scottish police case, where sensitive data was transferred out of jurisdiction and beyond intended control. The recent Microsoft testimony demonstrates how this can now happen on demand by US authorities. ” 

The French Senate is now demanding answers, but Europe’s sovereignty problem is laid bare. Hyperscalers’ “EU data regions” are little more than marketing spin when the real jurisdiction lives across the Atlantic. The question is whether UK and EU governments will finally stop pretending data residency equals data sovereignty and build proper homegrown alternatives.