US laws beat European data protection rules
What was only suspected for a long time has now been officially confirmed: Microsoft cannot guarantee that your data as an EU citizen is protected from access by the US government - even if it is stored in European data centers. Anton Carniaux, Chief Legal Officer of Microsoft France, admitted this openly at a hearing before the French Senate in June 2025.
When asked specifically by reporter Dany Wattebled whether Microsoft could guarantee that the data of French citizens would never be passed on to US authorities without the consent of the French authorities, Carniaux replied dryly: "No, I can't guarantee that, but it has never happened before."
This turns an open secret into the official truth: the so-called Cloud Act also allows the US to access data that is physically located in Europe - as long as it is held by a US provider.
Patriotism beats data protection - even in the cloud
Carniaux made it clear that Microsoft could theoretically refuse requests from the US government - but only if they were unfounded. If the request is formulated in a legally correct manner, "Microsoft is obliged to transfer the data in any case". And even then, customers do not always find out about it - Microsoft can only try to inform those affected "as far as possible".
In concrete terms, this means that public institutions, authorities and even courts in Europe - as in France via the UGAP - may store data that can be legally accessed by the FBI, NSA & Co. Without the consent of the respective national government. Without warning those affected.
The case of the International Criminal Court - a political data scandal
Andreas Mundt, President of the German Federal Cartel Office, made a particularly sensitive case public. He said that US President Donald Trump had instructed Microsoft to block the access of the chief prosecutor of the International Criminal Court (ICC), Karim Khan, to his email account.
Microsoft denies this - at least officially. Carniaux said under oath: "We have never suspended or blocked access to ICC services." However, according to the AP news agency, Khan did indeed no longer have access to his Microsoft account and also lost access to his bank accounts in the UK. He then switched to Proton Mail, a Swiss provider - apparently for good reason.
However, Microsoft did not say who, if not itself, blocked access. The question remains open. The uncertainty remains.
Europe is asleep - and the USA is typing along
It is frightening how far the arm of the US government reaches - and how little our European data protection efforts can do about it. Whether it's the GDPR, European cloud initiatives or national IT security laws, we end up in the digital living room, while Washington is the master of the house. And this affects not only large organizations, but also every school, every city administration and every citizen who trusts a US service.
Europe must wake up! What we need are genuine European cloud solutions - independent, transparent and legally immune to foreign interference. Anything else is an invitation to digital surveillance - nicely packaged in friendly terms and conditions.
After all, what good is the European flag on the data center if the key is in Washington?
