The Cloud Act

Microsoft admits it ‘cannot guarantee’ data sovereignty


Under oath in French Senate, exec says it would be compelled to pass local customer info to the Trump US administration

Microsoft says it “cannot guarantee” data sovereignty to customers in France – and by implication the wider European Union and the UK – should the Trump administration demand access to customer information held on its servers.

The Cloud Act is a law that gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to accept the request.

The 2018 CLOUD Act, signed into law by Donald Trump, primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies, via warrant or subpoena, to provide requested data stored on servers, regardless of whether the data are stored in the U.S. or on foreign soil.

The law has been viewed as a parallel to China’s National Intelligence Law.

This is more than a technicality. It is a real-world issue that can impact national security, personal privacy and business competitiveness. We’ve already seen examples, like the Scottish police case, where sensitive data was transferred out of jurisdiction and beyond intended control – Mark Boost, CEO at Civo

Tech giant Microsoft is declining to share key information with Police Scotland about where the sensitive data it uploads to Office 365 will be processed, leaving the force unable to comply with UK-wide data protection laws. Without this information, the policing bodies are unable to satisfy the law enforcement-specific data protection rules laid out in Part 3 of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK.

Sovereignty isn’t just about where data is stored, it’s about who controls it

The Cloud Act grants U.S. authorities the power to access personal, corporate or even classified data with a warrant, without prior notice to affected users or European regulators. US cloud providers like Microsoft, Google and Amazon, communication tools like Teams or Slack, or any U.S.-owned platform storing data globally are not safe.

In France, the CNIL had expressed concerns about the risk of data transfer to the United States due to the Cloud Act. Several associations, health professionals, and researchers have, in turn, appealed to the Council of State, claiming that the operation of the Health Data Hub on Azure violated the GDPR. The latter, in its Article 48, explicitly prohibits the transfer of personal data to foreign authorities without a clear and consensual legal framework.

What does this mean for the privacy of chatbot interactions? Or the sovereignty of governments and democracies?

Agentic AI systems are penetrating everywhere: Palantir runs the NHS’s data platform. DeepMind conducts medical research and drug discovery. Israel’s Lavender program generates targeting decisions with minimal human oversight. Amazon Web Services manages government infrastructure while Google and Microsoft AI systems handle energy grids and financial markets. The embedding looks slow because these systems need time to trial, tweak, and integrate. But exponential growth means going from slow “experimental deployment” to suddenly “critical infrastructure dependency” overnight. The iceberg effect is real: what appears minimal above the surface represents massive systematic penetration below – Di Rifai
