Microsoft Can't Keep EU Data Safe from US Authorities

(forbes.com)

192 points | by Mossy9 6 hours ago

62 comments

  • csense 30 minutes ago

    This applies to any company, doesn't it?

    Your home country can tell you "Give us your data" and you have to comply.

    "I will never give up customer data" is a very tough promise to keep, if the government threatens you with your business license being revoked, your servers and domains being forcibly seized by the police, and you personally going to jail.

    (Under the current US administration, we can add "A close examination of the immigration status of all foreign nationals employed by your company, followed by probable deportation or jail" to the list of potential consequences for resisting the government.)

    • satellite2 25 minutes ago

      Of course. But what if the holding lives in a country that doesn't enforce this (or is too weak to)? Then all the subsidiaries are really sovereign from the host country's perspective.

      It seems the solution is ages old. Don't have the holding incorporated in an empire...

  • throwawayffffas 6 hours ago

    > Carniaux did say that the situation had never arisen.

    That's what he would say if the company was under a gag order in the US. So I would take anything they say with a mountain of salt.

    • alwayseasy 4 hours ago

      Specifically here, he is under oath in France so an American gag order wouldn't protect him from the French justice system.

      This makes it less likely he's lying. It could be possible Microsoft France has a "rogue" employee system where a key person only obeys Microsoft US orders rather than his French boss and French law. Then the boss can swear to the Senate that they're complying.

      This is exactly the system the US Congress accused TikTok of having set up.

      • hyghjiyhu 4 hours ago

        If the data center is operated by a "trusted subsidiary" as the article mentions, and everyone in key roles is a French citizen with no connection to the US, then there is no one to give a gag order to.

        In practice the US HQ could mandate a security update that secretly uploads all data to the US but that's a whole other can of worms that I don't think anyone is ready to open.

        • dathinab 4 hours ago

          ...the data center which runs software written and controlled by US companies and likely has a 24/7 software-related support team which is distributed across the world...

          In a modern cloud data center you don't need someone physically plugging a USB stick into a server; you just need a back door in a cloud software stack many times the size of any modern operating system, which often even involves custom firmware for very low-level components, and where the attacker has the capability to convince your CPU vendor to help them...

          • spwa4 3 hours ago

            ... a backdoor that is a necessity anyway, because it is constantly used to upgrade the cluster software.

      • jacquesm an hour ago

        Less likely doesn't say much though. He may have simply weighed the chances of the French government ever finding out that he lied.

        > It could be possible Microsoft France has a "rogue" employee system where a key person only obeys Microsoft US orders rather than his French boss and French law.

        I would think that is not just a possibility, but a certainty.

      • MengerSponge 4 hours ago

        > This is exactly the system the US Congress accused TikTok of having set up.

        "Every accusation is a confession" remains undefeated

      • dathinab 4 hours ago

        Until this happened, MS was still going around trying to convince lawyers to use their cloud and telling them that there is no issue.

        Including certain contractual "standard"(1) agreements which would make some of their higher management _personally_ liable for undue data access, even under the CLOUD Act from the US!!!

        (1) As in standard agreements for providers which store lawyer data, including highly sensitive details about ongoing cases etc.

        So you can't really trust MS anymore at all, even if personal liability (e.g. lying under oath) is at stake. And the maximum penalties for lying under oath seem less than what you can run into in the previously mentioned case...

        You also have to look a bit closer at what it even means if "the French MS CEO swears they are complying": it means he doesn't know about non-compliance, did tell his employees to comply, hired someone to verify it, etc.

        But the US doesn't need the French CEO to know; they just need to gain access to the French/EU servers through US employees, which, given that most of the infra software is written in the US and there are international admin teams for 24/7 support, is really not that hard...

        And even if you want to sue the French CEO after a breach / after he (hypothetically) lied, he would just say he didn't because he was also lied to, leading to an endless goose chase, and "oops", by now the French CEO somehow is living in the US.

        And that is if you ever learn about it happening, but thanks to the US having pretty bad gag orders/secret court stuff, the chance of that is very low.

        So from my POV it looks like MS has been knowingly and systematically lying to and deceiving customers, including ones with highly sensitive data, and EU governments about how "safe" the data is, even if it leads to personal legal liability for management.

        And I seem to remember that AWS was giving similar guarantees they most likely can't hold, but I'm not fully sure. Idk about Google.

        Oh, and if you hope that the whole Sovereign Cloud thing will help, it won't. It's a huge make-pretend theater moving millions upon millions into the hands of US cloud providers while not providing a realistic solution to the problem it is supposed to solve and neglecting local competition which actually could make a difference, smh.

        • impossiblefork 3 hours ago

          The max penalty for things like this is actually life imprisonment though. If you, to aid a foreign power, gather certain types of information without authorization, it's espionage.

          There wouldn't be any lawsuit. If you do this kind of thing you get arrested, get a trial, and then you are in prison forever.

  • jeppester 5 minutes ago

    Anyone who's read the law has known this for years.

    The GDPR is incompatible with the CLOUD Act, and so the only legal (or so it should be) way to use US companies is to treat them like unsafe third countries - no matter the data center location.

    But everyone wants to continue like before. Having to ensure that Amazon and Azure never touch unencrypted personal data is hard. So one "compromise" after another has been tried - never solving the actual problem.

    As an EU citizen I think it's entirely embarrassing. Either the EU should have the power to force European subsidiaries to be exempted from the CLOUD Act, or everyone should be forced to abide by the law, which would greatly boost EU tech. Instead we are just rolling over.

  • Havoc 30 minutes ago

    The whole concept of big cloud somehow setting up sovereign clouds in Europe seems incredibly naive to me.

    Every AWS employee knows where his bread is buttered - Seattle not Brussels

    • mk89 6 minutes ago

      Apparently someone buys it, otherwise AWS would not invest 8+ billion in Germany: https://www.aboutamazon.eu/news/aws/aws-plans-to-invest-7-8-...

      "If it's certified, it must be good".

    • rdtsc 13 minutes ago

      Yup. I always thought it was a way just to get business in the EU. Do some performative dance of "hey, look! a separate DC building with EU employees only" and then hope nobody would ask too many questions.

      Then the next level is regulators in the EU also have to care and can't just say "ok, you have a separate DC building with EU employees only. Good. My job is done, I checked" and move on.

  • josephh 3 hours ago

    But then who can? No global cloud providers, including Hetzner and OVH, are free from the CLOUD Act because they have a US presence [1].

    1. https://us.ovhcloud.com/legal/faqs/cloud-act/

    • Sayrus 3 hours ago

      OVHCloud US is a different company from the rest of the world.

      https://blog.ovhcloud.com/cloud-data-act/

      • formerly_proven 2 hours ago

        The separation is even in the URLs, all the locales are using paths, except the US, which lives under us.ovhcloud.com. All locales use a customer console hosted at ovh.com, except the US, which has it under us.ovhcloud.com.

      • josephh 2 hours ago

        You can't just spin up an LLC and call it a separate company. OVHCloud is still OVHCloud US' subsidiary company.

        From the FAQ page I linked:

        > In accordance with our Privacy Policy, OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, that could include data stored outside of the United States. OVHcloud will consider the availability of legal mechanisms to quash or modify requests as permitted by the CLOUD Act.

        • kgwgk 2 hours ago

          > OVHCloud is still OVHCloud US' subsidiary company.

          It’s the other way around.

          > From the FAQ page I linked:

          Which is for the US company.

        • lawlessone 2 hours ago

          > You can't just spin up an LLC and call it a separate company.

          You can actually. Becton Dickinson did it and shafted loads of their employees by saying they no longer have pensions with them.

    • blackoil 3 hours ago
    • timeon an hour ago

      Who? You can use Hetzner and OVH proper instead of US subsidiaries. Using AWS/Azure/GC in Europe these days is pretty risky for more than one reason.

      • segfaultex 10 minutes ago

        I think we'll see a lot of companies moving away from public cloud providers in the future, but I don't think it'll be because of any privacy-related concerns.

        It rarely makes economic sense to deploy workloads onto the public cloud unless you have critical uptime requirements or need massive elasticity.

      • AlanYx an hour ago

        FISA and the Stored Communications Act as modified by the CLOUD Act don't distinguish between (i) parent company overseas + US subsidiary and (ii) parent company in US + foreign subsidiary. In both instances the US asserts personal jurisdiction, extending to wherever the data is stored geographically.

        • fukka42 an hour ago

          The US has no authority whatsoever over a foreign parent company. The US subsidiary also has no access to "foreign" data.

          • potsandpans an hour ago

            The US by and large can (and does) assert authority outside of its jurisdiction, to which another country can choose to capitulate.

            Most of the time countries do, because they are all swapping data on their citizens between themselves to skirt various laws.

            In the case where the US really wants something, and the country won't yield, they'll fund contras or destabilize the government (if small enough to be bullied) or impose sanctions so drastic it's effectively a soft act of war.

            This is all to say that the US has nearly unlimited authority while it stands as the world's de facto superpower.

            • fukka42 an hour ago

              They can assert what they want, they have no way to enforce it.

              Pretty funny you're jumping straight to warfare. This proves why Americans cannot be trusted.

              In any case, it's better for me that the Americans will need to start a war with the EU to get at my data instead of just giving it to them.

              • segfaultex 8 minutes ago

                I'd argue that placing faith in any large institution is folly. Especially when that institution has a bunch of perverse incentives to act immorally.

                Any nation with any amount of leverage has abused it.

              • potsandpans an hour ago

                We agree, I'm not saying anything is good or desirable. Just pointing out, this is how they achieve overreach: coercion.

    • immibis 3 hours ago

      Possibly only their US subsidiaries though?

    • dboreham 3 hours ago

      I'm guessing: Russia?

  • eeasss an hour ago

    This is known. The problem is that the EU is hooked on US technology. I don’t see this untangling soon, which is a big strategic weakness.

    • BiteCode_dev 33 minutes ago

      Pretty much yes. From SaaS to authentication systems to OS to chips. The EU infra is entirely dependent on the US. All documents, emails, chat messages, and most forms of storage are directly or indirectly linked to an American service.

      On top of that, the US can update it all remotely, including the hardware now thanks to things like Intel ME.

      Let's hope we never get into a conflict with them, because even without bombs, they can basically shut us down with a few keystrokes: https://www.bitecode.dev/p/the-eu-can-be-shut-down-with-a-fe...

      Or at least have everything they need to develop such a capability. And it's not like the current people in power care much about alienating other countries.

  • emodendroket 2 hours ago

    A bit of a "hoist by their own petard" situation since the US has been raising this specter about Chinese tech for quite some time.

    • jacquesm an hour ago

      Yes. For Europe there isn't a real alternative other than to painstakingly re-grow our independence. That will take a long time.

  • tempodox an hour ago

    Of course they can’t. U.S. companies are under U.S. jurisdiction, no matter where their data centers are located.

    • bluGill 35 minutes ago

      This is a French company owned by a US company though, which makes things complex.

  • pkstn 3 hours ago

    Luckily we have great European cloud companies like UpCloud https://upcloud.com

  • schuyler2d 3 hours ago

    I can't imagine the Cloud Act being effective without Microsoft (and French gov) complicity.

    If they can make successful tax shelters they can architect the entities and the architecture to remove this option.

    There's some 9-eyes thing where this is a feature, not a bug.

  • 1123581321 3 hours ago

    I wouldn't think "sovereign" EU data would be protected from US snooping either, unless the Five Eyes Plus alliance is going to be dissolved. Even then...

    • GTP 3 hours ago

      Well, not relying on US cloud would already be a giant step in the right direction, by making it significantly harder to snoop on the data.

      • 1123581321 3 hours ago

        I don't believe that's the case because the intelligence pooling is meant to remove cross-border friction. A general breakdown of western alliances would probably be required (and maybe that's where we're headed.)

        • timeon an hour ago

          Not just headed, it is already in the process.

        • dboreham 3 hours ago

          > A general breakdown of western alliances would probably be required

          Hearing a distant shout of "hold my beer" from the White House...

    • IsTom 2 hours ago

      With the UK out, there are no Five Eyes members in the EU.

    • blibble 2 hours ago

      I suspect the other 4 eyes are somewhat less willing to do the US regime's bidding these days

  • giuliomagnifico 6 hours ago

    It’s old news (July 22)

  • blibble 3 hours ago

    After this whopping great vulnerability in Azure, anything there prior to that being fixed should be considered public anyway:

    https://dirkjanm.io/obtaining-global-admin-in-every-entra-id...

    • conception 2 hours ago

      Don't forget when Azure had its root cert compromised. Which... maybe is still a thing?

  • jmyeet 3 hours ago

    An inevitable consequence of this administration destroying US foreign influence and power at an unprecedented rate is that (IMHO) it is inevitable that the EU builds their own cloud and mandates its use for EU data. It is becoming a matter of national security.

    The interesting thing is that the US is acting in the exact way that they accuse China of acting. Companies like Huawei are forbidden from installing telecom infrastructure for "national security" reasons [1]. One of the justifications for first banning then forcing a sale of TikTok was because of possible Chinese government interference. It's only a matter of time before the EU and China start making the same determination against US tech giants (e.g. a Meta executive brags about silencing dissent [2]).

    This administration really is killing the golden goose.

    [1]: https://www.reuters.com/business/media-telecom/us-fcc-bans-e...

    [2]: https://www.youtube.com/watch?v=7eO8byuv6PE

    • spongebobstoes 3 hours ago

      I don't think that YouTube video is a good supporting piece for your point. The spokesperson says they don't want to propagate harmful stereotypes. "Brag about silencing dissent" seems like a strawman interpretation.

      A better faith interpretation is that people are free to criticize Israel and Zionism on Meta, just not using racist tropes.

      • jmyeet 2 hours ago

        Oh, if only that were true. It's been made apparent in the last 2 years in particular that fighting antisemitism from the perspective of the ADL and figures like Jordana Cutler (who previously worked for the Israeli Prime Minister's Office) simply means silencing criticism of Israel, even when that means siding with actual antisemites (up to and including neo-Nazis and outright Nazis). Examples:

        - Ben Shapiro excuses antisemitic remarks by Ann Coulter because she's pro-Israel [1];

        - ADL defends Elon Musk for making the Nazi salute (twice) on stage [2]

        - We brutalized people with the police for organizing peaceful protests to say "maybe we shouldn't bomb children" or to get their respective universities to divest their endowments from the state doing the bombing;

        - We went so far as trying to deport legal permanent residents for organizing said peaceful protests (i.e. Mahmoud Khalil); and

        - The IHRA definition of antisemitism includes criticisms of the state of Israel.

        [1]: https://x.com/benshapiro/status/644505141299671041

        [2]: https://www.aljazeera.com/news/2025/1/22/adl-faces-backlash-...

        • spongebobstoes an hour ago

          I was replying to the claims on big tech company policies. Jordana Cutler appears to be an internal advocate for reducing antisemitism on the Meta platform. They don't set policy. There are many similar roles for many different groups, it's how the company tries to hear more points of view before making policy changes.

          We can only judge big tech company policy based on its declaration or application. So far I see no supported criticisms of either, though I am open to them.

  • varispeed 4 hours ago

    Governments are not exempt from the CLOUD Act and US providers can be under a gag order, so from an EU or UK government perspective, they will never know if data has been accessed by a 3rd country and what happened to it.

    It is actually amazing that all the tenders have not been rejected on national security grounds, or simply that security services (yet again) have not done the job taxpayers pay them to do.

    • immibis 3 hours ago

      > they will never know if data has been accessed by 3rd country and what happened to it.

      They should have arranged to get a 100 euro refund every time it happens, or 440 euros if the UK does it.

  • radiator 44 minutes ago

    What difference, at this point, does it make? The EU has already surrendered any notion of sovereignty to the US in the fields of military and energy.

  • shevy-java 4 hours ago

    Time to pull away all EU data from the Trump USA.

    • embedding-shape 4 hours ago

      I think many already started, the only reason it's starting to appear in the news is because people are making progress with the moves, and US companies are noticing it, but it's been planned and organized for a lot longer than just the last year.

    • spookie 2 hours ago

      Can assure you it has been happening for a while.