A few months ago, I discussed the fundamental legal challenge posed by the Cloud Act to our digital sovereignty (https://exadvize.com/is-corporate-ai-policy-just-a-smokescreen-hiding-the-real-challenges-of-digital-sovereignty/).
The June 10, 2025 hearing before the French Senate inquiry commission closes the debate:
“If we are compelled, we hand over the data.”
These were the words of Anton Carniaux, General Counsel at Microsoft France, publicly acknowledging his subsidiary’s powerlessness in the face of a US court order.
🔍 A quick refresher:
The Cloud Act (Clarifying Lawful Overseas Use of Data Act), enacted in 2018, requires American companies to provide authorities with requested data, even if the data is stored outside the United States.
In contrast, Article 48 of the GDPR prohibits transferring data to a foreign authority outside of a bilateral legal framework.
➡️ This creates a structural incompatibility, placing French companies and public entities between two conflicting legal regimes.
🔹 The Health Data Hub (HDH) is a perfect example:
As early as 2020, concerns were raised over its hosting by Microsoft Azure due to Cloud Act risks. The CNIL expressed reservations, and the matter was referred to the French Council of State.
The 2024 SREN law formally acknowledged the issue: sensitive data must be hosted on SecNumCloud-certified infrastructure, effectively excluding providers subject to US law.
🔹 What changes today is Microsoft France’s public recognition of the problem.
This is no longer doctrinal analysis. It’s no longer a technical concern.
It’s an acknowledged legal reality: 📆 A US-based company cannot guarantee the sovereignty of data stored in France.
So, at a time when European courts are demanding high standards for cross-border data compliance (see the 2020 CJEU “Schrems II” ruling), and digital transformation depends on massive volumes of sensitive data, the issue becomes central.



