German data center operators, in particular, know firsthand the high value their customers place on the integrity and security of their data. However, it should now be clear to everyone that security is an illusion as long as European companies and public bodies rely on cloud services from US providers – and yes, this also applies when providers advertise data centers in Europe.
With unusual clarity, Microsoft has now once again confirmed what many do not want to admit: there is no protection against access by US authorities to data stored in Europe if it resides with US companies. Microsoft France’s General Counsel, Anton Carniaux, recently had to concede in a hearing before the French Senate: there is no guarantee that European user data will not be passed on to US authorities. Despite GDPR and technical measures, Microsoft states that it cannot rule out access by US institutions, and this explicitly applies even to data stored exclusively in the EU.
The Cloud Act obliges US providers to hand over data upon a corresponding order, even if this would violate European data protection law. However, customers often do not receive information about this. This situation clearly shows: Europe’s legal control and data sovereignty end where US law applies. This is the case for every US provider, regardless of where the servers are physically located. I therefore consider it urgently necessary to refocus on European solutions. Because only European data center operators are exclusively subject to the European legal framework. Only they can ensure that the data of business, research, and public administration are not under the influence and access of foreign legal systems.
It is therefore important to stop debating technical facades and clearly define where true digital sovereignty begins: namely, with the choice of infrastructure. Those who want to protect personal and sensitive data must rely on European providers. Anything else remains a compromise at the expense of security and self-determination over our data.
