Can the Cloud Be Sovereign?
Microsoft’s 2025 Testimony, UK Legal Gaps, and the Fight for Digital Control
On June 10, 2025, before the French Senate, Microsoft’s Director of Public and Legal Affairs for France admitted under oath that they could not guarantee data held in European data centers—including those serving UK citizens and businesses—would be immune to secret US government access. This story, little reported in broad media but widely discussed in tech, legal, and policy circles, has enormous implications for the United Kingdom’s data sovereignty, regulatory environment, and digital future.
This article unpacks that testimony and guides UK readers through its far-reaching consequences, particularly amid post-Brexit legal realities and the UK’s ambitions for tech leadership and data independence.
The Microsoft Testimony: What Was Actually Admitted?
The Hearing
During a high-profile French Senate inquiry into digital sovereignty, Anton Carniaux, Microsoft France’s legal head, responded to pointed questioning:
“No, I cannot guarantee it.”
Anton Carniaux, when asked if EU cloud data could never be shared with US authorities without French authorities being notified.
This statement was not a mistake. It was a legally informed, cautious admission that even data stored within Europe can be subject to US law—particularly the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed by the United States in 2018. The act obliges US tech companies to provide access to data, regardless of where it is stored, if requested under valid US legal process.
For UK businesses, this raises an immediate question: If even EU-hosted data isn’t safe, what protections do UK organisations truly have—especially post-Brexit?
Understanding the Legal Framework: CLOUD Act, UK-US DAA, and UK GDPR
🔍 The US CLOUD Act (2018)
Applies to all US companies, regardless of data location.
Authorises secret access (via gag orders).
Has global reach over any data held by Microsoft, Google, Amazon, and others.
🔍 The UK-US Bilateral Data Access Agreement (DAA)
Entered into force in 2020, this treaty complements the CLOUD Act by enabling direct cross-border data requests between UK and US law enforcement, sidestepping traditional processes like Mutual Legal Assistance Treaties (MLATs).
⚖️ Key Facts:
US agencies can serve orders on UK providers without UK judicial approval.
UK agencies must still obtain UK court approval for requests to US providers.
UK data subjects are not notified if their data is accessed by US authorities.
Applies to both content and metadata, with broad targeting criteria including crimes punishable by 3+ years imprisonment.
Either party may terminate the agreement with 30 days’ written notice.
📄 Verified Source: Baker Botts Legal Review of the DAA (2020)
🔍 UK GDPR and the Data Protection Act 2018
While UK GDPR mirrors much of its EU predecessor, its protections can be overridden by international treaties like the DAA or extraterritorial laws like the CLOUD Act—particularly where US companies are concerned.
Why This Matters for the United Kingdom
Even after Brexit, most UK organisations rely heavily on cloud services owned by US tech giants. Whether the servers reside in London, Dublin, or Frankfurt, they fall within the crosshairs of US law.
Sectoral Risk: Who’s Most Exposed?
In practical terms, the legal vulnerabilities impact some sectors more severely than others—particularly those handling sensitive, regulated, or high-value data.
The Illusion of Local Data Centres
One of the most common misconceptions in UK cloud procurement is that data stored in British or European data centres is safe from foreign access.
It isn’t.
US companies—even when operating data centres in the UK—are still governed by US law. Microsoft’s “UK Data Boundary” initiative is a contractual and technical solution, not a legal one. As Carniaux confirmed, physical location is irrelevant if the company is headquartered abroad.
This aligns with longstanding warnings from the European Court of Justice, which in its 2020 Schrems II ruling invalidated the EU-US Privacy Shield precisely because US surveillance laws were too broad and lacked redress for Europeans.
📄 Verified Source: Court of Justice of the EU – Schrems II Decision, July 2020
While the UK’s own “Data Bridge” with the US seeks to streamline transfers, it does not protect against CLOUD Act access or ensure notification when surveillance occurs.
📄 Verified Source: UK-US Data Bridge Factsheet – GOV.UK (2023)
Analysing the Risks: What Could Happen?
Scenarios
Commercial Espionage
UK-based innovations or contracts stored on US clouds could be compromised if foreign authorities access them, deliberately or through broad data sweeps.
Targeted Criminal Investigations
Lawful US subpoenas might pull UK citizen data into American courts without prior notice to the individuals or British authorities.
Undermining Trust
UK citizens, especially in health, finance, and government sectors, lose confidence that their private data is genuinely ‘sovereign’.
What Can the UK Government Do?
Policy Options
Push for Open Notification: Mandate that UK citizens and companies be informed if their data is accessed under foreign (US) orders, unless approved by a UK judge operating under UK law.
Strengthen Independent Cloud: Invest in British or UK-domiciled cloud infrastructure—run entirely by UK-owned companies.
Negotiate New Bilateral Treaties: Forge stronger, post-Brexit data agreements that force mutual notification and limit extraterritorial reach without UK judicial review.
Existing Moves
The UK government reviews data infrastructure for “sovereign cloud” status, but no fully independent national alternative currently exists.
Some arms of the UK public sector develop in-house or on-premises solutions as a workaround, but most government projects still rely on Microsoft or AWS.
Obstacles
British companies choose US providers for their reliability, innovation, and economies of scale.
Creating a homegrown cloud ecosystem will be expensive, take time, and may not match US giants on cost or capability.
Implications for Business
Corporate Responsibility
UK companies should inform clients of possible US legal access if hosted on US cloud platforms.
Sensitive sectors—law, health, defence—should consider shifting mission-critical data to UK-controlled environments.
Security Compliance
Regulators may increase scrutiny and audits of cross-border data flows.
Data protection officers should actively monitor updates to both US and UK legal codes.
Technical guidance for UK Businesses
The UK’s Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) offer concrete steps businesses can take to mitigate data sovereignty risks:
🔐 End-to-End Encryption (E2EE)
Encrypt sensitive data at rest and in transit.
Ensure encryption and decryption happen only within UK jurisdiction.
📄 NCSC Guidance: “Protecting Data in the Cloud” (2022) – ncsc.gov.uk
🗝️ Bring Your Own Key (BYOK)
Use encryption key models where you retain full control—never delegate key management to the provider.
Consider on-premises HSMs or UK-based key management services.
📄 Verified Source: ICO Recommendations on Cloud Encryption – 2023
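The E2EE and BYOK points above come down to one design rule: the cloud provider only ever holds ciphertext plus a data key that is itself wrapped under a key-encryption key (KEK) that never leaves UK-controlled infrastructure. The following Go program is an added illustration of that client-side envelope-encryption pattern; it is not code from the NCSC, the ICO, or any provider. It assumes an in-memory `LocalKeyStore` standing in for an on-premises HSM or UK-based KMS (a real deployment would call the HSM/KMS API for wrap/unwrap), and the patient record it encrypts is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is the only thing that leaves the organisation and lands on the
// cloud provider: ciphertext plus the data-encryption key (DEK) wrapped under
// the locally held KEK. No plaintext and no unwrapped key is ever uploaded.
type StoredObject struct {
	WrappedDEK []byte // DEK sealed with AES-256-GCM under the KEK
	Ciphertext []byte // payload sealed with AES-256-GCM under the DEK
}

// LocalKeyStore stands in for an on-premises HSM or UK-based KMS (assumption:
// a real deployment would call the HSM/KMS API; here the KEK lives in memory).
type LocalKeyStore struct {
	kek []byte
}

// NewLocalKeyStore generates a fresh 256-bit KEK.
func NewLocalKeyStore() (*LocalKeyStore, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &LocalKeyStore{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prepends the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any tampering or wrong key/AAD yields an error.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// WrapDEK and UnwrapDEK are the only operations the key store exposes: the
// KEK itself never leaves it, only wrapped data keys go in and out.
func (ks *LocalKeyStore) WrapDEK(dek []byte) ([]byte, error) {
	return seal(ks.kek, dek, []byte("dek-wrap"))
}

func (ks *LocalKeyStore) UnwrapDEK(wrapped []byte) ([]byte, error) {
	return open(ks.kek, wrapped, []byte("dek-wrap"))
}

// Encrypt performs envelope encryption on the client side. The object ID is
// bound in as associated data so a blob cannot be swapped between objects.
func Encrypt(ks *LocalKeyStore, objectID string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK through the local key store and opens the payload.
func Decrypt(ks *LocalKeyStore, objectID string, obj *StoredObject) ([]byte, error) {
	dek, err := ks.UnwrapDEK(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, []byte(objectID))
}

// ProviderCanRead models a party holding only the stored blob (the provider,
// or anyone compelling it) and a KEK that is not the owner's: it returns
// true only if such a party could recover the plaintext.
func ProviderCanRead(obj *StoredObject, objectID string) bool {
	other, err := NewLocalKeyStore()
	if err != nil {
		return false
	}
	_, err = Decrypt(other, objectID, obj)
	return err == nil
}

func main() {
	ks, err := NewLocalKeyStore()
	if err != nil {
		panic(err)
	}
	record := []byte("patient 0001: constructed sample record") // constructed sample
	obj, err := Encrypt(ks, "records/0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d ciphertext bytes and %d wrapped-key bytes\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	fmt.Println("provider can read without the KEK:", ProviderCanRead(obj, "records/0001"))
	pt, err := Decrypt(ks, "records/0001", obj)
	if err != nil {
		panic(err)
	}
	fmt.Println("owner decrypts:", string(pt))
}
```

The point of the design is in what `StoredObject` does not contain: a compelled provider can hand over every byte it holds and still disclose nothing readable, because the unwrap step can only happen where the KEK lives. Binding the object ID as GCM associated data also means a blob restored under the wrong name fails to open rather than silently decrypting, which is the kind of check the contract and audit clauses in the following sections can be verified against.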
📑 Contract Clauses
Include specific language on data access disclosure, encryption ownership, and breach notification.
Clarify legal jurisdiction and choice of law.
📄 Source: ICO Template Clauses for International Transfers (2022)
🇬🇧 Data Localisation for High-Risk Workloads
Store data critical to national interest (health, defence, justice) with UK-domiciled providers or on-premises infrastructure.
Use global clouds for less sensitive workloads where encryption and key control are strong.
Data Sovereignty: The Broader Debate
What Does “Sovereignty” Mean in the Cloud Age?
True digital sovereignty means more than just data residency. It combines:
Legal control: Only the domestic courts can compel disclosure.
Operational independence: The hardware, code, and teams are all UK-based, with clear, domestically enforceable oversight.
Transparency and notification: Citizens and companies know when and why their data is accessed.
Current Gaps
Right now, most British data is subject to overlapping and often conflicting foreign legal claims.
Can True Cloud Sovereignty Be Achieved? A Pragmatic Perspective
The Challenge of Matching US Providers
When policymakers and technologists discuss “cloud sovereignty,” the conversation often turns aspirational—yet the hard truth is that the UK and EU are still far behind US giants like Microsoft, Amazon, and Google in several critical dimensions:
Scale: US providers have invested hundreds of billions in global data centre networks, providing elastic compute, storage, and advanced digital services that are extremely difficult to replicate regionally.
Innovation Pace: American tech giants drive rapid advancements in artificial intelligence, security, developer platforms, and integrated ecosystems—features European and UK providers struggle to match.
Service Breadth: The US majors offer an integrated suite of services, APIs, and tools for every industry, making them a one-stop shop for all digital infrastructure needs.
Why Are UK/EU Sovereign Clouds Lagging?
The barriers are both financial and strategic:
Insufficient Investment: Public and private sector investment in UK and EU-based cloud infrastructure remains modest compared to the limitless resources of US tech titans. Core sectors—compute, networking, software, AI—require capital and talent on a scale that is rarely matched by regional players.
Fragmented Market: European efforts are often dispersed among many national champions or public initiatives (like GAIA-X), leading to a lack of critical mass, complicated governance, and slow delivery.
Regulatory and Procurement Hurdles: Complex procurement rules and risk-averse government cultures hinder large-scale public contracts for homegrown solutions, while startups often lack the runway or incentives to build competitive products.
Talent and R&D Deficit: UK and EU firms face a shortfall of top cloud engineers, enterprise architects, and R&D resources—further compounded by global competition for technical expertise.
The Current Reality
Dependency on US Clouds: The vast majority of UK organisations—including government agencies—depend on US-based platforms for core operations.
Domestic Offerings: A few UK and European firms do provide “sovereign cloud” platforms, but these typically lag in scalability, service richness, and cost-competitiveness.
Slow Progress in Funding: Recent years have seen announcements of public-private funds and “sovereign cloud” initiatives, but the amounts invested are a fraction of what US hyperscalers spend each quarter.
Is True Cloud Sovereignty Realistic?
Not in the Near Term. While the aspiration is strong—driven by security, privacy, and strategic autonomy—current market realities make full sovereignty impractical for now:
The investments required to rival US hyperscalers are enormous and will take a generation to manifest, even with unified pan-European effort and dramatic policy shifts.
Homegrown efforts are important and should be supported with targeted funding, streamlined regulation, and incentives for talent development, but these will only narrow the gap incrementally, not close it.
Hybrid solutions—where the most sensitive workloads are kept on local or European clouds, and the rest run on global providers—are likely to remain the pragmatic norm for years.
What Must Change?
For authentic sovereignty, the UK and EU would need:
Massive, sustained public and private investment—tens of billions annually—to build, scale, and continuously upgrade independent cloud infrastructure.
Unified policy and procurement, reducing market fragmentation and giving sovereign providers the anchor customers required for scale.
Talent acceleration, making cloud engineering, cybersecurity, and data science a strategic national priority.
Conclusion: A Pragmatic Path Forward for UK Data Sovereignty
Microsoft’s recent admission before the French Senate has laid bare a critical truth: UK data sovereignty is more vulnerable than many realise. Local data centres are no safeguard when US laws still reach across borders, and the UK’s post-Brexit protections are showing cracks under global legal pressure.
While the dream of full digital independence is valid—and necessary in an era of geopolitical uncertainty—the UK’s continued reliance on US cloud giants is inevitable for now. The scale, innovation, and infrastructure offered by American tech firms far outstrip what domestic or EU alternatives currently provide.
So what’s next? True sovereignty will take decades—not just better contracts or UK-based servers. It demands:
Massive public-private investment
Legal reform
A coordinated UK strategy
Upskilling the digital workforce
Until then, a hybrid model offers the most realistic path: blending the efficiency of global cloud platforms with strong local data protections, encryption, and legal safeguards around foreign access.
This isn’t about isolation. It’s about visibility, governance, and choice. And it’s time the UK treats data sovereignty not as a marketing slogan—but as a long-term national imperative.