Microsoft’s claims of data sovereignty have been called into question after a recent hearing revealed that the company cannot guarantee that customer data will not be transferred to US authorities upon request. This raises concerns about the effectiveness of cloud providers’ promises of sovereignty and the potential risks to EU customers.
Experts weigh in on the issue, with one researcher stating that Microsoft’s concession is not surprising but highlights the lack of protection mechanisms for transatlantic data exchange. The researcher warns that companies’ decisions on secure data storage depend heavily on advertising promises, which are now being revealed as flawed.
However, a lawyer takes a different view, arguing that EU subsidiaries of US cloud providers are bound by European law and cannot be forced to hand over data to the US parent company. Under the GDPR, non-European laws like the CLOUD Act do not apply, and EU subsidiaries must comply with requests from their parent company only if they meet specific requirements.
The revelation has significant implications for companies and authorities weighing up cloud procurement decisions. As a US company, Microsoft must comply with US jurisdiction, regardless of its advertising promises. The fact that the EU also has powers of access comparable to US law does not change this fundamental reality.
Ultimately, the official admission of Microsoft’s limitations highlights the need for clarity and transparency in cloud data transfer practices. Companies and authorities must now take this into account when making decisions about secure data storage, ensuring that they understand the potential risks and benefits of using US-based cloud providers.
Source: https://www.heise.de/en/news/Microsoft-s-sovereignty-debacle-Between-flowery-advertising-and-no-panic-10495215.html