csense · a month ago
This applies to any company, doesn't it?

Your home country can tell you "Give us your data" and you have to comply.

"I will never give up customer data" is a very tough promise to keep, if the government threatens you with your business license being revoked, your servers and domains being forcibly seized by the police, and you personally going to jail.

(Under the current US administration, we can add "A close examination of the immigration status of all foreign nationals employed by your company, followed by probable deportation or jail" to the list of potential consequences for resisting the government.)

autoexec · a month ago
The trick is to collect as little data as possible and to get rid of what you need to collect as quickly as you can. This is in direct opposition to the practices of companies like Microsoft, which want to spy on their users and profit from the data they collect, though.

There's also an open question of how possible it is to run a system that doesn't collect/store data in a way that makes it possible to be collected by the government. The US government can force companies to compromise their systems or shut down their services if they refuse. In the past they've even threatened that shutting down a service instead of compromising it could still get operators in legal trouble.

At this point anyone who wants to keep the US government out of their data should avoid using any US company.

ebb_earl_co · a month ago
This is why I still prefer Signal; this practice seems to be their modus operandi even though they, too, were affected by the AWS us-east-1 catastrophe.

charles_f · a month ago
Well this is especially significant because Microsoft is currently building a sovereign datacenter in France (nicknamed "Bleu"). I'm wondering what the consequence of that testimony will be.

https://blogs.microsoft.com/on-the-issues/2025/04/30/europea...

cesarb · a month ago
> This applies to any company, doesn't it? Your home country can tell you "Give us your data" and you have to comply.

Not all countries have an equivalent to the USA CLOUD Act.

tharne · a month ago
> Not all countries have an equivalent to the USA CLOUD Act.

Not yet, anyway. Unfortunately, pretty much every country seems to be getting less and less open and free over time. Some are better than others, but it does feel like everyone is regrettably rowing in the same direction.

tremon · a month ago
> Your home country can tell you "Give us your data" and you have to comply

Not according to both Amazon's and Microsoft's historic marketing materials. They have always claimed that data stored in your local jurisdiction is not accessible to law enforcement abroad. And the US judiciary initially agreed with that: https://petri.com/microsoft-wins-appeal-data-stored-abroad-s...

...which then led to the US CLOUD act and here we are, once again, proving that the past is alterable; just like Oceania has always been at war with Eurasia.

satellite2 · a month ago
Of course. But what if the holding lives in a country that doesn't enforce this (or is too weak to)? Then all the subsidiaries are really sovereign from the host country's perspective.

It seems the solution is ages old. Don't have the holding incorporated in an empire...

vladvasiliu · a month ago
How would this work in practice? If the empire wants to get at your data, why do you think it would shy away from pressuring a country so weak that it can't afford to enforce this on their companies?
stetrain · a month ago
Then the empire just says that they want the data or you won't be allowed to operate in the empire, which would be bad for profits and anger shareholders.
throwawayffffas · a month ago
Well yes but that is all the more reason for EU entities to use EU companies for data storage.
xorcist · a month ago
That's not so. In a democratic state of law, the police cannot unilaterally decide to seize your servers, and the politicians cannot tell the police to do so. Separation of powers is a thing.
pjmlp · a month ago
Nice theory, that even in the US isn't really working nowadays.
recursive · a month ago
What would stop them from doing that?
LarsKrimi · a month ago
> "I will never give up customer data" is a very tough promise to keep

If you don't have a spine, sure

That's what US companies are seen as from a European perspective: Spineless and untrustable

It's a great sales argument for locally grown software though, so I'm not complaining :)

tharne · a month ago
> If you don't have a spine, sure

I've never understood this take. A lot of people were saying this sort of thing when Proton Mail turned over some user data to authorities in Europe a while back.

If you're running a tech company and run afoul of the law in some or another jurisdiction, it doesn't matter how much spine you think you have. When a group of men with guns, i.e. the police, shows up at your door and gives you the option of turning over some customer data or spending the next 10 years of your life in a steel cage, I'm betting that practically no one is going to choose the cage, spine or not.

The only way to keep user data safe is to not collect it in the first place.

idkfasayer · a month ago
In theory, there is rule of law, the intention of which is to prevent government's access to your property and body without a court order and any emergency access such as use of force at crime scenes being subject to public scrutiny. I guess that was the idea when the USA was established as a country, but people forgot what their ancestors were fighting for.
throwawayffffas · a month ago
> Carniaux did say that the situation had never arisen.

That's what he would say if the company was under a gag order in the US. So I would take anything they say with a mountain of salt.

alwayseasy · a month ago
Specifically here, he is under oath in France so an American gag order wouldn't protect him from the French justice system.

This makes it less likely he's lying. It could be possible Microsoft France has a "rogue" employee system where a key person only obeys Microsoft US orders rather than his French boss and French law. Then the boss can swear to the Senate that they're complying.

This is exactly the system the US Congress accused TikTok of having set up.

hyghjiyhu · a month ago
If the data center is operated by a "trusted subsidiary" as the article mentions and everyone in key roles is a French citizen with no connection to the US then there is no one to give a gag order.

In practice the US HQ could mandate a security update that secretly uploads all data to the US but that's a whole other can of worms that I don't think anyone is ready to open.

MengerSponge · a month ago
> This is exactly the system the US Congress accused TikTok of having set up.

"Every accusation is a confession" remains undefeated

dathinab · a month ago
Until this happened MS was still going around trying to convince lawyers to use their Cloud and telling them that there is no issue.

Including certain contractual "standard"(1) agreements which would make some of their higher management _personally_ liable for undue data access even under the CLOUD Act from the US!!!

(1) As in standard agreements for providers which store lawyer data, including highly sensitive details about ongoing cases etc.

So you can't really trust MS anymore at all, even if personal liability (e.g. lying under oath) is at stake. And the max ceiling for the penalties for lying under oath seems less than what you can run into in the previously mentioned case...

You also have to look a bit closer at what it even means if "the French MS CEO swears they are complying": it means he doesn't know about non-compliance and did tell his employees to comply and hired someone to verify it, etc.

But the US doesn't need the French CEO to know, they just need to gain access to the French/EU server through US employees, which given that most of the infra software is written in the US and international admin teams for 24/7 support is really not that hard...

And even if you want to sue the French CEO after a breach/he (hypothetically) lied, he would just say he didn't because he also was lied to, leading to an endless goose chase, and "upsi", by now the French CEO somehow is living in the US.

And that is if you ever learn about it happening, but thanks to the US having pretty bad gag orders/secret court stuff the chance for that is very low.

So from my POV it looks like MS has been knowingly and systematically lying to and deceiving customers, including those with highly sensitive data, and EU governments about how "safe" the data is, even if it led to personal legal liabilities of management.

And I seem to remember that AWS was giving similar guarantees they most likely can't hold, but I'm not fully sure. Idk about Google.

Oh and if you hope that the whole Sovereign Cloud thing will help, it won't. It's a huge make-pretend theater moving millions over millions into the hands of US cloud providers while not providing a realistic solution to the problem it is supposed to solve and neglecting local competition which actually could make a difference, smh.

throwawayffffas · a month ago
> This makes it less likely he's lying. It could be possible Microsoft France has a "rogue" employee system where a key person only obeys Microsoft US orders rather than his French boss and French law. Then the boss can swear to the Senate that they're complying.

It's also possible that US employees had access to French servers without anyone in France knowing.

jacquesm · a month ago
Less likely doesn't say much though. He may have simply weighed the chances of the French government ever finding out that he lied.

> It could be possible Microsoft France has a "rogue" employee system where a key person only obeys Microsoft US orders rather than his French boss and French law.

I would think that is not just a possibility, but a certainty.

jmyeet · a month ago
An inevitable consequence of this administration destroying US foreign influence and power at an unprecedented rate is that (IMHO) it is inevitable that the EU builds their own cloud and mandates its use for EU data. It is becoming a matter of national security.

The interesting thing is that the US is acting in the exact way that they accuse China of acting. Companies like Huawei are forbidden from installing telecom infrastructure for "national security" reasons [1]. One of the justifications for first banning then forcing a sale of TikTok was because of possible Chinese government interference. It's only a matter of time before the EU and China start making the same determination against US tech giants (e.g. Meta executive brags about silencing dissent [2]).

This administration really is killing the golden goose.

[1]: https://www.reuters.com/business/media-telecom/us-fcc-bans-e...

[2]: https://www.youtube.com/watch?v=7eO8byuv6PE

TiredOfLife · a month ago
Huawei is itself fully to blame. They knowingly supplied equipment to Iran.
zrn900 · a month ago
Yeaah! God forbid anyone trades with those whom the US targets. But the US sending 70% of the bombs Israel used to murder children is okay though...
spongebobstoes · a month ago
I don't think that YouTube video is a good supporting piece for your point. The spokesperson says they don't want to propagate harmful stereotypes. "brag about silencing dissent" seems like a strawman interpretation

A better faith interpretation is that people are free to criticize Israel and Zionism on Meta, just not using racist tropes.

jmyeet · a month ago
Oh if that were only true. It's been made apparent in the last 2 years in particular that fighting antisemitism from the perspective of the ADL and figures like Jordana Cutler (who previously worked for the Israeli Prime Minister's Office) simply means silencing criticism of Israel, even when that means siding with actual antisemites (up to and including neo-Nazis and outright Nazis). Examples:

- Ben Shapiro excuses antisemitic remarks by Ann Coulter because she's pro-Israel [1];

- ADL defends Elon Musk for making the Nazi salute (twice) on stage [2]

- We brutalized people with the police for organizing peaceful protests to say "maybe we shouldn't bomb children" or to get their respective universities to divest their endowments from the state doing the bombing;

- We went so far as trying to deport legal permanent residents for organizing said peaceful protests (ie Mahmoud Khalil); and

- The IHRA definition of antisemitism includes criticisms of the state of Israel.

[1]: https://x.com/benshapiro/status/644505141299671041

[2]: https://www.aljazeera.com/news/2025/1/22/adl-faces-backlash-...

Yeul · a month ago
Some of us remember Americans going ape shit over that Kirk guy lmao.
josephh · a month ago
But then who can? No global cloud providers, including Hetzner and OVH, are free from CLOUD act because they have US presence[1].

1. https://us.ovhcloud.com/legal/faqs/cloud-act/

Sayrus · a month ago
OVHCloud US is a different company from the rest of the world.

https://blog.ovhcloud.com/cloud-data-act/

formerly_proven · a month ago
The separation is even in the URLs, all the locales are using paths, except the US, which lives under us.ovhcloud.com. All locales use a customer console hosted at ovh.com, except the US, which has it under us.ovhcloud.com.
josephh · a month ago
You can't just spin up an LLC and call it a separate company. OVHCloud is still OVHCloud US' subsidiary company.

From the FAQ page I linked:

> In accordance with our Privacy Policy, OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, that could include data stored outside of the United States. OVHcloud will consider the availability of legal mechanisms to quash or modify requests as permitted by the CLOUD Act.

timeon · a month ago
Who? You can use Hetzner and OVH proper instead of US subsidiaries. Using AWS/Azure/GC in Europe these days is pretty risky for more than one reason.
segfaultex · a month ago
I think we'll see a lot of companies moving away from public cloud providers in the future, but I don't think it'll be because of any privacy-related concerns.

It rarely makes economic sense to deploy workloads onto the public cloud unless you have critical uptime requirements or need massive elasticity.

AlanYx · a month ago
FISA and the Stored Communications Act as modified by the CLOUD Act don't distinguish between (i) parent company overseas + US subsidiary and (ii) parent company in US + foreign subsidiary. In both instances the US asserts personal jurisdiction, extending to wherever the data is stored geographically.
jeffrallen · a month ago
Exoscale is a European cloud provider with no exposure to the CLOUD Act.

(I work there.)

immibis · a month ago
Possibly only their US subsidiaries though?
dboreham · a month ago
I'm guessing: Russia?

emodendroket · a month ago
A bit of a "hoist by their own petard" situation since the US has been raising this specter about Chinese tech for quite some time.
jacquesm · a month ago
Yes. For Europe there isn't a real alternative other than to painstakingly re-grow our independence. That will take a long time.
Havoc · a month ago
The whole concept of big cloud somehow setting up sovereign clouds in Europe seems incredibly naive to me.

Every AWS employee knows where his bread is buttered - Seattle not Brussels

mk89 · a month ago
Apparently someone buys it, otherwise AWS would not invest 8+ billions in Germany: https://www.aboutamazon.eu/news/aws/aws-plans-to-invest-7-8-...

"If it's certified, it must be good".

Havoc · a month ago
They buy it because it's enough to tick the corporate compliance box. Decisions made by people that don't actually give a F
Yeul · a month ago
Yep when the CIA calls every American salutes and follows orders.
pqtyw · a month ago
Well no, but Bezos, Zuckerberg and Tim Apple will come grovelling when they are called... that's all it takes.

If you do something that the EU doesn't like, its response will be relatively rational and proportional. While the US government is currently run by unpredictable and volatile people. So risk/reward wise it's rather obvious whose orders they will be following.

rdtsc · a month ago
Yup. I always thought it was a way just to get business in EU. Do some performative dance of "hey, look! a separate DC building with EU employees only" and then hope nobody would ask too many questions.

Then the next level is regulators in EU also have to care and can't just say "ok, you have a separate DC building with EU employees only. Good. My job is done, I checked" and move on.

penguin_booze · a month ago
> U.S. companies can be forced to hand over data, regardless of where it is stored

s/U.S./Chinese/

Tomato <=> Tomato

varispeed · a month ago
Governments are not exempt from Cloud Act and US providers can be under gag order, so from EU or UK government perspective, they will never know if data has been accessed by 3rd country and what happened to it.

This is actually amazing that all the tenders have not been rejected under national security grounds or simply security services (yet again) have not done the job tax payers pay them to do.

immibis · a month ago
> they will never know if data has been accessed by 3rd country and what happened to it.

They should have arranged to get a 100 euro refund every time it happens, or 440 euros if the UK does it.