On June 10, 2025, France’s Senate held a hearing examining how public-sector technology procurement impacts data sovereignty. Microsoft France’s Director of Public and Legal Affairs, Anton Carniaux, was invited to testify. During questioning, senators asked him directly: could Microsoft guarantee that data belonging to French citizens would never be transferred to U.S. authorities without approval from French regulators?
Carniaux admitted he could not make such a promise. He explained that if the U.S. government submitted a valid legal request, Microsoft would be obligated to comply—even if that conflicted with French or European Union data protection laws.
The CLOUD Act’s Global Reach
This admission centers on the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), a U.S. law passed in 2018. The act requires American companies to provide data requested by U.S. authorities, no matter where the data is stored. For companies like Microsoft, Amazon, or Google, this means information housed on servers in Europe or Canada can still be accessed under American jurisdiction.
Even though France and the EU enforce some of the strictest privacy protections worldwide, Carniaux’s testimony underscored that those safeguards can be overridden by U.S. law.
Implications for Canada
The issue extends far beyond Europe. Canada, for instance, formally defines data sovereignty as “Canada’s right to control access to and disclosure of its digital information subject only to Canadian laws.”
Yet Microsoft’s statement suggests that Canadian citizens’ information—whether stored on local servers or abroad—could still be handed over to U.S. authorities if demanded. This undermines Canada’s long-standing efforts to shield domestic data from foreign intrusion and calls into question the effectiveness of its existing policies.
The Limits of Data Residency Rules
Like many countries, Canada has introduced data residency requirements, ensuring that certain sensitive information is stored domestically. For years, this was seen as a strong safeguard against foreign access.
However, Microsoft’s testimony revealed a crucial flaw: residency does not equal sovereignty. If servers are owned by a U.S. company, their contents remain subject to U.S. legal demands, regardless of physical location.
Microsoft’s Legal Processes
Microsoft has emphasized that it has strict legal procedures to challenge any request it considers unlawful or unconstitutional. But critics say this amounts to asking countries to trust Microsoft’s discretion, rather than relying on their own national legal frameworks.
For governments like France and Canada, this raises pressing questions about who truly controls critical data—the sovereign nation where it resides or the foreign company managing it.
A National Security Concern
The stakes are particularly high in sectors like defense. Canada’s Department of National Defence (DND) and the Canadian Armed Forces (CAF) rely heavily on Microsoft 365 for communication and collaboration through their tailored cloud system, Defence 365.
In theory, data exchanged through these platforms could be accessed under a U.S. legal order. While Canada might object, Microsoft, as an American company, would be legally compelled to comply.
Politicized Requests and Transparency Gaps
The concern is not only about compliance but also about how such requests might be used. Critics note that U.S. administrations, past and present, have sometimes pursued foreign and economic policies on shaky grounds. This raises fears that data requests may not always be based on clear security needs.
Compounding the problem, affected governments or individuals might never know their data was accessed. Unless the U.S. government or Microsoft discloses it, Canada—or any other country—could remain entirely in the dark.
Encryption as a Defense
For highly sensitive systems, encryption offers some protection. Canada requires encryption for military and most government data, meaning even if Microsoft turned information over, it would be unreadable without decryption.
Yet encryption is not a perfect shield. The U.S. government has a history of attempting to weaken or bypass encryption standards. Strong security can make unauthorized access extremely difficult but not entirely impossible.
Difficult Choices for Nations
Microsoft’s testimony highlights a hard reality: nations that rely heavily on American technology cannot fully protect their data from U.S. jurisdiction. The only surefire solutions would be to adopt non-U.S. technology providers or disconnect critical systems from the global internet.
For countries like Canada and France, both deeply reliant on U.S.-based infrastructure, such moves would be expensive and disruptive. But continuing as is means ceding a degree of sovereignty over sensitive information.
