Microsoft CEO Satya Nadella is putting the best foot forward possible in an impossible situation. Microsoft is investing significant effort and resources into “private” and “sovereign” service offerings and curation to reassure EU customers that their data will be secure. In a recent LinkedIn post, Satya announced new sovereign offerings that he says reflect Microsoft’s commitment to giving customers choice, control, and security.

There is no reason to doubt the authenticity of Nadella's and Microsoft's commercial and internal motivations. After all, the EU is a vast market, and every business wants to please customers and meet their needs. But there’s just one problem.
It’s a promise that Microsoft can’t keep. And neither can any of the other big tech companies.
This is not necessarily Microsoft or any other company’s fault. But it’s still reality.
The reason is quite simple: U.S. surveillance laws and control over its tech sector are ironclad. Nothing Microsoft or any big tech company can announce or promise will change that fact.
The State of the U.S. Surveillance State
U.S. surveillance laws - including the Foreign Intelligence Surveillance Act (FISA), the CLOUD Act, and Executive Order 12333 - create sweeping obligations for American tech companies, regardless of where their infrastructure or customers are located. These laws enable U.S. authorities to compel access to data, even when that data is stored outside the United States or belongs to non-U.S. persons.
FISA Section 702 allows U.S. intelligence agencies to conduct warrantless surveillance on foreign individuals using U.S. electronic communication services. Critically, this law applies to any company "subject to U.S. jurisdiction," which includes all U.S.-headquartered firms and their global subsidiaries. It requires compliance in secret, often via gag orders.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) expands this reach further by explicitly granting U.S. law enforcement the right to demand data stored abroad by U.S. companies, even in conflict with foreign privacy laws.
Executive Order 12333 introduces another layer, permitting the bulk collection of communications data intercepted overseas without judicial oversight, which poses risks, especially when U.S. companies operate under opaque legal obligations and face national security demands.
These U.S. laws supersede any local protections provided by the EU's General Data Protection Regulation (GDPR) regarding actual control over access. Even in cases where EU entities host their data on “EU-based infrastructure” provided by U.S. companies like Microsoft, Google, or Amazon, the underlying jurisdictional authority remains American. That means European customers are exposed to foreign surveillance regimes they cannot audit or control.
In short, legal jurisdiction, not physical data location, determines access and control. This reality renders it impossible for U.S. tech firms to provide genuine digital sovereignty to EU organizations, despite marketing claims about "sovereign" or "European" cloud offerings.
Closed Source + Surveillance Laws = Big Risks
In general, big tech software is closed source, with no transparency about what’s happening under the hood. By law, the U.S. government could demand backdoors into any software to harvest encryption keys, customer data, and metadata. And no customer would ever know, since the demand would need to be kept secret.
There is real evidence that this type of intrusion is already happening, even more than before. The red flag for many EU governments and enterprises was raised when Microsoft, under U.S. government pressure, blocked access to its services for the chief prosecutor of the International Criminal Court due to U.S. government sanctions. This sort of arbitrary denial of service is absolutely in conflict with GDPR.
A New Geopolitical Landscape Requires Serious Reevaluation
In the past, despite the fact that U.S. surveillance laws were able to override any political agreements to attempt adherence with EU data privacy frameworks, EU organizations and governments were willing to exercise trust because there was at least a spirit of cooperation as close allies. However, the geopolitical landscape has changed dramatically.
The U.S. administration’s effective dismantling of the Privacy and Civil Liberties Oversight Board (PCLOB) has significant implications for EU organizations concerned with data privacy and transatlantic trust. Originally established to provide independent oversight of U.S. surveillance activities, the PCLOB was a key mechanism cited in EU-U.S. data transfer agreements - like the now-defunct Privacy Shield - as a safeguard ensuring proportionality and redress.
Without a functioning PCLOB, there is no credible independent body reviewing U.S. surveillance practices or ensuring that they align with privacy principles comparable to GDPR. This undermines the core claim that U.S. surveillance is subject to checks and balances and weakens assurances in frameworks like the Data Privacy Framework (DPF), which already faces legal scrutiny in the EU.
For European organizations, this means significant legal and reputational risk when transferring or entrusting data to U.S.-based service providers, especially those subject to laws like FISA and the CLOUD Act.
Out with Magical Thinking. In with EU Sovereign Solutions.
U.S. tech giants’ claims about delivering sovereign solutions to the EU are magical. Believing in them means indulging in magical thinking. But neither Microsoft nor any other U.S. tech company possesses a magical “get out of surveillance” card.
Trust cannot be founded on marketing declarations, or gauzy feelings over what used to be. It requires demonstrable legal, institutional, and technical accountability.
EU governments and enterprises must insist on a higher standard: legally binding, non-overridable compliance with EU data privacy laws. Anything less means yielding sovereignty, not protecting it.
In practice, this means choosing EU technology providers that operate under EU privacy laws. It also means favoring EU tech companies that offer open source transparency, so organizations can trust as well as verify.
The good news is that there are credible, strong EU technology solutions available across the spectrum of applications and use cases.