Microsoft has admitted that it can't protect EU data from U.S. snooping.

In sworn testimony before a French Senate inquiry into the role of public procurement in promoting digital sovereignty, Anton Carniaux, Microsoft France's director of public and legal affairs, was asked whether he could guarantee that French citizen data would never be transmitted to U.S. authorities without explicit French authorization. And, he replied, "No, I cannot guarantee it."

He said that the company resisted requests from the US authorities "when they are not well-founded", but that under the U.S. Cloud Act, U.S. companies can be forced to hand over data, regardless of where it is stored.

Carniaux did say that the situation had never arisen. However, the admission raises serious concerns around European data sovereignty.

“Microsoft has openly admitted what many have long known: under laws like the Cloud Act, US authorities can compel access to data held by American cloud providers, regardless of where that data physically resides. UK or EU servers make no difference when jurisdiction lies elsewhere, and local subsidiaries or ‘trusted’ partnerships don’t change that reality," commented Mark Boost, CEO of cloud provider Civo.

“This is more than a technicality. It is a real-world issue that can impact national security, personal privacy and business competitiveness."

The inquiry centers around Project Bleu - a partnership between Microsoft, Orange and Capgemini. There were concerns about the Health Data Hub medical research platform, which is hosted on Microsoft Azure. Senate members said they couldn't be sure that the two platforms were sufficiently separated, and that sensitive health data wouldn't be shared.

Carniaux's admission will increase concerns that the EU can't afford to be reliant on the big U.S. cloud providers such as Microsoft and AWS - even when they claim to be offering sovereign cloud services.

“The French Senate has set a precedent by demanding answers, and the UK and Europe have an opportunity to do the same," said Boost. "We’re already seeing a shift towards building homegrown solutions that support true data sovereignty rather than data residency."

However, a recent European Parliament report found that U.S. firms account for 69% of the cloud infrastructure market share in Europe, while EU suppliers hold only 13%.