On June 10th, Microsoft France was heard by the Senate inquiry commission on the effective costs and modalities of public procurement. The company's representatives, Anton Carniaux (legal director) and Pierre Lagarde (public sector technical director), attempted to reassure senators about their data protection policy. However, they admitted they cannot oppose an American injunction targeting data hosted in our country, a confirmation that undermines France's digital sovereignty.
The Cloud Act, enacted on March 23, 2018, under the Trump administration, allows American authorities to demand access to data held by companies under American jurisdiction, even if stored outside the United States: Microsoft, like any American company, must comply with it.
"If we are compelled, we provide the data"
During the hearing, Anton Carniaux was questioned by the rapporteur about the guarantee that French public administrations' data, managed via UGAP (Union des groupements d'achats publics) framework contracts, would never be transmitted to American authorities. He admitted that if a legitimate American judicial order is issued, Microsoft is legally required to provide this data.
However, he sought to nuance this by highlighting that no European company or public body had, to date, been affected by such a transmission since the implementation of transparency reports. These reports, published by Microsoft since 2013, detail government requests and legal challenges undertaken by the company when a request is deemed abusive or non-compliant.
After Microsoft's representatives, the commission heard several government officials, including Clara Chappaz, Minister Delegate for Digital Affairs, and Agnès Buzyn, former Minister of Health, regarding the Health Data Hub (HDH), hosted since its creation in 2019 on Microsoft Azure, despite the government's commitment to repatriate the data to a European platform by the end of 2022. The Ministry of Health and Prevention had then considered that there were no operational European alternative solutions.
The CNIL had expressed concerns about the risk of data transfer to the United States due to the Cloud Act. Several associations, health professionals, and researchers have, in turn, appealed to the Council of State, claiming that the operation of the Health Data Hub on Azure violated the GDPR. The latter, in its Article 48, explicitly prohibits the transfer of personal data to foreign authorities without a clear and consensual legal framework. Despite these reservations, the high court maintained the platform in operation, due to its role deemed essential in managing the health crisis.
Clara Chappaz recalled that the SREN law (Secure and Regulate the Digital Space), adopted in 2024, now mandates the hosting of sensitive data on infrastructures providing sovereignty guarantees. The HDH should therefore migrate to a SecNumCloud qualified cloud, effectively excluding those subject to the Cloud Act. A call for tenders was launched on July 1st for this repatriation.