"Sovereign cloud" or "sovereign washing"? A Trojan Horse at Europe's digital gates.

AWS, Microsoft, Google - they all launched "sovereign clouds" recently. But the truth is, all US companies are subject to US data sharing legislation. Let's explore whether it's safe to use US clouds or whether it's just "sovereign washing".


Europe’s ambition for digital sovereignty is more urgent than ever. But instead of backing truly European, privacy-first services, many European businesses and even EU and local authorities still rely on US tech, and might consider the brand-new and shiny "sovereign cloud" offerings as a useful solution. But what if the "sovereign cloud" is less secure than US companies want us to believe? Let's take a deep dive into the "Microsoft Sovereign Cloud", the "Sovereign Cloud from Google", and the advertised "European Digital Sovereignty from Amazon Web Services" and whether it's safe to use these as a European authority or business.


“Sovereign washing”: the fairytale of US Big Tech

In recent months, all major US tech companies have launched “sovereign clouds”, be it “Microsoft Sovereign Cloud”, the “Sovereign Cloud from Google”, or “European Digital Sovereignty from Amazon Web Services” - they all promise EU organizations to protect their data and to adhere to high European data protection standards.

Their message sounds really convincing: “We’ll store your data in Europe, we’ll follow your rules, and we’ll bring jobs and infrastructure.” But when it sounds too good to be true, it usually is. In fact, the “sovereign cloud” is nothing else but a Trojan Horse - while it looks good on the outside, it’s aimed at making EU businesses and authorities trust US services with their data.

But the truth is: this is not sovereignty. This is marketing. This is sovereign washing.

Illusion of digital sovereignty

Let’s start with the obvious: Just because your data is stored in Europe doesn’t mean it’s protected by European laws. US cloud providers, even when operating out of European datacenters, are subject to US jurisdiction — especially through laws like the CLOUD Act and FISA 702.

This means that under US law, companies like Microsoft, Amazon, and Google can be compelled to provide US authorities with access to data of European companies and authorities even if the data is stored within the EU and outside of the United States.

Yes, they might build a separate European legal entity, or partner with a local company for supposed “sovereignty”. But as long as the technology, source code, service updates, or control mechanisms remain in American hands, Europe has no true sovereignty over its data or its digital infrastructure.

There have been many attempts to enable EU organizations to use US cloud offerings in a legally compliant way, but because of US surveillance laws, none of these attempts have been successful to date. For instance, the Schrems II ruling of the European Court of Justice struck down the Privacy Shield agreement between the US and the EU precisely because US surveillance laws are incompatible with EU data protection rights guaranteed by the European GDPR. The “sovereign cloud offerings” are just another attempt to legalize US clouds in the EU.

But whenever personal data is - or could be - transferred to a third country like the United States, an adequate level of protection must be ensured. From an EU perspective, this is problematic because of the CLOUD Act and certain political risks, both of which undermine the required level of data protection.

Even the European Commission fears that its use of Microsoft is in breach of EU data protection laws. The Commission is now looking at European cloud providers to replace Microsoft Azure.

The promised control by US cloud providers is a dangerous illusion.


Even the most robust technical safeguards offer no real protection. Whether through direct access or via compelled cooperation from partner companies, Microsoft, Google, and Amazon can be forced to hand out data of European businesses and authorities.

Microsoft’s “Data Guardian” may create the appearance of transparency, but once access has occurred, even the most tamper-proof logs are useless: They merely document an event, for instance the handing out of data to US authorities, that can’t be undone.

Microsoft - which has the most to lose in this European move for more digital sovereignty - is also making the boldest promises. One of them is that it would legally challenge American requests to hand out data. But what does this actually mean? In fact, it’s more symbolic than practical. These legal actions do not really prevent data from being handed over - because even while challenging a request, Microsoft first has to comply, so the data is already gone. The damage is already done. A legal challenge is in most cases absolutely pointless.

Sovereign washing

These supposedly sovereign solutions are not signs of technical independence but rather perfectly orchestrated communication strategies. They are designed to create trust where, in truth, no control exists. US companies do not offer real digital sovereignty; what they are doing here is just clever repackaging of an unresolved problem, and it’s very similar to privacy washing.

And the playbook for sovereign washing is exactly the same as the one behind the “privacy” claims of US tech companies:

  1. Market hard — Brand the American cloud as “European-compliant”.
  2. Build dependence — Make European companies and authorities dependent on their cloud offerings through integrations and closed-source code.
  3. Lobby hard — Flood Brussels with lobbying, influence, and outspend European competition in all lobbying efforts.
  4. Skip the taxes — Profits flow back to US headquarters and with tax optimization strategies in place, US companies pay very little tax in the EU.

It’s clever. But it’s not in Europe’s interest.

Location, location, location

What is true for home buyers is also true for digital sovereignty: it’s all about location.

While US cloud providers continue to dominate the European market, they cannot guarantee the promises they make about digital sovereignty. The US offerings might now wear a European flag on their sleeve, but the sovereignty label is nothing but a label: the companies offering these so-called “sovereign clouds” remain subject to US laws and surveillance powers - and this cannot be washed away. So, yes, the CLOUD Act and FISA 702 still apply, even if the server is in Frankfurt, Brussels, or Paris.

If Europe is serious about digital sovereignty, it must move beyond the illusion that such control is possible with US services. True sovereignty can only be built on infrastructure provided by European companies, not subject to US jurisdiction.

Sovereignty doesn’t come from shiny new product names such as these “sovereign clouds”. It comes from full legal and technical control. Everything else is nothing more than sovereign washing.

Make the right choice: Choose Europe.
