Before the French Senate, Microsoft France's chief legal counsel admitted the company cannot guarantee that European authorities' data is safe from the U.S. government. The reason is the U.S. CLOUD Act — and it hits your code harder than your files.
A Senate Hearing, an Honest Answer
Before the French Senate, Anton Carniaux, chief legal counsel of Microsoft France, was asked a simple question: can Microsoft guarantee that French authorities' data will never be handed to the U.S. government? His answer was just as simple — and uncomfortable: no, Microsoft cannot guarantee that.
This isn't negligence or a legal slip. It's an honest description of a legal reality. The U.S. CLOUD Act compels companies headquartered in the United States to hand data to U.S. law enforcement — regardless of where that data is physically stored. Whether a server sits in Frankfurt, Paris, or Amsterdam changes nothing. What matters is not the location of the data center, but the nationality of whoever operates it.
That leaves a U.S. provider permanently caught between two legal orders. The GDPR requires a legal basis for any disclosure of personal data. The CLOUD Act requires disclosure — if necessary without the affected customer ever knowing. A company subject to both at once cannot satisfy both at once.
Klingt interessant?
This Is Not a New Pattern
Anyone who's followed the past few years knows the line. The Austrian and French data protection authorities have already ruled that the use of Google Analytics violates the GDPR — precisely because personal data is transferred to the U.S. and exposed there to access by U.S. authorities. So the problem isn't hypothetical. It has been formally established by regulators.
The Senate hearing simply adds one more, especially stark, piece to the picture: this time the admission comes from the provider itself. Not a critic, not a watchdog, but the chief legal counsel of the very company operating the infrastructure. When the operator concedes under oath that it cannot guarantee the sovereignty of your data, the question is settled — no matter what the product page says.
"Our data sits in an EU data center" sounds reassuring. But it is not the same as data sovereignty if the operator is a U.S.-controlled company. Location is a property of the disk. Sovereignty is a property of the legal order the operator answers to.
Why This Is Sharper for AI Software Development
With static data the situation is unpleasant but contained: it's about a database, a table, a backup. With agent-based software development, the question shifts fundamentally.
This is no longer just about where your data sits. It's about where your code is created, where your agents run, and where your model calls are processed — and who can be compelled to expose all of it.
An AI agent building your software inevitably sees more than any database ever does: your repository, your architecture, your business logic, your security mechanisms, your unreleased features. Every prompt, every tool call, every intermediate state is a data point. If that processing happens on the infrastructure of a U.S.-controlled operator, all of it potentially falls into the same scope Microsoft's chief legal counsel just described.
Put differently: with the CLOUD Act and static data, the exposure is your archive. With AI-assisted development, the exposure is the workbench where your software is built in the first place — and the full context an agent processes while doing it.
What This Means for CTOs and Tech Leads
Three consequences I think are worth taking seriously:
First: data sovereignty is a property of the operator, not the location. The first question in any procurement shouldn't be "where is the server?" but "which legal order does the operator answer to?" A U.S. corporation with an EU data center answers the second question wrong, no matter how the first one comes out.
Second: with AI development, the attack surface grows. Offloading model calls and agent runs to a U.S.-controlled service exposes not a single data object but the entire process by which your software comes into being. That's a different class of risk — and it can't be configured away with an encryption checkbox.
Third: contractual assurances don't solve a legal problem. No data processing agreement, however good, overrides the CLOUD Act. If the company itself says it cannot guarantee this, then no SLA can guarantee it either. Sovereignty has to be structural, not promised.
This Is Exactly Where nopex Comes In
The Senate hearing confirms what we've been saying for a long time: an EU data center is a necessary but not a sufficient condition. As long as the operator is U.S.-controlled, data sovereignty remains a promise its own chief legal counsel cannot keep.
nopex is built for exactly this. We run agent-based software development on European infrastructure that sits outside the reach of U.S. operators — the decisive difference isn't just the location, but who controls the infrastructure. On top of that comes provider-agnostic model routing: open models where possible, proprietary frontier models where they add value, but without hard dependence on a single, U.S.-controlled vendor.
The point is this: with us, sovereignty is structural, not a checkbox in a spreadsheet. Your code, your agents, and your model calls run where no foreign legal order can compel their disclosure on demand. What Microsoft's chief legal counsel admitted before the Senate is exactly the question you shouldn't have to ask about your development platform.


