EU Data Boundary fails to keep out US government agencies
As commendable as this proposal sounds, storage location was never the problem. Rather, US companies are required by the US Cloud Act to give their government and intelligence agencies access to customers’ data upon request, regardless of where exactly they host it. If companies refuse access, they are in violation of US law. So those promises from US companies fail to convince in the face of US legislation that is plainly incompatible with EU law.
The announcement of the “EU Data Boundary” program also gives the impression that Microsoft wants to position itself for the European Gaia-X cloud infrastructure program, all while admitting that it only wants to minimize, not stop, the transfer of user and customer data to the US. Oh, and this will not happen until the end of 2022. Yet after the demise of Privacy Shield, there is no legal basis whatsoever for even minimal transfers of sensitive data into the US. And even if the flow of data to the US were to dry up completely, in the end it always comes down to the same thing: US companies are subject to US legislation, whereas participation in Gaia-X requires each member to adhere completely to the European rules of the game.
Therefore, we ask the Gaia-X association to consistently and unwaveringly insist on compliance with EU law. One possible solution could be for US providers to participate in Gaia-X through a trustee model to effectively bypass US surveillance laws such as the Cloud Act, and thus provide the necessary data sovereignty.