Is 2026 the year of European Data Sovereignty?

I won’t bury the answer - probably not, but it should be.

If it isn’t already, data sovereignty should be moving up your priorities list. The issue is linked with security, data protection, and even the ability for your organisation to work at all. Sounds hyperbolic, I know, but the risks are there.

In short, if you are using one of the large US hyperscalers for cloud services, meaning Google, AWS, Microsoft, Oracle, and so on, then you are at risk. Not because of any failure on their part, simply because of the legal position in the US.

The US CLOUD Act requires US companies to produce, on receipt of a warrant or subpoena, data that they hold, regardless of where in the world it is held. This means that even if your organisation has very carefully made sure its data is physically stored in the EU, it can be accessed. And these requests from the US government usually come with gag orders attached, meaning you would never know your data had been accessed.

Microsoft, among others, has said that they will set up European arms to protect against this, but it simply doesn’t work - the parent company can still be compelled to reveal the data.

Even worse, there is currently a risk that even European companies could have to hand over data held in Europe to governments elsewhere! This time the risk is coming from Canada, where a court has confirmed a Production Order from the Royal Canadian Mounted Police issued in October 2024 against OVHcloud - a French cloud provider. It demands the release of information related to four accounts, even though all information is held in France, by the parent company, and not the Canadian subsidiary which is the target of the order.

OVHcloud is in the unenviable position of facing contempt of court punishments in Canada, and, thanks to a French law prohibiting the transfer of data outside of agreed treaties, fines of 90,000 euros and 6 months' imprisonment in France.

This is, frankly, a real pickle. US hyperscalers massively dominate the market, and often have significant network effects going in their favour as well - think the tight integration of Teams into Microsoft’s offerings. But use of these platforms for personal data could very well be incompatible with European data protection laws, let alone any possible government or enterprise risks.

I’ll go into more detail on these risks in future posts, and look at possible mitigations or solutions. For now, I’ll simply suggest you think about where your data is stored, and how secure it is not only from criminal action, but also from legal action.

  1. https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/

  2. https://www.theregister.com/2025/11/27/canada_court_ovh/
