The Ruling and Why It Happened
In 2022, the Data Protection Authority of Baden-Württemberg issued a formal opinion concluding that Microsoft 365 violates GDPR Articles 44–49, which govern the transfer of personal data to countries outside the European Union. The DPA found that Microsoft systematically transmits diagnostic telemetry, usage metadata, and potentially document content to servers in the United States — where European data protection rules do not apply.
The conflict between European data protection law and US cloud providers has been building since at least 2013. EU courts struck down the Safe Harbor framework in 2015 (Schrems I), then struck down its replacement, Privacy Shield, in 2020 (Schrems II). Each time, the fundamental problem was the same: US surveillance law allows US intelligence agencies to compel American companies to disclose data about non-US persons without meaningful legal recourse.
The US CLOUD Act of 2018 made this compulsion explicit and extraterritorial. Under the CLOUD Act, US authorities can issue a warrant to any US company for data stored anywhere in the world. “EU servers” is a marketing distinction, not a legal one.
“The use of Microsoft 365 in its current form is not compatible with European data protection law.”
— Baden-Württemberg State Data Protection Authority, 2022
The Fundamental Problem with US Cloud Providers
Any company incorporated in the United States is subject to US law. The CLOUD Act means that US prosecutors and intelligence agencies can demand that US companies produce data from their custody — wherever it is physically stored, whoever it belongs to, and regardless of what foreign law might otherwise protect it.
Zero-Knowledge Is the Only Real Answer
The only way to use US cloud storage safely — under any legal framework — is to encrypt your data locally before it ever reaches the provider. If the provider only ever receives ciphertext, no government order can compel them to hand over plaintext that doesn’t exist.