Microsoft 365 and GDPR: The Same Problem, Different Logo
If the CLOUD Act concern applies to Google, it applies equally to Microsoft. European businesses need to understand why.
A lot of the conversation about US cloud providers and GDPR focuses on Google. Microsoft tends to get a pass - partly because it's older, partly because it has a longer history in enterprise IT, and partly because Teams and Outlook feel more "serious" than Gmail and Meet. But the legal exposure is identical. Microsoft is an American company. The CLOUD Act applies.
Microsoft's EU Data Boundary: What It Is and What It Isn't
Microsoft announced its EU Data Boundary in 2021 and began rolling it out in phases in January 2023 - a commitment to store and process customer data for EU and EFTA commercial customers within the EU. This was a significant and meaningful commitment. It was also, legally speaking, not a solution to the CLOUD Act problem.
The EU Data Boundary addresses storage and processing location. It does not change Microsoft's corporate jurisdiction. Microsoft Corporation is incorporated in the United States. The CLOUD Act of 2018 amended the Stored Communications Act to make explicit that a provider subject to US jurisdiction must produce data in its "possession, custody, or control" regardless of whether that data is stored inside or outside the United States. A valid US order directed at Microsoft can therefore still compel the production of data stored on EU servers - because the obligation runs to the company, not the data centre. The Act's own comity mechanism, which lets a provider ask a court to quash an order that would violate foreign law, is available only where the foreign law belongs to a "qualifying foreign government" with an executive agreement with the US; the EU has no such agreement.
The "Sovereignty" Products and Their Limits
Microsoft has introduced "sovereign" cloud offerings - Microsoft Cloud for Sovereignty, and in some markets partnerships with local operators such as Bleu in France and Delos Cloud in Germany. These are genuine attempts to address the jurisdiction problem. They are also expensive, complex to implement, and not available to most small and medium-sized European businesses. Note, too, that Microsoft Cloud for Sovereignty is an Azure offering: it adds policy, logging and confidential-computing controls to Azure workloads, and does not cover Microsoft 365.
The standard Microsoft 365 subscription that most EU businesses use - Business Basic, Business Standard, Business Premium - does not include sovereign cloud features. It runs on standard Microsoft infrastructure, operated by Microsoft Corporation, under US corporate jurisdiction. The EU Data Boundary applies. The CLOUD Act also applies.
"Microsoft's EU Data Boundary is a genuine commitment to keeping data in Europe. It doesn't change who Microsoft is or what US law requires of them."
Where the Risk Concentrates
The CLOUD Act risk for Microsoft 365 users concentrates in the same places as for Google Workspace users - with one additional area specific to Microsoft's product mix:
- Teams communications. Microsoft Teams has become the primary communication channel for many European organisations. Every chat message, every meeting recording, every shared file in Teams is stored on Microsoft's infrastructure - chats in Exchange Online mailboxes, files and recordings in SharePoint and OneDrive. This is a significant concentration of sensitive internal communication in US-jurisdiction infrastructure, and it means a DPIA of Teams is really a DPIA of Exchange, SharePoint and OneDrive as well.
- SharePoint and OneDrive content. Document libraries, HR files, financial records - the same exposure as Google Drive, but often with more sensitive content because SharePoint is used for formal document management rather than casual file sharing.
- Exchange Online email. The same structural exposure as Gmail - stored on US-company infrastructure, potentially accessible under a CLOUD Act order.
- Microsoft Entra ID (formerly Azure Active Directory). Identity data - who your employees are, which systems and groups they can access, their sign-in and audit history, their registered devices - sits in Entra ID for most Microsoft 365 organisations. Sign-in logs alone are a rich record of personal data (IP addresses, locations, device identifiers, timestamps), and identity data is also the key to every other data set listed above.
The Public Sector Problem
European public-sector organisations - municipalities, hospitals, schools, government agencies - have begun to receive explicit guidance from national DPAs about US cloud dependencies. The series of DPIAs on Microsoft 365 commissioned by the Dutch Ministry of Justice and Security, published from 2018 onwards and updated several times since, identified specific high risks and required Microsoft to make contractual and technical changes. In November 2022 the conference of German data protection authorities (DSK) concluded that it could not establish that Microsoft 365 could be operated in compliance with the GDPR. The German state of Thuringia suspended Microsoft 365 in schools over data protection concerns, and Hesse's data protection authority issued similar guidance.
These aren't fringe positions. They reflect a mainstream regulatory view that is hardening, not softening. Public-sector organisations that have not conducted their own DPIA on Microsoft 365 are behind the curve.
Why Microsoft Gets Less Scrutiny Than Google
The regulatory focus on Google Analytics and Google Workspace has been sharper and more public than the equivalent focus on Microsoft. There are a few reasons for this. Google's advertising business model makes data use feel more visible and more threatening. Google Analytics is embedded in millions of websites, so every visitor to those sites is a data subject and a potential complainant - which is exactly how the post-Schrems II complaints against it were built. And Google has historically been less proactive about engaging with European regulators.
Microsoft's enterprise focus, its sovereign cloud investments, and its generally more cooperative posture with regulators have bought it more goodwill. But goodwill is not a legal defence. The structural CLOUD Act problem is identical for both companies.
"The question isn't which US cloud provider is nicer. It's whether US law applies to them. It applies to all of them."
What a Genuine Alternative Requires
The alternative to Microsoft 365 or Google Workspace that actually resolves the jurisdiction problem has to be European at the corporate level - not just at the server level. European incorporation. European ownership. European legal jurisdiction for all processing. No US parent company, no US sub-processors in the critical path.
InfoPeak meets those requirements. It's not a Microsoft or Google with European servers. It's a European company building European infrastructure for European businesses that need to operate without US jurisdiction exposure. The product is simpler than Microsoft 365 - deliberately so. It covers the core workflow: mail, documents, spreadsheets, storage. It doesn't try to replicate Teams or Azure or Power Platform. It solves the jurisdiction problem cleanly, for the use cases that actually matter.
The Conversation to Have With Your IT Department
Most IT departments chose Microsoft 365 because it was the safe, familiar, enterprise-standard choice. That reasoning made sense for years. The regulatory landscape has shifted. The question to ask now isn't "is Microsoft 365 good?" - it clearly is, as a product. The question is: "Have we conducted a Transfer Impact Assessment for the data we hold in Microsoft 365, and does our legal team stand behind the conclusion?" If the answer to either part is no, that's where the conversation needs to start.
The Inner Circle
Sign up for occasional insights on digital sovereignty and InfoPeak updates. No noise, no spam. Just pure value.
Claim your sovereignty.
You've explored the why. Now choose the plan that fits — encrypted mail, files, calendar and docs on EU infrastructure. 30 days free, no credit card.
See pricing