The Data War Just Got Personal

The CyberDiplomat

5 min read
Share
The Data War Just Got Personal
Microsoft is accused of handing Dutch regulators' emails to the US government. It's not just a privacy scandal — it's the latest episode in a decade-long battle for who controls Europe's digital future.

The Dutch civil servants in question were not browsing the web on company time. They were building the legal architecture of Europe's digital future — drafting rules, exchanging minutes, coordinating enforcement under the Digital Services Act. And according to local media reports, Microsoft quietly passed their names and communications — unredacted — to the US House of Representatives.

If confirmed, this is not a data breach in the conventional sense. There was no hacker, no vulnerability. The data moved through entirely legal channels: the US Cloud Act, which compels American technology companies to surrender data to US law enforcement regardless of where that data is stored or who it belongs to.

That is precisely what makes this so significant.

2 - Dutch agencies affected — ACM and AP

5 - Europeans issued US visa bans for creating EU digital laws

€0 - Redactions applied to leaked civil servant names

The Old Battle, New Frontline

Europe and the American technology giants have been circling each other for the better part of a decade. What began as a competition dispute — the EU fining Google, Meta, and Apple for anti-competitive behaviour — evolved into something more fundamental: a philosophical argument about who gets to set rules on the internet, and whether those rules constitute unfair trade barriers or legitimate democratic governance.

The Digital Services Act and the Digital Markets Act represent Europe's most ambitious answer to that question. They impose transparency obligations, restrict algorithmic amplification of illegal content, and require large platforms to open up their data to independent researchers. Major US companies — X, Meta, Google, Amazon — have faced substantial fines under these frameworks. The US government's response has been to characterize the regulations themselves as an attack on American companies and American values.

"The US issued visa bans for five Europeans involved in creating EU digital laws — a move virtually without precedent in relations between democratic allies."

The Microsoft accusation lands in that context. The civil servants whose data was allegedly shared are not random individuals — they work for the Authority for Consumers and Markets and the Dutch Data Protection Authority, the very agencies tasked with implementing and enforcing the DSA. If the US government was seeking intelligence on European regulatory strategy, it would be hard to find a more targeted source.

A pattern, not an incident

It is tempting to treat this as an isolated technical failure. It is not. Consider the recent record:

2026 - Dutch civil servant data leaked to US Congress

Emails, minutes, and invitations from ACM and AP staff — working on DSA implementation — reportedly shared unredacted with the US House of Representatives via Microsoft services.

2026 - ICC prosecutor's email blocked by Microsoft

After US sanctions targeted ICC Chief Prosecutor Karim Khan, Microsoft reportedly blocked his email access. Microsoft denied the allegations; the ICC subsequently migrated to European alternative openDesk.

2025 - US visa bans for EU digital law architects

Five European officials involved in drafting the DSA were barred from the United States, framed as retaliation for "coercing American platforms to punish American viewpoints."

2024–25 - X, Meta, Google, Amazon fined under DSA

Major US platforms received significant penalties under the Digital Services Act, prompting the US government to escalate political pressure on EU regulators.

Ongoing - France, Germany, and Switzerland exit Microsoft

Multiple European governments began replacing Microsoft productivity software with open-source European alternatives, citing Cloud Act exposure as an unacceptable sovereignty risk.

The Cloud Act — formally the Clarifying Lawful Overseas Use of Data Act, passed by the US in 2018 — is the quiet engine behind much of this tension. It gives US authorities the power to compel American companies to produce data stored anywhere in the world, regardless of the local laws of the country where that data sits.

European data protection law, including GDPR, says the opposite: personal data belonging to EU residents is subject to EU law and cannot be transferred without adequate protections. These two frameworks are not merely in tension — they are structurally incompatible. Any European institution that uses American cloud infrastructure is, by definition, operating inside a legal contradiction.

THE EU'S REGULATORY ARSENAL — WHAT'S AT STAKE

DSA — Digital Services Act

Governs illegal content removal, algorithmic transparency, and researcher data access for large platforms. The direct target of US political pushback.

DMA — Digital Markets Act

Restricts anti-competitive behaviour by designated "gatekeepers." Apple, Google, Meta, and Amazon are all in scope.

GDPR

Sets baseline data rights for EU residents. Structurally incompatible with the US Cloud Act's extraterritorial reach.

EU AI Act

The world's first binding AI regulation, classifying systems by risk and imposing mandatory obligations on high-risk applications.

The sovereignty reckoning

Dutch State Secretary Willemijn Aerdts has said she raised the Microsoft allegations directly with the US Ambassador. That is a diplomatic response. But diplomacy does not change the underlying architecture: as long as European governments run their operations on American infrastructure, they are structurally exposed to American law.

This is why the migration away from Microsoft in France, Germany, and Switzerland is not merely a procurement decision — it is a structural one. It is Europe quietly acknowledging that the legal protections it has spent years building are only as strong as the technology stack they run on.

"Europe has built the world's most sophisticated digital rights framework. Then it ran it on American servers."

The ICC's move to openDesk after the email-blocking incident illustrates the same logic. Once trust in a platform's neutrality is broken — regardless of whether the allegation is proven — the practical response is substitution. Every institution that makes that move marginally reduces the leverage that the Cloud Act confers.

What comes next

Three things will determine whether this moment produces structural change or fades into the news cycle.

First, the investigation. The Netherlands' Data Protection Authority is one of Europe's more assertive regulators. If it pursues a formal investigation and finds a GDPR violation, the resulting fine and precedent could force Microsoft — and by extension every US cloud provider — to confront the Cloud Act conflict explicitly rather than manage it quietly.

Second, the procurement signal. If European institutions — starting with the regulatory agencies whose staff were affected — begin migrating to European alternatives at scale, it sends a market signal that cannot be ignored. Sovereignty is ultimately an economic decision as much as a legal one.

Third, the transatlantic relationship. The US-EU Data Privacy Framework, the successor to Privacy Shield, was designed to bridge the Cloud Act gap. If the political environment continues to deteriorate — visa bans for regulators, accusations that digital laws are protectionism — the legal foundation for data transfers becomes increasingly fragile.

EUROPEAN ALTERNATIVES GAINING TRACTION

A growing ecosystem of European-built alternatives is emerging as governments reassess their infrastructure dependencies.

The battle between the EU and American technology giants was always about more than fines. It was about whether democratic institutions retain the capacity to govern the technologies that increasingly mediate economic and civic life — or whether those technologies, and the legal systems that govern them, belong to whoever built the servers.

The Microsoft allegations, if proven, are a stark answer to that question. Europe built the world's most sophisticated digital rights framework. Then it ran it on American servers. The reckoning that follows will be less about one company's conduct and more about whether that structural dependency can be unwound — and how quickly.

Sources: NL Times · Dutch State Secretary for Digital Economy · European Commission DSA enforcement record · US Cloud Act (2018) · US Department of State visa ban announcements · ICC statement on openDesk migration

Read more