36 comments

[ 2.4 ms ] story [ 56.1 ms ] thread
Seen here:

https://www-senat-fr.translate.goog/compte-rendu-commissions...

================================================================

Quoting the translation:

Mr. Dany Wattebled , rapporteur . - Mr. Carniaux, as Director of Public and Legal Affairs, you represent Microsoft France before public decision-makers. Can you guarantee before our committee, under oath, that the data of French citizens entrusted to Microsoft via UGAP will never be transmitted, following an injunction from the American government, without the explicit agreement of the French authorities?

Mr. Anton Carniaux . - No, I cannot guarantee that, but, again, it has never happened before.

================================================================

Original:

M. Dany Wattebled, rapporteur. - Monsieur Carniaux, en tant que directeur des affaires publiques et juridiques, vous représentez Microsoft France auprès des décideurs publics. Pouvez-vous garantir devant notre commission, sous serment, que les données des citoyens français confiées à Microsoft via l'Ugap ne seront jamais transmises, à la suite d'une injonction du gouvernement américain, sans l'accord explicite des autorités françaises ?

M. Anton Carniaux. - Non, je ne peux pas le garantir, mais, encore une fois, cela ne s'est encore jamais produit.

================================================================

Thread on Mastodon:

https://toot.cat/@devopscats/114879479938557566

Having worked for the French state and wrestled a few times with its IT services, I can tell you that the reason for choosing Microsoft isn't cost, or "efficiency".

It's that they only know Microsoft, they don't want to learn something else, and if there's a problem, it's Microsoft's fault, no theirs, so they don't have to deal with their own incompetence.

If you want an anecdote, we were working with SAS, a statistical software which required costly licences (more than a million € for a few dozens of workers). I suggested to switch to R or Python to the top director, who agreed.

First meeting with the service in charge, the chief opens with "ok, we are asked to change, but the goal here is to show that we tried, and found that it's not possible."

I resigned a few months after, as everything was in the same vein.

Switching from a working, integrated solution (SAS) to a untested collection of random scripts (R or Python??) is a horrendous idea, and I would be willing to bet that the people in charge of implementing this brilliant move saved the French state quite a bit of money by blocking it.

If they had started with the R or with Python, that would have likely been a better solution - but that doesn't mean that switching, especially just because some new employee convinced the director they'd save money with a half-baked idea, is not.

I work for a company whose entire business is basically replacing various dedicated internal tooling scripts with an integrated, extremely costly solution, and we mostly sell to other businesses. Most people who buy this are extremely happy to get rid of their kludge of scripts, and we very rarely feel pressure from such alternatives (our other B2B, also extremely expensive, competitors, are the main thing we get compared with).

Specialized software often works much better, and makes a lot of sense past some scale, than in-house solutions. Especially if there are no big geopolitical risks - which there aren't with SAS for the French government.

You may be underestimating the depth of scope of SAS. You can't just replace it with "a bunch of R and Python scripts".
Everything else aside moving to R and Python to escape the USA hegemony means you are still dependend on Python Software Foundation and R Fundation. First is American. Second is based in Vienna, Austria yet still has big American presence among its members. So you end up still dependending on USA. Same with most free and open source. Even if its authors may appear to be European, they may turn out to be Americans (Linus Torvalds) or work for US company anyway (Guido van Rossum)
(comment deleted)
There's simply no option for digital sovereignty other than cultivating a strong domestic software industry. As the source details, much of this exposure is being done with full understanding of the risks and costs.

The article also refers to some report claiming that European solutions are "wrongly judged to be too costly or inefficient". I'd be interested to read it if anyone has a translation. Even for something as basic as word processing software, every case I've seen so for the alternatives quickly lands on "you have to accept rough edges because that's the cost of data sovereignty" - much easier for a hobbyist or politician to say than an IT director charged with making sure your organization runs well.

Time[1] and time[2] again, the CJEU has ruled that the US stance of noncitizens having no standing on privacy issues is incompatible with EU law. Time[3] and time[4] again, the European Commission has negotiated a functionally identical agreement codified in executive orders and declared it “adequate” until the court could decide otherwise. Not even the Congress explicitly giving[5] the US government powers to compel (among others) EU subsidiaries of US multinationals, regardless of what EU law says, has changed the equation. Now there’s been a presidential election in the US that many in the EU are unhappy about. *Shocked Pikachu*

> [French MP Philippe] Latombe criticised the US-EU Data Privacy Framework (DPF) deal, saying it no longer served EU interests due to the US president’s “impulsive” nature.

Am I wrong to say that there’s something profoundly rotten in that statement with regards to the rule of law?

[1] https://en.wikipedia.org/wiki/Max_Schrems#Schrems_I

[2] https://en.wikipedia.org/wiki/Max_Schrems#Schrems_II

[3] https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield

[4] https://en.wikipedia.org/wiki/EU%E2%80%93US_Data_Privacy_Fra...

[5] https://en.wikipedia.org/wiki/CLOUD_Act

International law is not really a thing so ultimately this kind of debate between nations/supernational bodies where their positions are irreconcilable comes down to raw power.

Does either the US or the EU have any cards to play that will force the other to back down, or not?

I think we need a lot more accessible disclosure on the subject for the public. Even beyond government services, products exposing one to the US should come with a big fat warning.
It's always the same issue.

If you want to move away from <insert US tech giant>, you either need to embrace Linux and open source software which requires the state's employees to learn a new "stack" of applications which means they need to be given appropriate training or you need to have you home grown solutions that are as easy to use as their US counterparts and were developed within the EU by the EU's member countries with the EU's values embedded in them.

The first solution is not going to happen, as Linux is still relatively unknown all things considered and I don't see the French government employees learning how to use this OS and/or the applications running on it by themselves.

Secondly in times of budget cuts like in France currently, the government is not about to rip all the Microsoft products off and replace them with something that would take years to transition to and cost a fortune to implement.

So that leaves the homegrown solution. Unfortunately the work to move off of Microsoft et al should have started 10 years ago but it hasn't. Europe has completely dropped the ball on tech and now it's coming back to bit it in the ass.

The Draghi report from last year was supposed to kick things into gear but we will be lucky to see anything coming through within the next 5 years and by this stage the US tech giants will have entrenched themselves even more in the EU.

I am sorry to say but this is a failure that will resonate for the many decades to come.

This site has a heavy pro Russian bias, see for example https://brusselssignal.eu/2025/07/europe-still-has-the-power...

Turns out it was founded by an American, who was arrested on suspicion of bias-motivated crimes, second-degree assault and harassment after attacking a reporter in the USA but currently living in Hungary and running some media org there, with ties to the right wing Fidesz party. And he is on paper as being the founded of brusselssignal.eu

His organization received a big loan from an undisclosed source to set up the Brussels organisation and it seems to made up of or advised by a rag tag of European right wing politicians.

The whole thing stinks of Russian meddling in Europe.

Sources https://www.szabadeuropa.hu/a/szazhetvennegy-millios-kolcson...

https://www.companyweb.be/company/0793608171/free-pub/231068...

https://edition.cnn.com/2024/12/28/us/patrick-thomas-egan-ac...

These damn Russians wanting the EU to be digitally sovereign!!
Dunno about op's site, but the news itself comes from a french parliament hearing, has been discussed quite a bit on other news media, and from my experience, is being discussed by people here.
I many time heard here in Europe not to trust Chinese appliances as these devices do listen to us… is #USA any different?
I don't see enough talk about reducing the amount of data collected in the first place. Even if it's kept within one jurisdiction, it can still be the target of a breach by a local criminal, a foreign spy, or a new government agency... Cameras on every street, cellular antenas on every car, biometrics for everything... It may vary from country to country, but an expansion on citizen data collection (in one area or another) seems commonplace across most governments, and usually with zero opposition in "the real world". And unlike products or platforms that you can chose to not use, there's hardly any escape from those.
> I don't see enough talk about reducing the amount of data collected in the first place.

It's because the power's that be want all the data and none of the liability. The easiest way to comply with any privacy regulation is to not collect, store, or process any personal data. Just don't store or process data about humans and 99% of the problems go away.

But data is the new oil. And sometimes when you store or process oil there are leaks that spill everywhere, contaminate things, and even sometimes kill people. That's never stopped us from collecting, storing, or processing oil.

these seem like solved problems. in canada, many govt depts have procurement rules that state all data must be hosted nationally by a custodian subject to national or even provincial law, and this has been standard for decades. the firm I work for also doesn't use google or microsoft clouds for similar reasons.

the deeper problem is governments are not technology builders and cannot produce tech products because they have no unique ability to deliver anything anyone subject to them actually wants.

It's interesting that there at least starts to be two opposing camp in the executive (some people in French government start to push for more sovereignty, some EU governments too, some MEPs, etc...)

Of course the rest of the administrations are not there yet, there are contracts to abide to, habits, etc... But there is the start of a general recognition that overdependence on the US is a liability at some level.

Also, it would incredibly more feasible to move IT infrastructure back and have some reign on data, then it would be to recover from our overdependence on China in terms of... Well, in terms of everything physical.

Which means that the first milestone would be to host pour data on "sovereign" data centers... Using East-Asian made hardware.

One thing at a time, I guess ?

Honestly how hard can it be given Microsoft size (and AWS, and Google's) to mandate the intervention of a EU corporate entity to manage their IP in the region, full source code, EU cloud assets, encryption keys, EU-only support access, collect their royalties etc., but essentially act as a privacy buffer wholly unanswerable to any US head office or any obligations US law holds the company to wrt any EU person, its just a black hole that grants them the right to earn money and hold a large market share in the EU. The Chinese aren't afraid to do it.
Why would you need a corporate entity? Just hire folks to manage data in open source software on open hardware located in government premises.
The EU majorly screwed up by not focusing on a homegrown software ecosystem. The Chinese, due to either luck or competence or both, have a parallel big tech ecosystem compared to America and that is a huge advantage.
In the Chinese case, competence. Korea also has such an ecosystem - and is a much better example for the EU to look towards - but stems from more of a mix between competence and luck.
Most shamefully for the EU, even Russia, a much, much smaller and poorer country, has a full set of replacements for the US tech hegemony, at least on the software side.

However, we are all complicit in this state of affairs, with pushing dreams of a broderless internet. If the EU had tried to limit Facebook or Google access to the EU markets, or just favored some inferior EU alternatives, people on this very forum would have been up in arms about government overreach, balkanization of the Internet, and Brussels bureaucrats trying to stay relevant.

> The Chinese, due to either luck or competence or both

China banned foreign tech to allow for local tech to grow. The EU has tried to be in good relationship with the USA allowing big tech to dominate the old continent.

I think that the arrangement worked well for both the USA and EU for a long time. But now that big tech is highly politically motivated to support the far-right that win-win situation has ended.

The only way for the EU to grow domestic tech is to do what the Chinese did, ban USA tech and let local companies to thrive. I just hope that it is done in an open standard-base way instead of the big tech monopolies of the USA.

You'll note one common thing between those two successful examples: one language only.

That's the big difference in the EU when you are a start-up and want to go from the $10-50M range to $500M+: in the US and China, you have one big market with a shared language and one rule of law. In Europe? The second you want to expand to a market bigger than 50M people you have to adapt to different languages, cultures and laws.

If you have not baked it in at the start that can be a huge roadblock. And if you have baked it in at the start you may have missed your chance due to the delay you incurred. Then you're just a target to be eaten by a US or Chinese company with a big war chest earned in their own market.

That's why part of the EU rules is about trying to unify its member countries laws. Yes GDPR can seem like a protectionist framework from outside, but the main goal was to make all country in the EU have one shared legal system to handle personal data. So sharing them becomes easier inside the EU. We can expect more of this kind of laws to be written but they'll always be too late.

Europe is in love with azure too bizarrely.
EU obviously needs a Great Firewall - this would force foreign big tech to host data within the EU and subject these companies to ironclad EU legal jurisdiction. Naturally, some companies will not comply and withdraw services, clearing the way for domestic EU operators to emerge. This may seem like an unpalatable choice but it really is the only way back toward digital sovereignty - right now, the EU has been in 'trust me bro' situation with US big tech - a huge and accumulative risk
They are trying with the Digital Privacy shield, but the issue is there is no domestic alternative to act as an alternative to the US.

And a grand bargain with China is highly unlikely given Wang Yi's recent visit with Kaja Kallas [0] where he announced Chinese moral support for Russia in Ukraine, which is diametrically opposed to the EU's foreign policy, while Von der Leyen condemned China for providing unrestricted support to Russia and causing industrial overcapacity [1].

Unlike Japan or South Korea, the EU holds no cards that it can leverage against the US or China - JP and SK can offer China a trilateral FTA which acts as a negotiating tool against the US, and SK+Japan can offer additonal military support for the US within the APAC domain which can act as a negotiating tool against China. What can the entire EU offer either US or China which cannot be vetoed by a COE member.

The EU has an added issue that the COE requires unanimity amongst heads of state to pass EU wide legislation, and US FDI representing €900B in inward FDI stock [2] within Ireland means there is a guaranteed veto against any tech decoupling. It's a similar story in Czechia, Poland, Romania, and Bulgaria as well.

[0] - https://www.scmp.com/news/china/diplomacy/article/3316875/ch...

[1] - https://www.scmp.com/news/china/diplomacy/article/3317442/vo...

[2] - https://www.cso.ie/en/releasesandpublications/ep/p-fdi/forei...

The EU is not a single country, every member is a sovereign country and there is no "EU jurisdiction".

The EU only provide directives that each member state adapt to their legal framework. Each country decides on their own policy regarding internet access, and it is very unlikely that a directive that have them go through some central EU-controlled firewall would pass.

wait, do they (at least attempt to) spearhead it with Mistral and La Suite? La Suite works good...

regard français perplexe

I mean, same story in Belgium, The Netherlands, and (I'm gonna assume) every other EU government.

Specifically for The Netherlands, https://berthub.eu/articles/posts/demystifying-european-digi... is a good read, from someone that really understands how this works in government.

Sadly, I understand why: they have a tonne of systems, that all, at least somewhat, work, that people know how to use, with established contacts and support contracts. IT departments trained and certified on how to run and deploy MS software. And that's before we start talking about lobbying.

edit: added a link to a good resource about the topic.

We should have started moving over yesterday, but it's a long and difficult process, I just hope we start moving forward on this.

This is everywhere in the EU. The Dutch government put out an RFP for MS Outlook licenses. RFPs are supposed to be vendor neutral, so I don't understand how an RFP for something that only a single company sells can be vendor neutral.

They outsource all their email, but they don't put out RFPs for "email". MS is burrowed so deep into EU governments good luck getting them out.

If control flows through data infrastructure, does it matter who “owns” the platform? Once exposure is built into the structure, sovereignty becomes a user illusion.