Europe's Export Hit: Personal Data
Katrin Peter · 4 min read


Europe likes to see itself as a global guardian of data protection and fundamental rights. GDPR, NIS2, AI Act – the regulatory claim is high, the rhetoric confident. In operational reality, however, a different picture emerges: personal data of European citizens and companies is systematically outsourced to infrastructures lying outside European legal and control spheres. Not illegal, but politically shortsighted. Not out of necessity, but out of convenience.

The current debate about Microsoft 365 in Switzerland and Bavaria exemplifies the pattern. Thirty Swiss data protection officers are openly warning against its use with sensitive data. In Bavaria, the state government under Markus Söder is nevertheless considering a long-term commitment to Microsoft. The arguments are everywhere the same: proven software, fast implementation, compatibility. The consequences are ignored.

Microsoft is not just any provider. Those who commit to Microsoft 365 commit to an ecosystem. Technically, organizationally, financially. And legally. US corporations are subject to US law – worldwide. The CLOUD Act allows American authorities to access data, regardless of whether it is located in Frankfurt, Zurich, or Geneva. European data centers do not change the legal situation. Certificates do not change the possibility of access. Even Microsoft does not deny that full exclusion of state access cannot be guaranteed.

Thus, the question is no longer whether risks exist, but why European states deliberately accept them. In Switzerland, license costs for Microsoft products are exploding, while data protection authorities declare that use with citizen data is often not permissible. In Bavaria, a possible billion-dollar contract is being discussed – declared as an open review, factually a strategic commitment for years.

The problem is not limited to Microsoft. The Federal Office for Information Security (BSI) provides a particularly irritating example. The BSI is launching a central portal for NIS2 reports – operated on Amazon Web Services. A federal agency whose task is the protection of critical infrastructure is outsourcing security-relevant information from energy, health, and administration to the infrastructure of a US hyperscaler. This is not a minor technical detail. It is a political decision about power, control, and dependency.

Yet alternatives exist. IONOS, Plusserver, OVHcloud, or the cloud offerings of Deutsche Telekom have been operating scalable, certified infrastructures under European law for years. With Gaia-X, a framework was created that was supposed to enable exactly such governmental use cases: interoperable, sovereign, European. That these options apparently played no role at the BSI is a signal – to the market and to other agencies.

The counterargument is always the same: efficiency. Familiar tools, established processes, lower migration costs. In the short term, this is true. In the long term, structural lock-in effects arise. Those who are deep in the Microsoft or AWS ecosystem can no longer switch without accepting massive costs, friction losses, and dependencies. The decision today determines the leeway of administrations for a decade.

It is not about anti-Americanism and not about product quality. Microsoft and AWS deliver powerful technologies. The actual failure lies in the fact that European states treat digital infrastructure like office equipment – instead of critical public services. Energy dependency was only taken seriously politically when it became painful. Digital dependency is being built up with eyes wide open.

That things can be done differently is no secret. Schleswig-Holstein is consistently focusing on open source. With OpenDesk, an open office platform for the administration is being created in Germany. In Switzerland, providers like Switch, Abraxas, Infomaniak, or Proton exist, operating under European law. These solutions are not trivial. They require building competence, conversion, and political fortitude. That is precisely why they are strategically relevant.

Personal data has long been an export hit for Europe – not through sale, but through outsourcing. It migrates into infrastructures that Europe neither controls nor strategically manages. Regulation is no substitute for an operational decision. Data protection laws help little if the technical basis lies outside one’s own legal sphere.

Digital sovereignty does not arise through declarations of intent, cloud labels, or location marketing. It arises through consistent procurement decisions. As long as ministers, federal agencies, and administrations confuse convenience with modernization, sovereignty remains a buzzword. The alternatives are there. What is missing is the political will to use them systematically.
