
They say technology is the great equalizer, until it isn't. Too many digital leaders believe their data is "safe" simply because it is hosted in a "safe" jurisdiction, one that supposedly keeps it out of reach of the United States (or China, or even the EU). The thinking goes: foreign soil equals sovereign shield. But based on recent revelations, that assumption may be more delusion than defense.
Zlatko Unger of Wiz, in a recent LinkedIn post, puts it bluntly: “Your data might be physically in another country, but it isn’t in that country. If it’s with an American company, it’s in America.” That is not fear-mongering; it is a hard truth in plain English. If the cloud provider is U.S.-based, your data answers to Uncle Sam no matter where it is parked, because the legal question is who possesses, has custody of or controls the data, not which data center holds the disks.
The Microsoft Canary in the Sovereignty Coal Mine
Earlier this month (August 2025), a Microsoft France representative confirmed something chilling: Microsoft must comply with valid U.S. legal demands even if the data resides in France or Canada. No override, no exceptions, no deference to local privacy or sovereignty laws. That means Canadian or French data, including sensitive citizen and government data, can be handed over without approval from local authorities. The sovereignty claim is hollow.
This is no small detail. The underlying mechanism is the U.S. CLOUD Act, passed in March 2018. It amended the Stored Communications Act so that a U.S. provider served with a valid warrant or subpoena must produce data in its possession, custody or control regardless of where that data is stored, including abroad. The Act does give a provider a narrow path to move to quash a demand when compliance would violate the law of a foreign government that has a qualifying executive agreement with the U.S., but that is a motion the provider chooses to file, not a veto the host country holds.
The earlier legal battle, Microsoft Ireland, hinged on whether the U.S. could compel production of email stored in a Dublin data center. The Second Circuit sided with Microsoft in 2016, holding that the old law did not reach extraterritorially. But almost immediately Congress stepped in, passed the CLOUD Act, and effectively nullified that ruling. The Supreme Court then vacated the case as moot. (Wikipedia)
Why Local Hosting Isn’t a Panacea
Yes, some countries, Canada among them, have pushed data localization measures demanding that data stay within national borders. But ask yourself: can data sovereignty really be enforced if the global gatekeepers will not stand firm?
Even if a company's servers are physically inside Canadian borders, Microsoft's confirmation exposes the lie. The U.S. legal lever still pulls the data, wherever it resides. For organizations, the real question is not security of the data (they can layer on encryption and other defenses) but control over its release.
That goes double for organizations relying on U.S.-based platforms, foreign branches included. Providers like Microsoft (or AWS, Google, Oracle) may offer in-country regions and "local" options, but all remain beholden to U.S. jurisdiction if the provider is American.
And sure, you might look elsewhere, say Chinese cloud providers, to dodge the long arm of Law-and-Order America. But don't kid yourself: those providers answer to the CCP, not to your company or to you. You would simply be jumping from the frying pan into the fire.
So what’s real sovereignty anymore?
Shimmy’s Take
Here’s the hard truth: No one — no data — is safe.
Can any nation really uphold data sovereignty when powerful extraterritorial laws exist and cloud providers span continents and alliances? Is it even valid to talk about “data sovereignty” when providers can be compelled to surrender data, regardless of where it physically resides?
Full sovereignty over your data means you would have to control the entire stack: the infrastructure, the encryption and the keys, the supply chain, the hardware, the network and the governance. That is not infrastructure; it is an empire.
Most companies don’t want — or frankly, can’t manage — that. They need scale, agility and innovation. And that means leaning on hyperscale clouds.
Solutions (Or at Least, Mitigations)
So where does that leave us? A few potential ways forward — none perfect, all partial:
- Multi-jurisdictional, encrypted architecture
- Keep your own encryption keys, generated and held on hardware you control, outside U.S. jurisdiction and outside the provider's key-management service. Encrypt client-side before upload, so the provider (what vendors market as "zero-knowledge") never holds anything it could decrypt; then a valid U.S. warrant served on the provider yields ciphertext, not your crown jewels. The caveat: a demand can still compel whatever the provider does hold, which includes keys you let it manage and the metadata (object names, sizes, access patterns) around your blobs, so the design only works if the key truly never leaves you.
- Sovereign clouds
- Governments like Canada are considering, or building, sovereign cloud infrastructures that do not depend on U.S.-based providers: a cloud you control, on your soil, operated by entities subject only to local law. Difficult and expensive, but sovereignty costs.
- Split governance, split storage
- Use a hybrid approach: keep the most sensitive data on-prem or with local partners, and put non-critical workloads on the global cloud. Segmentation does not remove the exposure, but it shrinks what a single legal demand can reach.
- Push for stronger international treaties
- Advocate for binding agreements that respect local privacy safeguards. Mutual legal assistance treaties (MLATs) and CLOUD Act executive agreements are better than nothing, but they regulate how governments ask each other for data; they do not stop a U.S. court from ordering a U.S. provider directly, so they still fall short of sovereignty.
- Persistent transparency and pressure
- Demand transparency reports, source access and audit logs. Programs like Microsoft Cloud for Sovereignty at least attempt to give governments more control and visibility over cloud operations, but they still operate within a U.S. firm that remains subject to U.S. process.
- Policy and advocacy
- Digital leaders must pressure both governments and providers to uphold jurisdictional boundaries, and to impose penalties when they do not.
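The "keep your own keys" mitigation above is the one item in this list that is an engineering decision rather than a policy one, so here is an added example of what it looks like in code. This is not code from the original post or from any provider; it models a hypothetical U.S.-hosted bucket that stores whatever bytes it is given, and a tenant that encrypts locally with a key the bucket never sees. To keep the example runnable with only the Python standard library, the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag (a stand-in for a vetted AEAD such as AES-GCM or XChaCha20-Poly1305, which is what you would actually deploy). The object name is bound into the authenticated data so a provider cannot silently swap one record's blob for another's. The record contents, key and bucket are all constructed for the demo.

```python
"""Client-side ("hold your own key") encryption before upload.

The provider stores only ciphertext. The key lives with the tenant, so a
legal demand served on the provider yields blobs the provider cannot open.
"""
import hashlib
import hmac
import os
import struct


def _subkey(master_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific 32-byte key from the tenant's master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream.

    Standard-library stand-in for a real AEAD so the example runs anywhere;
    use AES-GCM or XChaCha20-Poly1305 from a vetted library in production.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _mac_input(aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix aad so (aad, nonce||ct) pairs cannot be re-split.
    return struct.pack(">Q", len(aad)) + aad + nonce + ct


def seal(master_key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag.

    aad (here the object name) is authenticated but not encrypted.
    """
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _mac_input(aad, nonce, ct), hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time, then decrypt.

    Raises ValueError on a wrong key, a tampered blob, or a mismatched aad.
    """
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, _mac_input(aad, nonce, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CloudBucket:
    """Hypothetical U.S.-based provider: it stores bytes and can be compelled
    to hand over everything it holds. It is never given a key."""

    def __init__(self) -> None:
        self._objects: dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        self._objects[name] = data

    def get(self, name: str) -> bytes:
        return self._objects[name]

    def comply_with_legal_demand(self) -> dict[str, bytes]:
        """Everything a valid warrant can extract from this provider."""
        return dict(self._objects)


def demo() -> dict:
    """Walk through upload, compelled disclosure and tenant-side reads."""
    tenant_key = os.urandom(32)  # constructed; in practice from the tenant's own HSM/KMS
    record = b"citizen record: SIN 000-000-000, diagnosis: ..."  # constructed sample
    name = "records/42"
    bucket = CloudBucket()
    bucket.put(name, seal(tenant_key, record, aad=name.encode()))

    handed_over = bucket.comply_with_legal_demand()
    provider_holds_plaintext = any(record in blob for blob in handed_over.values())
    tenant_can_read = unseal(tenant_key, bucket.get(name), aad=name.encode()) == record

    def fails(key: bytes, blob: bytes, aad: bytes) -> bool:
        try:
            unseal(key, blob, aad)
            return False
        except ValueError:
            return True

    blob = bucket.get(name)
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    return {
        "provider_holds_plaintext": provider_holds_plaintext,
        "tenant_can_read": tenant_can_read,
        "wrong_key_rejected": fails(os.urandom(32), blob, name.encode()),
        "swapped_name_rejected": fails(tenant_key, blob, b"records/43"),
        "tampered_blob_rejected": fails(tenant_key, tampered, name.encode()),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the demo makes is narrow but important: `comply_with_legal_demand` returns exactly what the provider would produce under a warrant, and nothing in it is readable without `tenant_key`. That protection evaporates the moment the key is stored in the provider's own key-management service, since the key then falls under the same "possession, custody or control" language as the data.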
The Bottom Line
If you think you can host data on foreign soil and call it sovereign, you are fooling yourself. Modern data sovereignty is a myth: more illusion than safeguard.
But myths can be managed. With client-side encryption, sovereign clouds, smart architecture and pressure-led policy, you may not be invulnerable, but you might just have a fighting chance.
Remember: it is not just about where the data is; it is about who controls its release. And these days, control is the rarest of resources.
Shimmy’s Final Take
No cloud, no infrastructure, no provider can guarantee true sovereignty. If a foreign nation can unilaterally compel the release of data, sovereignty means nothing. Until we invest in fully managed, truly sovereign infrastructure, or reshape laws to respect boundaries, we are all just sitting ducks in the digital coliseum.
There was a time when one could say that the U.S. would not undertake such extraordinary actions lightly. Maybe something like a 9/11 type emergency would trigger such overreach. But given the current state of actions by the U.S. government, including actually taking stakes in tech providers, you just can’t bank on reasonable people doing reasonable things anymore.