The Sovereignty Balancing Act: Extraterritorial Legal Jurisdiction in the Context of European Data Sovereignty Guidelines and Widening Encryption Backdoors
By Aisling Dawson |
04 Dec 2025 |
IN-8005
NEWS: Swiss Data Protection Authority Takes a Stand Against the Prospect of U.S. Extraterritorial Legal Jurisdiction
Zurich’s Conference of Data Protection Officers, Privatim, has published guidelines for federal officials and public bodies on the use of Software-as-a-Service (SaaS) and cloud solutions from international hyperscalers. The guidelines urge officials not to use such solutions to store personal data or data subject to “professional secrecy,” and condemn the prospect of the United States exercising extraterritorial legal jurisdiction over Swiss data via the Clarifying Lawful Overseas Use of Data (CLOUD) Act as an abrogation of Swiss citizens’ constitutional rights. The 2018 CLOUD Act places data protection authorities in Switzerland and worldwide in a legally paradoxical position: citizens’ personal data remain subject to the protections of domestic data protection law, while simultaneously being exposed to compelled disclosure to U.S. authorities, who can serve warrants and subpoenas on providers subject to U.S. jurisdiction regardless of where the data are physically stored.
The manual, published December 2, rejects End-to-End (E2E) encryption as a sufficient defense for using such solutions in most cases. For encryption to count, the data must remain encrypted throughout their entire lifecycle, including while being processed in the service provider’s Random Access Memory (RAM), and the cloud provider itself must have no way of accessing the encryption keys. In practice, this rules out the common configuration of encryption at rest and in transit with provider-managed keys, since the provider decrypts the data in order to process them. While the Swiss Federal Chancellery emphasizes that the manual does not amount to a legal obligation on the federal administration, its recommendations effectively amount to a de facto ban on public bodies using U.S.-controlled clouds for a breadth of sensitive data, from classified government documentation to medical, social security, and educational records.
IMPACT: The Ripple Effect of Zurich's Approach, Impacting Hyperscalers, Local Authorities, and the Rest of Europe
Privatim explicitly cites Microsoft 365 to exemplify the threat that extraterritorial legal jurisdiction poses to sensitive data. While Microsoft has underscored its contractual commitment to challenge any attempt by the U.S. government to access data stored and processed via its SaaS and cloud services, that commitment applies only where there is a “lawful basis to do so.” Thus, irrespective of Microsoft’s assurances that a U.S. request pertaining to European data is unlikely, data protection authorities are beginning to look past hyperscalers’ promises and point to the continued absence of any real legal protection or guarantee against the extraterritorial reach of the CLOUD Act, as senior Microsoft representatives admitted before the French Senate in June. Concerns over the United States’ jurisdictional reach have been echoed across Europe, but Zurich’s de facto ban, while lacking legal enforceability, is the most hardline position officially issued yet. With rising skepticism in countries like France, Germany, and the Netherlands about overreliance on foreign cloud services, Zurich’s explicit position could trigger a domino effect across the region, buttressed by existing sentiment. In the short term, however, Zurich’s stance is likely to produce a degree of fragmentation within Europe’s regulatory ecosystem, particularly where cross-border research projects and partnerships are involved.
On the hyperscaler side, with national authorities increasingly unimpressed by publicized assurances, the guidelines are expected to pressure cloud providers to strengthen the technical protections within their SaaS solutions. Bring Your Own Key (BYOK) has been widely rejected as a defense against the United States’ prospective legal reach, because the provider still holds and uses the customer’s key to decrypt data at processing time and can therefore be compelled to produce plaintext. Instead, confidential computing, external key management, customer-side data processing, and client-side E2E encryption will become requirements for sovereign cloud solutions. Yet localizing key management and data processing brings its own obstacles: reduced functionality within the given SaaS solution, infrastructure overhaul costs, increased latency, and greater staffing and overhead demands. Consequently, in the medium to long term, migration toward local European cloud providers is expected, but this market shift will not happen overnight, mainly because many local SaaS solutions lack the advanced feature sets (including Artificial Intelligence (AI) capabilities), uptime statistics, and cybersecurity posture that U.S.-based hyperscalers boast.
RECOMMENDATIONS: De Facto Ban on International SaaS Providers: Overly Hardline or In Line with Current Policies?
Zurich’s publicized stance on the CLOUD Act and Swiss reliance on hyperscalers such as Microsoft is indicative of a shift within the digital sovereignty space. While data sovereignty has long been understood as territorial or national control over data, there is a clear movement toward a more expansive reading that goes beyond data residency and adds a legal or jurisdictional component. Zurich’s explicit recognition that data sovereignty includes freedom from other states’ extraterritorial jurisdiction exemplifies this shift. Yet, as the definition of sovereignty widens, total sovereignty becomes less feasible not only for those working with international SaaS providers like Google, Microsoft, and AWS, but also for some European cloud providers. A requirement to work only with legally distinct European organizations that have no corporate ties whatsoever to foreign states could bar partnerships with players like OVHcloud, which, while a French cloud provider, has Canadian subsidiaries. This left it exposed to a November order from a Canadian court to hand over European customer data, irrespective of French legal prohibitions that ban the sharing of such data outside of international Mutual Legal Assistance Treaties. In this sense, absolute sovereignty could stifle one of the oft-celebrated by-products of digital sovereignty: greater space for European-led innovation in markets that the United States has hitherto dominated.
Given the consequences of absolute sovereignty in its purest form, combining the expansive definition of sovereignty adopted by Privatim with a risk-based, tiered approach remains the most efficient (and economical) way of boosting data sovereignty in-house. This is especially so given that interpretations of sovereignty remain fluid, which prevents sovereignty solutions from following a “one size fits all” model. Alongside differing definitions of sovereignty is the divergence across verticals in which data are classified as sensitive. Even among critical infrastructure providers in the energy and utilities, aerospace and defense, telecommunications, financial, health, and public sectors, classifications of non-sensitive, sensitive, and highly sensitive data differ, and this subjectivity complicates the very concept of “absolute” data sovereignty. Offering various sovereign tiers will be key to tapping into market variation in how sovereignty and sensitive data are understood, particularly where regulation and policy are expected to continue evolving, as Privatim’s recent announcement indicates. Education on classifying data by risk will be paramount, as will support for flexible movement between sovereign tiers within cloud solutions.
At the same time, rising protectionism over data toward foreign states is not necessarily tied to greater protection for citizen data or to respect for E2E encryption domestically, as the intensifying battle between various European states and E2E encryption providers shows. Cases such as Apple versus the UK Home Office, French efforts to insert the state as a “ghost participant” in encrypted communications, and the European Union (EU) Chat Control proposal for scanning encrypted messages are all examples of the movement toward undermining E2E encryption domestically. Setting aside the fact that many of these cases have involved U.S.-based firms, there is a stark contrast between demanding stronger E2E encryption from international solutions while simultaneously working to undercut it at home. Yet, although seemingly conflicting, jurisdictional sovereignty demands and intensifying battles over encryption backdoors both demonstrate the growing lack of control that states feel over their digital borders. Understanding that control remains at the core of the sovereignty debate will be crucial to predicting policy shifts within Europe and beyond as the fight for sovereignty over digital territory rages on.