Microsoft Shared Dutch DSA Regulator Emails with US House Under CLOUD Act Access

Dutch civil servants at agencies enforcing the Digital Services Act had names, meeting minutes, and internal communications disclosed to US congressional staff. Microsoft acted as the data custodian. The transfer occurred without Dutch government notification and bypassed EU data protection channels. This matches patterns documented in prior vendor disclosures where US legal process overrides regional storage claims.

CLOUD Act Section 103 permits US authorities to compel US-headquartered providers to produce data regardless of physical location. Dutch data remained subject to this statute even when hosted in European regions. Microsoft transparency reports from 2023-2025 record hundreds of similar government requests annually, with limited recipient notice options. Residency guarantees therefore provide no insulation from foreign jurisdiction.

The incident reveals structural dependency: EU regulators shaping platform rules operate inside vendor stacks that answer first to another sovereign. European Commission audits and national sovereignty programs have flagged this exact vector since 2021. Vendors must now demonstrate segmented access logs, locally held encryption keys, and explicit refusal mechanisms for extraterritorial demands rather than compliance theater.

Public sector procurement rules in the Netherlands, France, and Germany are already tightening key custody and audit requirements. Failure to meet these will shift workloads to providers that isolate control planes from US parent entities.