In 2024, US authorities issued 57,000 requests to access data stored by US companies, including data hosted in Europe. If your AI solution runs on an American LLM, then your citizens' data is not protected by the GDPR.
This article examines the data sovereignty challenge created by the combination of the GDPR and the Cloud Act.
Data sovereignty: a sometimes subtle clause
When a vendor contract is negotiated, your Data Protection Officer (DPO) validates the processing operations. The contract usually includes GDPR clauses, the data is hosted on servers in the European Union, and the "compliance" box is ticked.
Yet one question is missing from the vendor qualification process. Just one: what is the legal nationality of the company that processes your data?
Not the nationality of its servers. The nationality of the company itself.
If the answer is "American" or "subsidiary of an American group," then your citizens' data is subject to the Cloud Act, regardless of where it is physically hosted. This is not a debatable legal interpretation: it is the text of a US law, in force since 2018, which the major tech companies apply without publicizing it.
What the Cloud Act concretely authorizes
The Cloud Act (Clarifying Lawful Overseas Use of Data Act) gives US authorities the right to require an American company to hand over data stored on any server in the world, including in Europe, with no mandatory notification to the data owner or to the government of the country concerned.
Microsoft's 2024 Transparency Report states that the company received more than 57,000 government requests over the year, a significant portion of which concerned European customer data hosted on European infrastructure.
If your American AI vendor receives such a request, it will comply, but it is not legally required to inform you. You therefore discover the breach during an audit, or not at all.
Why GDPR compliance is no longer enough
The Court of Justice of the European Union formalized this in its Schrems II ruling (2020): transferring data to a company subject to American surveillance is incompatible with the GDPR, even if the servers are located in Europe.
For French administrations, the issue goes beyond formal compliance. The data processed by a prefecture, a family allowance fund, or a public hospital includes civil-status information, but also residence data, medical information, and asset situations. These are exactly the categories of data that the Cloud Act prioritizes in its intelligence requests.
Entrusting the processing of this data to an American vendor therefore creates a structural exposure that neither your DPO nor your vendor can control.
What the Cloud at the Center doctrine (SecNumCloud) changes
In response to these sovereignty challenges, the Cloud at the Center doctrine, formalized by the SGDSN and the ANSSI, is not merely a recommendation. It is an operational framework that redefines the qualification criteria for vendors handling the sensitive information systems of administrations.
Its central principle is that sensitive data may only be entrusted to vendors holding SecNumCloud certification, the French cloud security qualification issued by the ANSSI. Two hosting providers are qualified today: Outscale France (a subsidiary of Dassault Systèmes) and Cloud Temple.
For your upcoming calls for tender, this translates into three criteria that have become non-negotiable:
1. SecNumCloud certification as a condition of eligibility
This certification is not a mere label; its impact is far greater. A non-certified vendor can no longer be selected, regardless of the functional quality of its solution.
2. The location of processing, not just storage
The inference and training operations of AI models must also remain on sovereign infrastructure. Hosting the data in France while letting inference run on American servers does not fully meet the requirements of the doctrine.
3. Access traceability
Every interaction between your AI solution and your citizens' data must be auditable by your CISO and accessible to the CNIL (the French data protection authority) upon request. This is a requirement that most American LLMs do not satisfy natively.
Data sovereignty is no longer a political argument
The challenge, then, is to choose a vendor that is French and sovereign end to end. Data sovereignty is now a measurable technical and legal criterion.
Administrations that make these requirements eliminatory criteria in their upcoming contracts will not only reduce their legal exposure; they will also build a relationship of trust with their users that rests on a concrete guarantee: your data remains French, under French jurisdiction, auditable by French authorities.
In our next article, we will look at how sovereign agentic AI concretely transforms the daily work of public-sector employees, and why reducing the level 1 workload has become the key.