Last week Dutch media reported that the U.S. House of Representatives obtained unredacted emails from civil servants working on EU platform regulation. The correspondence, allegedly passed by Microsoft, included addresses, meeting minutes and invitations tied to agencies enforcing the Digital Services Act. The leak spotlights how foreign legal compulsion can breach presumed national control over sensitive government data and raises questions about oversight mechanisms.

Policymakers often conflate data residency with sovereignty, assuming that European‑hosted servers guarantee protection. In reality, U.S. statutes such as the CLOUD Act empower American authorities to compel disclosure from American firms regardless of where the data physically resides. The Dutch episode demonstrates that a “European region” label offers little shield when the provider remains subject to extraterritorial mandates and can override national privacy frameworks.

The incident forces cloud vendors to prove more than compliance; they must show locally controlled encryption keys, segmented access controls and transparent audit trails. Public‑sector buyers can no longer rely on branding claims of “sovereign cloud.” Procurement discussions now pivot on legal authority over data, making jurisdictional leakage a decisive factor in architecture choices for ministries handling citizen records.