European data sovereignty in court

Canada's OVHcloud ruling threatens the security of European cloud strategies. The consequences for companies, data protection and European digital sovereignty are far-reaching.

On September 25, 2024, the Ontario Court of Justice ordered the French cloud provider OVHcloud to hand over user data to the Canadian police - even though the requested data is stored on servers in France, the UK and Australia. This is based on a production order dated April 19, 2024.

The judge's reasoning: OVH's "virtual presence" in Canada is sufficient to establish Canadian jurisdiction - regardless of where the data is physically stored. What sounds like legal hair-splitting means in practice: suddenly a Canadian court is effectively deciding on European data sovereignty.

The legal dilemma: punishable in France or in Canada

For OVHcloud, the ruling is a real trap:

• In Canada, there are penalties if the data is not delivered.
• In France, there are penalties if they are delivered.

The reason for this is the French blockade law (Loi n° 68-678 of 1968), which was amended in 2022. It prohibits French companies from passing on commercially sensitive information directly to foreign authorities, unless the route via international mutual legal assistance agreements is chosen. Violations are punishable by up to six months in prison and fines.

The French economic service SISSE and the Ministry of Justice have written to Canada asking it to use the official mutual legal assistance channel - and at the same time made it clear that direct data disclosure would be illegal under French law.

OVHcloud has therefore lodged an appeal with the Ontario Superior Court and at the same time requested that the enforcement be suspended - as the deadline for handing over the data was set for October 27.

Why this case calls European data sovereignty into question

The conflict is not an exotic special case, but a precedent:

If the principle of "virtual presence" holds, any company with a digital footprint in a third country could in future be directly implicated in foreign investigations - including the data stored there.

This calls into question the business model of international cloud providers who advertise themselves as a "data location in Europe" and "protection from foreign authorities".

Parallels with the US CLOUD Act are obvious: Since 2018, the CLOUD Act has allowed US authorities to obtain data from US cloud providers such as Microsoft, Google and Amazon - regardless of whether the data is located in Frankfurt, Dublin or Paris. Violation is punishable by law.

Particularly explosive: In a public hearing before the French Senate in June 2025, the chief legal counsel of Microsoft France stated under oath that Microsoft cannot guarantee that data of European users in EU data centers is protected from access by US authorities - even in projects such as the "EU Data Boundary".

The message for compliance and IT managers in Europe is uncomfortable

"Data residency in the EU" does not automatically protect against access by third countries - as long as the provider itself is subject to the law of a third country.

The OVHcloud case shows that it is not just US hyperscalers that are in the spotlight. European providers with global business can also be torn between national law and foreign courts.

In the end, only international politics will be able to solve the fundamental problem.

France is signaling in the proceedings:

The data is secure

They can and should also be supplied via official legal assistance channels in order to solve criminal offenses.

However, under French law, it would be a criminal offense for the cloud provider to simply hand them over by direct order of a foreign court.

Canada, on the other hand, focuses on efficiency: fast data, direct access, without lengthy diplomatic loops. The Ontario Superior Court must now weigh up what weighs more heavily:

- The efficiency of police investigations, or:

- respect for the sovereignty of a partner state and established procedures under international law.

One thing is clear: technical measures, EU data spaces or contractual clauses cannot prevent the collision of national laws. Without clear political guidelines, European data sovereignty remains vulnerable.

Checklist: What companies need to check their cloud strategy for now

Anyone responsible for a cloud strategy for critical data today must clarify the following questions as quickly as possible:

• What law is my provider subject to?
• Where is the parent company based?
• Where are the registered offices of all subsidiaries?
• What is the group structure (US law? UK? Canada?)
• Where are the data centers & backups really located?
• Does the marketing promise hosting "in the EU" or specifically and unequivocally "hosting exclusively in Germany"?
• Who holds the keys? Can the provider technically access productive data at all, or does the key lie exclusively with the customer?

For many companies - especially in regulated industries, the public sector, the healthcare or legal sector, or for particularly sensitive data such as industrial property rights - there is no way around a sovereign cloud from Germany. Not out of nationalism - but because there is currently no greater level of security.

SecureCloud: Sovereign German cloud without legal backdoors

The OVH case confirms our approach:

• Data centers and company headquarters exclusively in Germany - operated in highly secure, bank-compliant data centers of NorisNetworkAG.
  
  
• "Data based in Germany" - this is not just a marketing slogan, but a guarantee of a truly autonomous IT infrastructure without any technical or legal backdoors for third countries.
  
  
• Certifications such as ISO 27001 and a BSI C5 certificate attest to a level of security that is particularly relevant for KRITIS-related applications.
  
  
• End-to-end encrypted cloud storage and integrated eSign solutions (SecureSign), where data and keys remain under customer control.
  
  
• SecureCloud is the truly sovereign content cloud from Germany. Specifically: no US parent company, no foreign subsidiaries, so no target for the US CLOUD Act.

The OVHcloud case shows where the journey is heading: the more complex the geopolitical situation and the more aggressive extraterritorial laws become, the more valuable a clear, national legal framework for business-critical data becomes.

If you want to check how sovereign your current cloud landscape really is - and which workloads would be better off in a German, legally independent cloud - get in touch with us.