Can someone else access my data in the cloud?
In recent weeks, concerns around privacy and data access in the cloud have resurfaced.
At the centre of the discussion is data sovereignty: the principle that organisations must maintain full control over who can access their data and where that data is stored.
Reading time 3 minutes Published: 17 April 2025
This topic goes beyond personal data. Company data, in general, falls under increasing scrutiny due to regulations such as the GDPR and the EU Data Act, which require cloud providers to meet strict data protection standards.
Some argue the US CLOUD Act allows American authorities to access data, even if it is stored in the European Union. The Dutch National Cyber Security Centre (NCSC) addressed this concern in 2022, stating:
‘The U.S. government gaining access to European (personal) data, specifically on the basis of the CLOUD Act, is conceivable, yet in practice also very unlikely.’
The NCSC also noted:
‘The CLOUD Act is just one example of extraterritorial legislation impacting data processing in Europe. Other countries also have such legislation.’
This debate led some to suggest moving back to private data centres or shifting to European cloud providers. While this may offer more autonomy and control, it also means sacrificing scalability, innovation, and cost-efficiency of hyperscalers like Azure.
Microsoft has made clear commitments that customer data belongs to their customers. They provide extensive documentation and go through great lengths to protect this data.
Through Microsoft’s EU Data Boundary Initiative, Azure ensures that data is stored and processed entirely within the EU — including pseudonymised personal data and professional services data (like customer-provided-logs or support case notes).
This makes Azure a great cloud for software companies, offering high automation, streamlined operations, and a broad range of services. It enables rapid innovation with cutting-edge AI tools, all while staying cost-effective and compliant with data sovereignty regulations.
Data sovereignty is not only about where you store your data, it also concerns the measures taken to protect it. This includes secure cloud architecture, robust security policies, encryption of data both at rest and in transit, customer-managed keys (CMK) or Bring Your Own Key (BYOK), confidential computing, and more.
These capabilities make it harder for unauthorised access to occur, whether by malicious actors or governments. Azure’s global security investments, including advanced threat protection and compliance tooling, also play a key role.
Some of these measures are easy to implement and start with a well-planned cloud design. Others, like customer-managed keys, require more planning and may impact how you manage services across Azure and, therefore, need careful consideration.
Data access is not the only concern. Resilience, the ability to recover from cyberattacks or natural disasters, is becoming increasingly important. With its global infrastructure and multi-region capabilities, Azure is well-positioned to provide the resilience businesses now require.
Coming back to the topic of sovereignty, we can say that striking the right balance between the benefits and risks of the public cloud is more critical than ever. In the end, it is about making informed choices and aking advantage of everything the cloud offers while staying in control of your data. If you need help managing these challenges or want to make sure your cloud environment is secure and resilient, we at Intercept are here to help.
At Intercept, we support organisations in:
If you would like our support in implementing any of these measures, don’t hesitate to get in touch. We are here for you.