US Congress demands messages from European officials via Microsoft and Google
What the Belgian privacy and tech community has been warning about for years is now confirmed: those who communicate via American cloud services communicate under American oversight.
Brussels, March 17, 2026
On March 16, 2026, the US House of Representatives formally reminded ten major technology companies (Alphabet (Google), Amazon, Apple, Meta (Facebook, Instagram, WhatsApp), Microsoft, OpenAI, Reddit, Rumble, TikTok, and xAI) of their obligation to hand over all communications with European institutions to the Judiciary Committee. The letters, signed by Committee Chairman Jim Jordan, specifically target messages exchanged by European officials in the context of the Digital Services Act (DSA).
The trigger is telling: a senior European Commission official advised colleagues to switch to encrypted apps with auto-deleting messages, precisely because they fear that those communications might otherwise end up in American hands. That fear is justified. It also illustrates exactly the concern that privacy and digital rights organisations in Belgium and Europe have been raising for years.
“Anyone sending their work emails via Microsoft 365 or Google Workspace is writing on paper that can be seized by a foreign power.”
The subpoenas now being enforced date from November 2025 and earlier. What the letters add is this: Congress explicitly confirms that the obligation is continuing in nature: new messages, temporary messages, and encrypted communications all fall within its scope, as long as they pass through the platforms in question.
What does this mean for Belgian public institutions?
Microsoft 365 is the standard email environment for 80% of Belgian municipalities, schools, hospitals, and federal government services. The same applies to Google Workspace. Both companies are now formally subject to an American legal obligation to retain their internal communication data and hand it over to the US Congress on request.
The European Commission offers a so-called “Sovereign Cloud” product from Microsoft and Google as reassurance, but this provides no legal protection: the parent companies remain subject to the American CLOUD Act, which compels them to provide access to data, even when that data is physically stored in Europe.
What is the CLOUD Act? The Clarifying Lawful Overseas Use of Data Act (2018) allows American authorities to demand data from US technology companies regardless of where that data is physically stored. A Belgian hospital using Microsoft Exchange Online therefore falls under this regime, even if the servers are located in Dublin or Brussels.
What is FISA 702? Section 702 of the Foreign Intelligence Surveillance Act allows American intelligence services (including the NSA) to intercept the communications of non-US persons outside the United States without an individual warrant, when those communications pass through American service providers. This applies to emails sent by journalists via Microsoft or Google, if those communications are deemed relevant to American national security interests. FISA 702 was extended in 2024 until April 20, 2026, and its reauthorisation is currently under debate in Congress. It is one of the central objections raised by the European Court of Justice against earlier transatlantic data agreements (Schrems I and II).
Which executive orders are relevant? Executive Order 12333 (1981, extended several times) authorises American intelligence services to conduct foreign surveillance outside US territory, with limited judicial oversight. EO 14086 (2022, Biden) introduced additional safeguards as part of the EU-US Data Privacy Framework, but these are considered insufficient by European privacy law specialists. The future of that framework is uncertain given the changed political relationship between the US and the EU. Under the current American administration, moreover, several oversight bodies have been weakened or dismantled, further undermining the practical enforcement of those safeguards.
BeLibre maps the Belgian situation
BeLibre has been active since early 2025 as an independent initiative mapping the digital dependence of the Belgian public sector. Via belibre.be/map we publish research data on which Belgian public institutions (e.g. municipalities, schools, hospitals, police zones) have outsourced their email infrastructure to American providers. The patterns we find are not the exception: they are the norm.
This research connects to a longstanding call from the Belgian tech and privacy community to take digital sovereignty seriously as a matter of public governance. The events of this week give that call renewed urgency.
BeLibre calls for action
BeLibre calls on policymakers to explicitly account for extraterritorial legal risks when procuring cloud and communications services. Technical alternatives exist: European and open-source platforms for email, document management, and communications are available, scalable, and in many cases less expensive.
Digital sovereignty is not an abstract concern. It is a duty of governance.
About BeLibre
BeLibre (belibre.be) is a Belgian initiative, active since 2025, that maps the public sector’s dependence on American cloud infrastructure and raises awareness around digital sovereignty.
Press contact Jurgen Gaeremyn · jurgen@belibre.be
Sources
- Letters from H. Comm. on the Judiciary to Alphabet, Amazon, Apple, Microsoft, OpenAI - March 16, 2026 (judiciary.house.gov)
- Politico: “EU tech enforcer tells officials not to be scared by US threats” - February 16, 2026
- iBestuur: US subpoenas tech giants over communications with European regulators - March 17, 2026