Karl A L Smith

human knowledge belongs to the world

Why U.S. Ownership Can Put Other Countries’ Citizens’ Data at Risk

A global public-facing explanation with two real case studies

Around the world, people rely on digital identity systems, cloud platforms, and online services to access government services, banking, healthcare, and communication. But when these systems depend on companies controlled by the United States, a fundamental legal conflict emerges: U.S. law applies to U.S. companies everywhere, even when they operate in the United Kingdom, Europe, Australia, India, or any other country.

The most important of these laws is the U.S. CLOUD Act, which allows U.S. authorities to demand access to data held by any U.S.-controlled company, including its subsidiaries abroad, even when that data belongs to foreign citizens and is stored outside the United States.

Two real-world events show how this can affect people in any country:

  • A Microsoft account belonging to ICC Chief Prosecutor Karim Khan was reportedly cancelled due to U.S. sanctions.

  • Kyndryl, a U.S. company, attempted to acquire Solvinity, which operates DigiD, the Dutch national identity system used by 18 million people.

These cases demonstrate how U.S. legal obligations can directly affect foreign citizens, foreign governments and international institutions.

The CLOUD Act: A Global Conflict With National Privacy Laws

Under the CLOUD Act, U.S. authorities can compel U.S. companies to hand over data:

  • even if the data belongs to non-U.S. citizens

  • even if the data is stored in the UK, EU, Australia, India, or elsewhere

  • even if doing so violates local privacy laws

  • and often without notifying the individuals affected

This creates a direct conflict with national privacy frameworks such as:

  • GDPR (Europe)

  • UK Data Protection Act

  • Australian Privacy Act

  • India’s Digital Personal Data Protection Act

From a global perspective, U.S. ownership introduces a legal risk that cannot be mitigated by contracts, encryption, or local hosting alone.

Case Study 1: ICC Chief Prosecutor’s Microsoft Account Cancelled Due to U.S. Sanctions

International Criminal Court (ICC) Chief Prosecutor Karim Khan, based in The Hague, reportedly discovered that his Microsoft account had been cancelled. According to public reporting, Microsoft informed him that the action was due to U.S. sanctions rules.

This incident demonstrated something deeply concerning for all countries:

A non-U.S. official lost access to a digital service because a U.S. company was required to enforce U.S. law, even though the ICC is not a U.S. institution.

This raises global questions:

  • Could a UK judge, Australian journalist, or Indian civil servant lose access to their account due to U.S. sanctions?

  • What happens when U.S. sanctions conflict with the laws or interests of another country?

  • How can foreign governments maintain independence if their digital tools are controlled by companies bound to foreign legal systems?

This case became a powerful example of how U.S. extraterritorial law can directly affect foreign officials and institutions.

Case Study 2: Kyndryl Attempts to Acquire Solvinity, Threatening DigiD

Solvinity is a Dutch managed service provider responsible for operating DigiD, the national digital identity system used by 18 million Dutch citizens to access government services.

When Kyndryl, a U.S. company spun out of IBM, attempted to acquire Solvinity, the Dutch Government intervened.

Why?

Because U.S. ownership would expose DigiD’s highly sensitive identity data to:

  • the U.S. CLOUD Act

  • foreign legal demands

  • potential access by U.S. authorities without Dutch oversight

The Dutch Government concluded:

No technical or contractual measure could prevent U.S. legal obligations from overriding Dutch and EU privacy protections.

This was a landmark moment: a real acquisition attempt blocked because the target held critical national identity data that would become vulnerable under U.S. law.

It demonstrated that, for essential digital infrastructure, U.S. ownership may be incompatible with national sovereignty, not just in Europe but anywhere.

Why This Matters for Citizens of Any Country

These two cases, one involving sanctions and the other a blocked acquisition, illustrate the same global problem:

1. Your data can be accessed under U.S. law

Even if you live in the UK, Australia, India, or Europe.

2. Your government cannot stop it

Local privacy laws cannot override U.S. legal obligations.

3. Sensitive national systems are especially exposed

Including:

  • national identity systems (e.g., DigiD, Aadhaar-linked services, UK GOV.UK accounts)

  • public-sector digital services

  • health data platforms

  • telecoms and cloud hosting

  • political communications

  • international justice institutions

4. Foreign governments lose sovereignty over their own data

If U.S. authorities can compel access to your country’s data, your government cannot guarantee your privacy or security.

This affects everyone, not just Europeans.

How Countries Are Responding

Governments around the world are now taking steps to protect citizens’ data, including:

  • blocking high-risk acquisitions (as in the Solvinity case)

  • requiring local or sovereign cloud services for sensitive data

  • promoting national cloud frameworks

  • insisting on local operational control for public-sector systems

  • increasing scrutiny of foreign ownership in digital infrastructure

These actions are not anti-American. They are pro-sovereignty, focused on ensuring that citizens’ data remains protected under their own country’s laws.

In Plain Terms

When a U.S. corporation controls a digital service used in your country, your data and even your access to essential services may become subject to U.S. legal demands.

The ICC case and the Solvinity–DigiD case show that this is not theoretical. It is happening.

For citizens of the UK, Europe, Australia, India, and beyond, the principle is simple:

Your data should be protected by your country’s laws, not exposed to foreign legal systems.
