Microsoft has formally asked the UK Parliament to correct the official record after a senior executive gave testimony that the company now says was “inaccurate” about its role in the suspension of an International Criminal Court prosecutor’s email account. The reversal, first reported by The Register, lands at a moment when European organizations are pouring billions into sovereign cloud alternatives precisely to avoid the kind of jurisdictional vulnerabilities exposed by this incident.
What the UK Parliament Heard — and What Microsoft Now Says
On 10 February 2026, Hugh Milward, Microsoft’s senior director for corporate, external and legal affairs, told the House of Commons Business and Trade Committee that the ICC — not Microsoft — decided to disable the email account of ICC Chief Prosecutor Karim Khan after the United States imposed sanctions on him. Milward insisted Microsoft “worked with the ICC throughout the whole period” and that “it was the ICC’s decision to terminate and respond to that sanction, not Microsoft’s.” When pressed on how a US company could avoid complying with US sanctions, Milward replied that the ICC “has the ability to switch on and off their own users” and “makes the decision as to whether or not they continue to provide service to one of their employees.”
Following reports in the Dutch press and scrutiny from activists, Microsoft changed its story. A company spokesperson told The Register: “We have apologized to the Business and Trade Committee for the inaccuracy and asked for the record of the hearing to be corrected.” The new Microsoft line: “We were in touch with the ICC throughout the process that resulted in the disconnection of its sanctioned official from Microsoft services. At no point did Microsoft cease or suspend its services to the ICC.”
Yet a detailed account from Dutch sources, confirmed by technology activist Bert Hubert, paints a different picture. According to that version, Microsoft informed the ICC that US sanctions required it to deny Khan access to its services. If the ICC did not itself suspend the prosecutor’s account, Microsoft would terminate email services for the entire organization. Faced with that ultimatum, the ICC’s own IT staff pulled the plug on Khan’s mailbox. Microsoft has so far declined to comment on that additional reporting.
The correction request raises procedural and trust questions. As of this writing, the parliamentary transcript still reflects Milward’s original words; no formal amendment has been published. While a correction would settle the factual record of who clicked “deactivate,” it does not alter the broader structural issue: a US cloud provider, held to US sanctions law, can force a customer organization to act against its own officials — or risk losing service entirely.
What It Means for You
For enterprises and public sector bodies that rely on US cloud providers, this isn’t just a political dispute. It’s a clear demonstration that contractual and technical assurances can buckle under the weight of sanctions with extraterritorial reach. The practical impacts break down by audience:
IT and Procurement Leaders: Your vendor’s promises to “challenge” unlawful orders or keep your data within a certain geography do not outweigh a valid US court order or executive action. If a sanctioned individual appears inside your organization, a US provider cannot lawfully continue serving that person — and may have the contractual right to impose that restriction on you, up to and including threatening to cut off your entire tenant. Your risk assessment must now account for this scenario.
Public Sector and Regulated Entities: Governments and international courts are already responding. The ICC itself migrated to OpenDesk, an open-source office stack delivered by the German Centre for Digital Sovereignty, partly to reduce dependency on US-controlled software. The French government and other ministries are accelerating procurement of “sovereign” clouds run by local companies. If you handle sensitive diplomatic, judicial, or personal data, the incident confirms that full independence from foreign legal compulsion requires infrastructure and software that sits outside the reach of the US legal system.
Everyday Windows Users and Small Businesses: The immediate impact is indirect, but not irrelevant. As larger organizations shift toward European cloud solutions and open-source alternatives, the ecosystem of integrated apps and services you rely on may fragment. For home users, the deeper concern is the same as in the enterprise: US government access to personal data stored by US tech firms is limited only by the law — and your government’s ability to negotiate — not by any absolute technical firewall.
How We Got Here: A Timeline of Tensions
This parliamentary dust-up is the latest symptom of a long-simmering conflict. Key milestones include:
- Spring 2025: The United States imposes sanctions on ICC officials investigating alleged war crimes by Israeli leaders. Chief Prosecutor Karim Khan is among those targeted.
- 10 June 2025: In sworn testimony before a French Senate commission, Anton Carniaux, Microsoft France’s director of public and legal affairs, admits he “cannot guarantee” that French citizens’ data would never be handed to US authorities under the CLOUD Act. That admission becomes a rallying cry for European digital sovereignty advocates.
- April 2025: Microsoft announces a “European Digital Resilience Commitment,” pledging to include contractual promises to litigate against unlawful data requests, expand datacentre capacity, and set up a European governance board. The move aims to reassure nervous European governments, but critics note that no contract can override a US court order.
- Early 2026: Karim Khan’s Microsoft email access is suspended. The Dutch press reports the ultimatum from Microsoft; the ICC confirms the incident.
- 10 February 2026: Hugh Milward testifies to the UK Parliament that the ICC — not Microsoft — made the decision to suspend the account.
- 18 February 2026: After The Register’s inquiries, Microsoft apologizes for the inaccuracy and asks for the parliamentary record to be corrected.
- Ongoing: The ICC adopts OpenDesk. Gartner forecasts that European sovereign cloud spending will more than triple from $6.9 billion in 2025 to $23 billion in 2027, amid a global surge that could reach $80 billion in 2026.
What to Do Now: Practical Steps to Shore Up Your Cloud Sovereignty
While no single measure provides complete insulation from extraterritorial legal risks, organizations can layer protections to meaningfully reduce exposure:
-
Audit Your Cloud Footprint for Sanctions Sensitivity
Identify workloads and user accounts that, if blocked, could disrupt operations, diplomatic functions, or fundamental rights. Map which services rely on US-based providers and which have viable non-US alternatives. -
Implement a Tiered Data Strategy
- Tier 1 (highest sensitivity): Data and identities that would be unacceptable to put under any conceivable US legal reach. Move these to providers solely under EU or national jurisdiction, or to on-premises infrastructure.
- Tier 2: Enforce strict technical controls — customer-managed encryption keys held outside the provider’s reach, split-key architectures, and identity systems that allow your own administrators to disable accounts without vendor involvement. Insist on contractual commitments for advance notice of any legal orders and a pledge to fight them in court.
- Tier 3: Standard cloud workloads where cost and convenience outweigh legal risk. -
Strengthen Contracts
Demand transparency reporting, clearly defined jurisdiction, and obligations on the vendor to notify you before—not after—complying with any foreign order that might affect your services. While such clauses cannot nullify a valid court order, they create procedural hurdles and give you time to respond. -
Test Your Sanctions Response
Run tabletop exercises that simulate a sanctions-triggered account suspension by a critical cloud provider. Who decides? How fast can you switch to an alternative? Does your legal team have a pre-drafted challenge? -
Seed or Adopt Sovereign Alternatives
Where no suitable European cloud exists for a particular workload, consider joining procurement consortia or funding open-source projects. The ICC’s move to OpenDesk shows that organizations can break free of a single vendor stack when compelled. -
For Governments and Policymakers
Define clear certification criteria for “sovereign” cloud services and use public procurement to create a market. The French Senate’s experience, combined with the ICC saga, provides the political momentum.
Outlook: A Market Reshaped by Jurisdiction
The immediate future will see more public bodies scrutinising every cloud contract for a sanctions clause. Microsoft’s parliamentary correction, while embarrassing, is unlikely to satisfy those who see the ICC episode as proof that US cloud providers cannot be fully trusted with sensitive European data when Washington’s foreign policy shifts. Gartner’s forecast of a three-fold increase in European sovereign cloud spending underscores that this is no longer a fringe concern — it’s a procurement priority with billions of euros behind it.
Watch for the UK Parliament response: will it amend the record and question Milward further? Also track the pilot deployments of OpenDesk and similar open-source stacks in EU institutions. Microsoft, AWS, and Google will likely intensify their “sovereign cloud” marketing, but without a genuine legal firewall — something no contract can deliver — a growing number of European customers will vote with their budgets for alternatives that sit outside the reach of the CLOUD Act.