For weeks now, corporate hallways have echoed with growing concerns over employees’ use of artificial intelligence. Legal and IT departments are rushing to draft internal policies, driven by the seemingly legitimate fear of sensitive data leaking through these new communication channels.
🤖 The current landscape:
Generative AI platforms (ChatGPT, Claude, DeepSeek, Mistral…) demonstrate commendable transparency in their privacy policies. They openly acknowledge collecting and storing user data on their servers—whether American, Chinese, or French.
⚠️ But beware: Focusing our concerns solely on these new tools reveals a form of strategic myopia.
📊 CLOUD Act: When U.S. law infiltrates European data
Since March 2018, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) has significantly strengthened U.S. legal control over our data. This legislation grants U.S. authorities access to data stored on “non-American” servers, creating a major loophole in GDPR compliance.
🎯 A crucial yet often overlooked fact: Hosting providers subject to U.S. law can hand over data without even informing its owners—whether individuals or businesses.
💻 The staggering scale of the phenomenon
Let’s dive into numbers that put this issue into perspective. Microsoft 365 dominates the market with over 345 million paid users in 2024 [https://www.microsoft.com/en-us/investor/earnings/fy-2024-q2/press-release-webcast], representing more than 2 million companies worldwide. But this is just the tip of the iceberg. Every day, a tsunami of sensitive data flows through:
• Professional emails:
- Outlook has over 1.4 billion active users https://www.microsoft.com/en-us/microsoft-365/outlook/email-and-calendar-software-microsoft-outlook
- Gmail leads with over 1.8 billion professional and personal users https://workspace.google.com/intl/en/features/
- More than 333.2 billion business emails are exchanged daily https://www.statista.com/statistics/456500/daily-number-of-e-mails-worldwide/
• Cloud storage services:
- OneDrive stores over 115 petabytes of corporate data https://www.microsoft.com/en-us/microsoft-365/onedrive/onedrive-for-business
- SharePoint manages data for over 300,000 organizations https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration
• Collaboration tools:
- Teams has over 320 million monthly active users https://www.microsoft.com/en-us/microsoft-teams/group-chat-software
- Google Workspace serves over 3 billion users https://workspace.google.com/
- More than 50 million Teams meetings take place daily https://www.microsoft.com/en-us/microsoft-teams/teams-analytics
• Virtual desktop synchronization systems:
- 67% of businesses now use virtual desktop solutions https://www.gartner.com/en/documents/3989813/
🔑 The fundamental difference
While AI usage requires active consent for data collection, our daily digital infrastructures operate passive data collection—often invisible yet just as real.
⚖️ The current paradox
American tech giants hold an almost monopolistic grip on:
• Hosting servers
• Operating systems
• Web browsers
• Email solutions
• Collaboration tools
🔍 The real risk isn’t just AI usage—it’s our entire digital infrastructure.
Companies worry about chatbots, but how many have implemented end-to-end encryption (AES-256) for their emails and sensitive documents? Apart from banks and a few strategic organizations, the vast majority of businesses store and exchange critical data without real protection.
Of course, regulating AI use in companies is necessary—but it’s only one piece of the puzzle. These policies, though essential, risk being mere placebos if they aren’t part of a broader data protection strategy.
🌐 Ultimately, the real question is: Do we truly want to protect our data, or are we just creating the illusion of doing so?
In this context, implementing AI policies without rethinking our entire information system is like putting a padlock on an open door—leaving us with no choice but to trust the U.S. government to exercise restraint with its sovereign powers.
❓ Given these complex challenges, what concrete measures has your company taken to truly protect its sensitive data? Beyond AI usage policies, what alternatives do you prioritize for your digital infrastructure?