Microsoft OneDrive EU Alternative 2026: CLOUD Act, Microsoft 365, and What EU Teams Use Instead
Microsoft OneDrive is the default cloud storage layer for over 400 million Microsoft 365 subscribers worldwide — which means it is also among the most common sources of GDPR compliance risk for EU organisations. Not because of any failure in Microsoft's security posture, but because of a structural legal fact: Microsoft Corporation is a US company, and all of its services are subject to compelled disclosure under US law regardless of where the data physically resides.
This guide explains the mechanics of that exposure, why Microsoft's own EU Data Boundary does not resolve the underlying problem, and which EU-native alternatives provide genuine data sovereignty for files, documents, and collaboration data.
Microsoft Corporation: The Corporate Structure That Matters for GDPR
Microsoft Corporation is incorporated under the laws of Washington State, with headquarters at One Microsoft Way, Redmond, WA 98052. It is publicly traded on Nasdaq as MSFT, with a market capitalisation exceeding $3 trillion.
Microsoft Ireland Operations Limited (MIOL) acts as the Microsoft 365 data controller for EU/EEA customers. This is a standard structure: a foreign subsidiary accepts contractual responsibility for EU data processing while the parent US corporation retains ultimate ownership of infrastructure, engineering, and compelled disclosure obligations.
The subsidiary structure does not insulate EU customer data from US law. The relevant statute is explicit.
The CLOUD Act and the Microsoft Ireland Precedent
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 18 U.S.C. § 2713, was passed in 2018 specifically in response to United States v. Microsoft Corp. (the "Microsoft Ireland case"). Between 2016 and 2018, Microsoft challenged a US Department of Justice warrant demanding emails stored on servers in Dublin, Ireland. Microsoft argued that US law could not compel production of data stored on foreign soil.
The Supreme Court agreed to hear the case. Before it could rule, Congress passed the CLOUD Act, which amended the Stored Communications Act to state:
"A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
The case was then dismissed as moot. The outcome: data stored by a US company is subject to US government compulsion regardless of the physical server location. Microsoft's Dublin data center does not create a legal shield. Neither does Microsoft's Amsterdam, Stockholm, or Helsinki data center.
Microsoft's EU Data Boundary: What It Does and Doesn't Do
In January 2023, Microsoft launched the EU Data Boundary (EUDB) — a commitment to store and process EU/EEA commercial customer data within the EU/EEA for its core commercial cloud services, including Microsoft 365 (OneDrive, SharePoint, Teams, Exchange Online).
EUDB represents a meaningful engineering investment. Microsoft has documented which data categories stay within the EU boundary and which currently do not (for example, certain telemetry and diagnostic data was still processed outside the EU in EUDB's initial phases).
However, EUDB's own documentation acknowledges a critical limitation: EUDB does not and cannot nullify Microsoft's obligations under US law. If US authorities issue a lawful order under the CLOUD Act, FISA Section 702, or a National Security Letter, Microsoft must comply regardless of where the data physically sits and regardless of EUDB commitments.
Microsoft's privacy documentation states: "Microsoft will challenge any government request for EU customer data that it believes is not required by law." This is a contractual commitment to legal resistance, not a technical guarantee. Legal resistance may delay disclosure; it cannot prevent it if the order is upheld.
For EU organisations that need to demonstrate GDPR compliance, this creates a structural problem. A Transfer Impact Assessment (TIA) required by EDPB guidance must account for the realistic probability of CLOUD Act orders — and Microsoft's own disclosure reports show it receives hundreds of such orders per year.
FISA Section 702 and PRISM
Microsoft was one of the original providers under the PRISM surveillance programme, with participation beginning in 2007. PRISM operates under FISA Section 702, which authorises the collection of foreign intelligence data stored by US electronic communications service providers.
Section 702 authorises the acquisition of data about non-US persons located outside the United States — which describes precisely the EU users of Microsoft 365. The orders are issued to companies, not to individuals, and are accompanied by gag orders that prohibit the provider from notifying the target.
National Security Letters (NSLs): Microsoft also receives NSLs issued by the FBI. In its most recent transparency report, Microsoft received NSL counts in the thousands annually. NSLs also carry gag orders and do not require judicial authorisation.
The combination of CLOUD Act orders, FISA Section 702, and NSLs creates a legal landscape in which US authorities have multiple independent pathways to OneDrive and SharePoint data — with minimal EU judicial oversight over any of them.
What GDPR-Relevant Data Lives in Microsoft 365
OneDrive is not a standalone product for most enterprise users. It is the storage layer beneath Microsoft 365. Understanding the GDPR exposure requires mapping what data actually flows through it:
OneDrive for Business:
- Employee files, shared drives, personal document libraries
- Scanned documents, contracts, HR data, medical records (if applicable)
- Version history containing deleted drafts with personal data
SharePoint Online:
- Team sites and document libraries (the backend for Teams file tabs)
- Intranet pages with personnel directories
- Project records, compliance documentation
- Power Automate flow histories stored in SharePoint lists
Microsoft Teams:
- Chat messages (stored in Exchange Online mailboxes + SharePoint)
- Channel messages and posts (stored in SharePoint group mailboxes)
- Meeting recordings and transcripts (stored in OneDrive of the organiser)
- Shared files in Teams channels (stored in SharePoint)
- Voicemail transcriptions (stored in Exchange)
Microsoft Copilot / Microsoft 365 Copilot:
- Prompt inputs and model outputs may be retained for abuse monitoring and model improvement (depending on tenant configuration)
- Copilot processes document content, email context, and meeting transcripts
- Microsoft's Copilot data handling is governed by a separate DPA addendum
Exchange Online:
- Email bodies and attachments (frequently contain personal data)
- Calendar entries with attendee lists
- Contact directories with employee and customer PII
Every category above is accessible to US authorities through CLOUD Act orders, FISA production, or NSLs. The data does not need to leave the EU for this to be true.
GDPR Compliance Requirements When Using Microsoft 365
If your organisation continues using Microsoft 365, these obligations apply:
Data Processing Agreement: Microsoft provides the Microsoft Online Services Data Protection Addendum (DPA) as the GDPR-required data processing agreement. This DPA includes Standard Contractual Clauses (SCCs) as the transfer mechanism for data transferred outside the EU.
Transfer Impact Assessment: Following the Schrems II ruling and EDPB Recommendation 01/2020, organisations must conduct a TIA before relying on SCCs. The TIA must assess whether the SCCs provide "essentially equivalent" protection to EU law in the destination country. For the United States, this assessment must address CLOUD Act, FISA Section 702, and NSL exposure. Supervisory authorities in Austria, Belgium, and France have found that standard SCCs alone are insufficient for US-cloud transfers — organisations must assess whether supplementary measures (encryption, pseudonymisation) are effective, and whether the transfer can be justified.
Records of Processing Activities (ROPA): Each OneDrive, SharePoint, Teams, and Exchange Online workload must be documented as a processing activity in your ROPA, including data categories, retention periods, sub-processors (Microsoft and its sub-processors listed in the DPA), and transfer mechanisms.
Data Subject Access Requests: Microsoft 365 provides the Microsoft Purview Compliance Portal for DSAR searches. For large tenants with extensive historical data, DSAR fulfilment can be operationally complex. Microsoft's eDiscovery and search tools help but require administrator configuration.
Retention and Deletion: Retention labels and policies must be configured to implement deletion obligations under GDPR Article 17. Microsoft Purview Retention Policies can automate deletion, but litigation holds and compliance holds may delay deletion in practice.
Microsoft EU Data Boundary Limitations: A Realistic Assessment
| Capability | EUDB Commitment | CLOUD Act Reality |
|---|---|---|
| Data storage location | Within EU/EEA ✓ | Irrelevant for compelled disclosure |
| Data processing location | Within EU/EEA for core services ✓ | Irrelevant for compelled disclosure |
| Telemetry data | Some still processed in US (EUDB phase-in) | Subject to US orders |
| Legal challenge commitment | Microsoft will challenge unlawful orders | Lawful orders must be complied with |
| FISA Section 702 | No EUDB provision | Subject to collection |
| NSLs | No EUDB provision | Subject to collection |
| Notification to customers | Cannot notify under gag orders | Structural limit of any US provider |
EUDB is meaningful for reducing routine data transfers and demonstrating good-faith compliance effort. It does not address the fundamental legal exposure for organisations that need to satisfy supervisory authority scrutiny of transatlantic data transfers.
EU-Native Alternatives to Microsoft OneDrive and Microsoft 365
The following alternatives are headquartered in the EU/EEA and are structured such that they are not US companies subject to CLOUD Act compelled disclosure.
Nextcloud Hub (Stuttgart, Germany)
Corporate structure: Nextcloud GmbH, incorporated in Stuttgart, Germany. Founded by Frank Karlitschek (also co-founder of ownCloud). No US parent company, no US VC investors that would create structural CLOUD Act exposure through corporate control.
What it covers: Nextcloud Hub is a full Microsoft 365-equivalent for self-hosted or managed deployments. Files (OneDrive equivalent), Nextcloud Office (collaborative document editing via Collabora Online or OnlyOffice), Talk (Teams equivalent), Mail (Exchange equivalent), Calendar, Contacts.
Deployment options: Self-hosted on your own infrastructure or EU-hosted via Nextcloud-certified hosters including IONOS, Hetzner, OVHcloud, and others.
GDPR position: When self-hosted, you are the controller and processor. No third-country transfer occurs. When hosted by an EU provider on EU infrastructure, the processing chain remains within the EU.
Licensing: AGPL-3.0 (core), Enterprise Subscription available for support, compliance features, and advanced enterprise integrations.
Relevant for: Organisations that can manage their own infrastructure or use a managed EU hoster. The most complete Microsoft 365 replacement in the EU sovereign stack.
ownCloud (Nürnberg, Germany)
Corporate structure: ownCloud GmbH, Nuremberg, Germany. ownCloud was the predecessor to Nextcloud — Frank Karlitschek founded ownCloud in 2010, then left to found Nextcloud in 2016. ownCloud remained as a separate entity focused on enterprise customers.
What it covers: Enterprise file sync and share, document collaboration via ownCloud Infinite Scale (oCIS) — a rebuilt, container-native architecture. Strong governance features, compliance frameworks (ISO 27001, SOC 2 comparable), and enterprise connectors.
Deployment options: On-premises or managed hosting by EU partners.
Differentiation from Nextcloud: ownCloud Infinite Scale is built for large-scale enterprise deployments (100,000+ users) with particular emphasis on governance, audit trails, and regulatory compliance documentation. More enterprise-IT-oriented, less consumer-style feature set.
GDPR position: Same as Nextcloud — the data stays where you deploy it, within your control.
Seafile (Stuttgart, Germany)
Corporate structure: Seafile Ltd. / Seafile GmbH (Germany). Originally developed at Tsinghua University in China, but the European entity is Seafile GmbH based in Stuttgart. Note: the original developer entity is in China — organisations with strict data sovereignty requirements should verify the governance structure and whether source code review is part of their threat model.
What it covers: High-performance file sync, block-level deduplication, encrypted client-side storage libraries, team collaboration. Known for sync performance with large file counts.
Differentiation: Seafile's block-level sync makes it particularly efficient for large binary files and large file counts compared to file-level sync tools. Less full-stack (no equivalent of Teams or Exchange), but excellent as a file storage layer.
Strato HiDrive (Berlin, Germany)
Corporate structure: STRATO AG, Berlin, Germany. Subsidiary of Deutsche Telekom (Germany, listed on Frankfurt Stock Exchange: DTE). German infrastructure, German data protection law applies as primary jurisdiction.
What it covers: Cloud file storage, WebDAV, backup, photo sharing. Consumer and business tiers.
Differentiation: Well-known German brand, easy onboarding for non-technical teams. Less suited for complex collaborative workloads. Good choice as a simple file storage and backup solution for SMBs.
Hetzner Storage Box (Nürnberg, Germany)
Corporate structure: Hetzner Online GmbH, Gunzenhausen, Bavaria. Family-owned, no external investors, no US parent. One of the most trusted EU infrastructure providers.
What it covers: SFTP, FTP, SMB/CIFS, Rsync, BorgBackup compatible object-like storage. Not a consumer-grade GUI product — designed for developer and DevOps workflows.
Differentiation: Extremely cost-effective (from €3.46/month for 1TB), German data centres, GDPR-focused operator. Integration with rclone, borg, restic makes it suitable for automated backup and archival. Not a replacement for OneDrive GUI — combine with a self-hosted Nextcloud for the full stack.
ONLYOFFICE DocSpace (Riga, Latvia)
Corporate structure: Ascensio System SIA, Riga, Latvia. EU member state. Founded 2009, independent of US ownership.
What it covers: ONLYOFFICE DocSpace provides Google Workspace / Microsoft 365-style collaborative document editing (DOCX, XLSX, PPTX native compatibility). DocSpace adds room-based collaboration (guest rooms, editing rooms, review rooms) suitable for client collaboration workflows.
Differentiation: Native OOXML format support means documents opened in ONLYOFFICE look identical to Microsoft 365. This is a practical advantage during migrations when clients or partners continue using Microsoft Office.
Deployment: Cloud-hosted at ONLYOFFICE.com (Latvia) or self-hosted on-premises.
CryptPad (XWiki SAS, Paris, France)
Corporate structure: XWiki SAS, Paris, France. CryptPad is developed by the XWiki team with funding from EU research grants (NLnet, NGI Next Generation Internet programme).
What it covers: Zero-knowledge collaborative editing — documents are encrypted client-side before reaching the server. The server operator cannot read document contents. Includes a collaborative document editor, spreadsheet, presentation, kanban board, and whiteboard.
Differentiation: Zero-knowledge architecture means even the hosting provider cannot comply with a surveillance order for document content (they only have encrypted ciphertext). This provides a level of protection that even EU-hosted services cannot guarantee if the server operator is subject to a court order.
Trade-offs: No native OOXML compatibility. No offline mode. Suitable for sensitive internal collaboration; less suitable for external client sharing workflows that require Microsoft Office format compatibility.
Microsoft 365 → EU Stack: Migration Considerations
Migrating from Microsoft 365 involves more than file storage. The suite covers email, calendar, video calls, document editing, and increasingly AI features through Copilot. A realistic EU-equivalent stack looks like this:
| Microsoft 365 Component | EU Alternative |
|---|---|
| OneDrive / SharePoint (files) | Nextcloud Files, ownCloud, Seafile |
| Microsoft Office (Word/Excel/PPT) | ONLYOFFICE (OOXML compatibility), LibreOffice |
| Teams (video + chat) | Nextcloud Talk, Matrix/Element, Jitsi |
| Exchange / Outlook (email) | Nextcloud Mail + Postfix, Mailbox.org, ProtonMail Business |
| SharePoint Intranet | Nextcloud, Confluence self-hosted, BookStack |
| Microsoft Forms | Nextcloud Forms, LimeSurvey |
| Power Automate | n8n (self-hosted), Nextcloud Flow |
| Microsoft Purview / compliance | Nextcloud Audit, ownCloud Governance |
| Copilot | Open WebUI + Mistral on EU cloud, Nextcloud AI features |
Migration tooling: Microsoft provides the SharePoint Migration Tool for migrating from file shares to SharePoint. For the reverse direction (SharePoint/OneDrive to Nextcloud or ownCloud), tools include:
- rclone: mounts OneDrive and copies to target — handles incremental sync
- Nextcloud's Migration App for specific source integrations
- ownCloud's Import Tool for ownCloud-to-ownCloud migrations (version upgrades)
- Direct WebDAV sync between Microsoft 365 and Nextcloud (for smaller tenants)
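The rclone route above is the one most tenants end up scripting. The following is an added example, not code from this page or from rclone, Microsoft or Nextcloud. It assumes rclone remotes already exist in rclone.conf: one per user drive on the OneDrive side (OneDrive for Business authenticates per user) and one per user on the Nextcloud WebDAV side; the remote names, log directory and user list are placeholders. It builds one `rclone sync` per drive, runs a dry-run first (because `sync` also deletes files on the destination that are missing from the source), and prepares an `rclone check` for the validation step.

```python
"""Plan and run an incremental OneDrive -> Nextcloud migration with rclone.

Added example, not code from the page or from rclone, Microsoft or
Nextcloud. Assumes per-user rclone remotes already configured on both
sides; remote names, paths and the user list are placeholders.
"""
import shutil
import subprocess
from pathlib import Path

# Constructed mapping of source remote -> destination remote, one per user.
USERS = [
    ("onedrive-alice", "nextcloud-alice"),
    ("onedrive-bob", "nextcloud-bob"),
]

# Office lock files and sync-client metadata should not be migrated.
EXCLUDES = ["~$*", "desktop.ini", ".DS_Store"]


def build_sync_command(src_remote, dst_remote, log_file, dry_run=True):
    """Return the rclone argv for one incremental sync of a whole drive.

    `rclone sync` makes the destination match the source, including
    deletions, so the first pass is always a --dry-run whose log is
    reviewed before the real run.
    """
    cmd = ["rclone", "sync", f"{src_remote}:", f"{dst_remote}:"]
    for pattern in EXCLUDES:
        cmd += ["--exclude", pattern]
    cmd += [
        "--create-empty-src-dirs",  # keep the folder structure users expect
        "--log-file", str(log_file),
        "--log-level", "INFO",
        "--transfers", "4",  # modest parallelism to stay under API throttling
    ]
    if dry_run:
        cmd.append("--dry-run")
    return cmd


def build_check_command(src_remote, dst_remote):
    """rclone check lists differences without copying; used after the sync
    as the migration validation step. --one-way only requires that every
    source file exists on the destination."""
    return ["rclone", "check", f"{src_remote}:", f"{dst_remote}:", "--one-way"]


def plan_migration(users, log_dir, dry_run=True):
    """One sync command per user, each with its own log file."""
    plan = []
    for src, dst in users:
        log_file = Path(log_dir) / f"{src}.log"
        plan.append(build_sync_command(src, dst, log_file, dry_run))
    return plan


def run_plan(plan):
    """Run the commands in order and stop at the first failure, so a
    partially migrated drive is noticed rather than silently skipped."""
    if shutil.which("rclone") is None:
        raise RuntimeError("rclone is not on PATH")
    for cmd in plan:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Dry-run pass: print what would be executed before running anything.
    for cmd in plan_migration(USERS, "migration-logs"):
        print(" ".join(cmd))
```

Run the dry-run plan first, read the per-user logs, then call `plan_migration(..., dry_run=False)` followed by `build_check_command` for each pair; the check output is the evidence you keep for the "migration validation" step before licences are revoked.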
Teams channel messages: Teams stores channel messages in Exchange Online mailboxes, not directly in OneDrive/SharePoint. Exporting Teams chat history is possible via Microsoft Purview eDiscovery export or compliance export, but the format is JSON — not natively importable into Matrix/Element. Custom migration scripts are required.
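What such a custom script looks like, as an added example that is not code from this page, from Microsoft or from the Matrix project: it takes a JSON export of channel messages and emits Matrix `m.room.message` events. The export structure in the sample is constructed to stand in for a Purview export; the page does not show the real schema, so the field names are an assumption to be checked against an actual export. The mapping from e-mail address to Matrix user ID and the homeserver name are also assumptions.

```python
"""Convert a Teams channel export into Matrix m.room.message events.

Added example, not code from the page, Microsoft or the Matrix project.
The export structure is constructed (assumed field names); the e-mail to
Matrix ID mapping and the homeserver domain are placeholders.
"""
import re
from datetime import datetime, timezone
from html.parser import HTMLParser

HOMESERVER = "example.eu"  # placeholder Matrix homeserver domain

# Constructed sample export: two user messages and one system event.
TEAMS_EXPORT = [
    {
        "messageType": "message",
        "createdDateTime": "2024-03-01T09:15:00Z",
        "from": {"user": {"displayName": "Alice Example", "email": "alice@example.eu"}},
        "body": {"contentType": "html", "content": "<p>Draft contract uploaded to <b>Legal</b></p>"},
    },
    {
        "messageType": "systemEventMessage",
        "createdDateTime": "2024-03-01T09:16:00Z",
        "from": None,
        "body": {"contentType": "text", "content": "Bob Example was added to the channel"},
    },
    {
        "messageType": "message",
        "createdDateTime": "2024-03-01T09:20:00.1234567Z",
        "from": {"user": {"displayName": "Bob Example", "email": "bob@example.eu"}},
        "body": {"contentType": "text", "content": "Thanks, reviewing now"},
    },
]


class _TextExtractor(HTMLParser):
    """Collect the text nodes of an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def html_to_text(fragment):
    parser = _TextExtractor()
    parser.feed(fragment)
    return "".join(parser.parts).strip()


def to_matrix_id(email):
    """alice@example.eu -> @alice:example.eu (assumed mapping)."""
    local_part = email.split("@", 1)[0].lower()
    return f"@{local_part}:{HOMESERVER}"


def to_epoch_ms(ts):
    """Parse an ISO-8601 UTC timestamp into milliseconds, dropping the
    sub-second part, which fromisoformat() rejects beyond six digits."""
    ts = re.sub(r"\.\d+", "", ts).replace("Z", "+00:00")
    return int(datetime.fromisoformat(ts).astimezone(timezone.utc).timestamp() * 1000)


def convert_export(messages):
    """Return Matrix event dicts for user messages. System events are
    dropped: Matrix represents membership changes as separate event types."""
    events = []
    for msg in messages:
        if msg.get("messageType") != "message" or not msg.get("from"):
            continue
        body = msg["body"]
        is_html = body.get("contentType") == "html"
        text = html_to_text(body["content"]) if is_html else body["content"]
        content = {"msgtype": "m.text", "body": text}
        if is_html:
            content["format"] = "org.matrix.custom.html"
            content["formatted_body"] = body["content"]
        events.append({
            "type": "m.room.message",
            "sender": to_matrix_id(msg["from"]["user"]["email"]),
            "origin_server_ts": to_epoch_ms(msg["createdDateTime"]),
            "content": content,
        })
    return events


if __name__ == "__main__":
    import json
    print(json.dumps(convert_export(TEAMS_EXPORT), indent=2))
```

Inserting these events into a room with their original timestamps needs the Matrix application-service API, since an ordinary client cannot set `origin_server_ts`; attachments referenced by the messages live in SharePoint and are migrated with the file tooling, not with this script.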
Retention and compliance holds: Any SharePoint content subject to a legal hold or retention policy must have holds released before content can be deleted. Plan for this in your migration timeline — releasing holds in large tenants can require legal sign-off and Purview administrator work.
EU Sovereign File Storage: Decision Framework
| Requirement | Recommended EU Option |
|---|---|
| Self-hosted, full control | Nextcloud Hub (AGPL, self-hosted) |
| Enterprise scale (100k+ users) | ownCloud Infinite Scale |
| OOXML document compatibility priority | ONLYOFFICE DocSpace |
| Zero-knowledge encryption requirement | CryptPad |
| Simple SMB cloud storage | Strato HiDrive |
| Developer/DevOps backup storage | Hetzner Storage Box |
| Managed EU-hosted Nextcloud | IONOS, Hetzner Managed, OVHcloud |
Checklist: Replacing Microsoft OneDrive + SharePoint for GDPR Compliance
- Audit all OneDrive and SharePoint data categories (personal data inventory)
- Identify Teams file shares stored in SharePoint team sites
- Identify Teams meeting recordings stored in OneDrive (organiser's drive)
- Select EU-sovereign replacement stack (files + editing + communication)
- Run pilot migration with rclone or SharePoint Migration Tool
- Configure retention and deletion policies in the new system
- Update ROPA to reflect new processors and transfer mechanisms (none for EU-only stack)
- Notify data subjects if required by your privacy notice updates
- Revoke Microsoft 365 licenses after migration validation
- Disable OneDrive sync clients on end-user devices post-migration
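The first checklist item, the personal data inventory, is the one that tends to be done by hand. As an added example that is not code from this page or from any vendor, the script below walks an exported OneDrive/SharePoint tree, counts e-mail addresses, phone numbers and IBANs in plain-text files, and flags Office and PDF files for manual review because their content is not plain text. The sample tree and its contents are constructed, and the patterns are deliberately simple starting points for a real audit.

```python
"""Build a personal-data inventory from an exported OneDrive/SharePoint tree.

Added example, not code from the page or any vendor. The sample tree is
constructed; the regexes are simple and would be extended for a real audit.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d{1,3}[\d ]{6,}\d"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,4})?\b"),
}
TEXT_EXT = {".txt", ".csv", ".md", ".json", ".log"}
REVIEW_EXT = {".docx", ".xlsx", ".pptx", ".pdf"}  # need a content-aware tool


def scan_file(path):
    """Return a per-category match count for one text file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}


def scan_tree(root):
    """Walk the export and return {relative path: findings}. Text files
    with no matches are left out; binary office formats are flagged."""
    root = Path(root)
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            ext = path.suffix.lower()
            if ext in TEXT_EXT:
                counts = scan_file(path)
                if any(counts.values()):
                    inventory[rel] = counts
            elif ext in REVIEW_EXT:
                inventory[rel] = {"needs_review": True}
    return inventory


def summarise(inventory):
    """Total matches per category across the tree (review flags excluded)."""
    totals = Counter()
    for findings in inventory.values():
        for key, value in findings.items():
            if isinstance(value, int) and not isinstance(value, bool):
                totals[key] += value
    return dict(totals)


def build_sample_tree():
    """Create a constructed export tree in a temp directory; return its path."""
    root = Path(tempfile.mkdtemp(prefix="m365-export-"))
    files = {
        "HR/staff.csv": "name,email,phone\nAlice Example,alice@example.eu,+49 30 1234567\n"
                        "Bob Example,bob@example.eu,+33 1 23456789\n",
        "Legal/notes.txt": "Meeting notes: review of supplier terms, no personal data.\n",
        "Finance/bank.txt": "Refund to IBAN DE89 3704 0044 0532 0130 00 pending.\n",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content, encoding="utf-8")
    # Constructed placeholder for a spreadsheet; only its extension matters here.
    (root / "Finance" / "payroll.xlsx").write_bytes(b"PK\x03\x04 constructed placeholder")
    return root


if __name__ == "__main__":
    inv = scan_tree(build_sample_tree())
    for rel, findings in sorted(inv.items()):
        print(rel, findings)
    print("totals:", summarise(inv))
```

The per-path findings map directly onto the data categories the ROPA entry for the new system has to list; the `needs_review` entries are the files to open with a document-aware scanner or by hand before the pilot migration.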
Summary
Microsoft Corporation's status as a US company creates a structural GDPR compliance challenge for EU organisations using OneDrive, SharePoint, Teams, and the rest of Microsoft 365. The EU Data Boundary reduces routine data transfers and demonstrates compliance intent, but it does not and cannot override the CLOUD Act, FISA Section 702, or National Security Letters — all of which provide US authorities with legal pathways to Microsoft 365 data regardless of where it physically resides.
EU-native alternatives — Nextcloud, ownCloud, ONLYOFFICE DocSpace, Seafile, Strato HiDrive, Hetzner Storage Box, and CryptPad — provide file storage and collaboration capabilities without the structural exposure that comes from using a US-incorporated provider. For organisations that need to satisfy supervisory authority scrutiny of their data transfers, or that are subject to sector-specific regulations (healthcare, finance, legal), an EU-sovereign stack removes the most common source of transfer risk entirely.
The Microsoft Ireland case of 2016–2018 was the moment the industry learned that US law reaches EU data centers. The CLOUD Act that ended that case was designed to make that reach permanent and explicit. Four years later, that legal structure has not changed — and neither has the compliance obligation to account for it.