IMPLICATOR
In Germany, 98 percent of adults tell pollsters they do not trust Chinese technology companies with their personal data. Ninety-one percent say the same about American firms. Read those numbers twice. There is no further room on the scale. Whatever happens next in Brussels, Washington or Beijing, the German public cannot tell a pollster it trusts foreign tech any less than it already does.
That ceiling is the most important feature of the POLITICO European Pulse survey released on April 10, and almost nobody is reading it correctly. The headline, 84 percent of Europeans distrusting US tech firms, gets treated as a mood, a Trump-era tantrum that will fade when the next administration arrives. It will not fade. The sentiment is downstream of statutes, not personalities. And the statutes aren't going anywhere.
Europeans have been saying a version of this to pollsters for six years straight. What shifted this spring is not the polling answer. What shifted is that Brussels, at last, believes it.
What's Actually at Stake
- POLITICO's European Pulse survey shows 84 percent of Europeans distrust American tech firms and 93 percent distrust Chinese ones, with German distrust already at the statistical ceiling of 91 and 98 percent.
- The numbers are not a Trump-era spike. Bertelsmann measured 20 percent trust in US firms and 6 percent in Chinese firms back in 2019, meaning the headline figure reflects six years of legal architecture catching up to public sentiment.
- The CLOUD Act and China's 2017 National Intelligence Law create jurisdictional asymmetries GDPR cannot fix, making any sovereignty branding on top of US-parented cloud legally porous by design.
- The next decade of European cloud procurement turns on one sentence in the upcoming Cloud and AI Development Act: whether sovereignty gets defined by control or merely by presence on EU soil.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
The numbers, and what they measure
Cluster17 ran the fieldwork between March 13 and March 21, pulling 6,698 adults from Spain, Germany, France, Italy, Poland and Belgium. The share who will not trust American tech firms with their personal data came in at 84 percent. For Chinese firms, 93. Only 51 percent said they trust European companies. Just 45 percent said they trust their own national governments with their information, which is its own kind of grim.
Poland is the outlier, with 38 percent willing to trust American firms and 20 percent Chinese ones. That tracks the Polish security posture toward Russia; Warsaw still sees Washington as a guarantor, and data trust moves with strategic trust. Germany sits at the other pole. Belgium, Spain, France and Italy all pile into the European mean, which in this survey is already a bleak address.
The numbers do not describe refusal to use American services. Europeans still run their businesses on AWS and Azure, still type into ChatGPT, still upload their photos to Google. What the survey measures is the public's functional recognition that using these services is a compromise rather than a preference. You are doing it because you must, not because you trust the provider. That is a very different psychological contract from the one hyperscalers built their European revenue on.
A six-year trajectory, not a news cycle
The closest historical comparison is the Bertelsmann Stiftung eupinions survey from 2019, which polled more than 12,000 EU28 respondents with roughly the same question. In 2019, only 20 percent of Europeans said they would trust an American firm with their data. Six percent said so about a Chinese one. Forty percent trusted European firms.
Run the arithmetic. Trust in US firms has slipped slightly, from 20 to about 16 percent. Trust in Chinese firms has been parked at a floor since before GDPR was enforced. Trust in European firms has grown by roughly a quarter. The story is not collapse. The story is continuity, plus a slow transfer of conditional loyalty toward home providers who still cannot command majority confidence.
That is the tell. If distrust were Trump-driven, the Chinese number would have moved with US politics. It didn't. If distrust were an EU marketing win, the European number would be above 70. It isn't. The only variable that cleanly explains the stability is legal architecture, and that architecture has been in place since before any pollster first asked the question.
The CLOUD Act built this number
Any company that processes European personal data must follow GDPR, whatever flag flies over its headquarters. But GDPR ends where another sovereign's statute begins. An American firm receiving European data on American soil answers to American law once the data crosses the border. GDPR cannot patch that asymmetry. It was never designed to. The survey is what that design gap sounds like when you hand it a microphone.
The American law doing the real work here is the 2018 CLOUD Act. It lets US authorities compel American-based companies to cough up data under their "possession, custody or control" wherever that data physically sits. A Microsoft data center in Frankfurt is, legally, within reach of a US subpoena. Microsoft itself conceded the point in a French court in 2024, admitting it could not guarantee sovereignty for European customers in the event of a legally valid American injunction. There is no engineering fix for that sentence.
China's 2017 National Intelligence Law does the same job from the other direction, requiring Chinese organizations to "support, assist and cooperate" with state intelligence work. No privacy carve-out exists. That is why the 93 percent figure has been parked at a floor since 2019. Europeans are not reacting to Xi Jinping's mood. They are reacting to a statute they cannot argue with.
Schrems II sits in the middle of all this. In July 2020 the Court of Justice of the European Union invalidated the EU-US Privacy Shield because American surveillance law did not provide protection "essentially equivalent" to GDPR. The replacement framework is already under legal challenge. Every European executive who has had to re-paper cross-border contracts twice in five years remembers exactly why.
The public survey is the citizen version of the corporate migraine.
Get Implicator.ai in your inbox
Strategic AI news from San Francisco. No hype, no "AI will change everything" throat clearing. Just what moved, who won, and why it matters. Daily at 6am PST.
No spam. Unsubscribe anytime.
The sovereignty-washing fight is the real story
Here is what you should watch next. The European Commission is preparing the Cloud and AI Development Act, known as CADA, for a May sovereignty package. CADA is the first European law that will attempt to define what sovereignty means as a procurement category, not just a slogan. And two camps are already fighting over the definition.
On one side stand the American hyperscalers, newly emboldened to rebrand. AWS European Sovereign Cloud. Microsoft Azure Local. Google's T-Systems partnership. All marketed as sovereign, all still subject to the CLOUD Act because all still parented in Delaware. A trade group representing twenty-four European cloud CEOs, CISPE, sent an open letter to Executive Vice-President Henna Virkkunen on March 17 demanding that CADA define sovereignty by control, not by presence. The letter's subtext is brutal. An EU data center address, CISPE argues, is the minimum viable sovereignty-washing product. Let that past the drafters and Europeans will be paying a premium to host their regulated workloads on infrastructure that is, legally, still American.
The Commission is rhetorically on the European providers' side. On March 31, Virkkunen told a Lille audience that Europe's reliance on foreign cloud "can be weaponised against us," and flatly refused a dialogue offer from the US ambassador on EU digital rules. "It's our sovereign right," she said, "not something we can trade on." Brussels is not negotiating. It is cornered into a mandate it asked for.
Meanwhile the Digital Markets Act investigations into AWS and Azure, opened on November 18, will grind toward a November 2026 decision that could designate both as gatekeepers on qualitative rather than quantitative grounds. Neither service meets the DMA's quantitative thresholds. A designation would be the first time the Commission uses its discretionary route at hyperscaler scale. Worth watching.
The legitimacy gap Brussels cannot close
Here is where the thesis turns uncomfortable. Europe has the mandate. Europe does not have the capacity.
AWS, Microsoft Azure and Google Cloud together hold roughly 70 percent of the European cloud market, according to Synergy Research Group data the Commission itself cited in its November DMA filings. Competition economist Cristina Caffarra, who founded the Eurostack Foundation, puts the real dependency closer to 90 percent once AI workloads and managed services enter the count. Europe generates something like a quarter of the planet's cloud revenue while owning less than 2 percent of the infrastructure that revenue runs on. OVHcloud, the continent's biggest homegrown player, booked just under a billion euros for FY2024. AWS does that in under a week. Forrester projects that no European enterprise will fully migrate off US hyperscalers in 2026. Not one.
Remember Gaia-X? The Franco-German sovereignty venture from 2019, more than ten billion dollars of public and private money behind it, now mostly filed under failure by the people who rooted for it. Caffarra's autopsy runs one sentence. Once Microsoft, Google and AWS were inside Gaia-X, the initiative lost its purpose. That is a useful thing to remember when CADA's drafters decide how porous the definition of "European" should be.
That is the gap the 84 percent will be litigated against for the rest of this Commission's term. Every EU procurement decision that touches an American logo will be adversarially scrutinized, by CISPE, by activists, by parliamentary committees, by the press. The European Central Bank's recent decision to build its digital euro on two "sovereign cloud" platforms that run on hyperscaler infrastructure already looks like a test case. It will not be the last. The Commission already blocked American firms out of the EU's new financial-data system last year, a narrower rehearsal of the fight CADA will stage in public.
Brussels has a mandate to decouple and an industrial base that cannot deliver decoupling on a ten-year horizon, let alone a two-year one. That is what a legitimacy crisis looks like before it breaks, and you are going to watch it unfold through every procurement headline of 2026.
What to watch
One sentence in the CADA text will decide who wins the next decade of European cloud procurement. Sovereignty by control means AWS Frankfurt cannot qualify, regardless of which region serves the workload. Sovereignty by presence means a data center in Dublin satisfies the statute and the hyperscalers keep 70 percent market share while nominally complying with a law written to shrink them.
That sentence is being drafted now, behind closed doors, by civil servants who know the 84 percent figure will be hurled at them if they soften it. They may soften it anyway. The industrial base they would hand the win to has been insisting for six years that it is almost ready to compete, and has not yet shown up.
The ceiling is real. The ground underneath it is not yet built.
Frequently Asked Questions
What did the POLITICO European Pulse survey actually measure?
Cluster17 polled 6,698 adults across Spain, Germany, France, Italy, Poland and Belgium between March 13 and March 21, 2026, asking whether respondents trusted American, Chinese and European technology companies to handle their personal data responsibly. The results: 84 percent distrust US firms, 93 percent distrust Chinese firms, 51 percent trust European firms, and just 45 percent trust their own national governments.
Why does the CLOUD Act matter for European data trust?
The 2018 US CLOUD Act lets American authorities compel US-based companies to hand over data under their possession, custody or control, regardless of where that data physically sits. A Microsoft or AWS data center in Frankfurt remains within reach of a US subpoena. Microsoft admitted this in a 2024 French court filing. No data-center location can override parent-company jurisdiction.
What is the Cloud and AI Development Act (CADA)?
CADA is a European Commission proposal expected in a May 2026 sovereignty package. It will define what counts as a sovereign cloud provider for EU procurement purposes. Two definitions are competing: sovereignty by control, which excludes US-parented providers, and sovereignty by presence, which accepts any provider operating an EU data center. That language choice decides the next decade of cloud spending.
Can European cloud providers actually replace AWS and Azure?
Not at hyperscaler scale inside this decade. AWS, Microsoft Azure and Google Cloud together hold roughly 70 percent of the European cloud market. OVHcloud, the largest EU provider, booked under a billion euros in FY2024 revenue, less than AWS generates in a week. Forrester projects zero European enterprises will fully migrate off US hyperscalers in 2026.
What is sovereignty-washing?
It describes cloud services marketed as European or sovereign while legally remaining subject to US or Chinese law. AWS European Sovereign Cloud, Microsoft Azure Local and Google's T-Systems partnership all market sovereign branding on infrastructure still controlled by Delaware-parented corporations. CISPE, the European cloud trade group, flagged the practice in a March 17, 2026 letter to Commissioner Virkkunen demanding CADA block it.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
Marcus Schuler
Editor-in-Chief and founder of Implicator.ai. Former ARD correspondent and senior broadcast journalist with 10+ years covering tech. Writes daily briefings on policy and market developments. Based in San Francisco. E-mail: [email protected]
