Sometime before Friday, 22 May 2026, Microsoft handed over the documents. The recipient was the House Judiciary Select Subcommittee on the Weaponization of the Federal Government, chaired by Jim Jordan. The subpoenas had gone out in July 2025 — to Alphabet, Amazon, Apple, Meta, Microsoft, Rumble, TikTok and X Corp., a list of ten companies in total. The subpoenas demanded the companies’ internal communications with foreign governments about content moderation. Microsoft handed over emails, meeting minutes and calendar entries belonging to Dutch civil servants. The names were not redacted.

The Dutch magazine Vrij Nederland published the story that Friday. The named civil servants worked at the Autoriteit Consument en Markt (ACM) and the Autoriteit Persoonsgegevens (AP) on the implementation of the Digital Services Act. The subcommittee that received the names had described that work as foreign “censorship of American speech”.

By Friday afternoon, Staatssecretaris Willemijn Aerdts had told the US Ambassador to her face. Aerdts (D66) had been appointed three months earlier as the Netherlands’ first Staatssecretaris for Digital Economy and Sovereignty, in the Cabinet-Jetten of 23 February. The ambassador she spoke to, Joe Popolo, had arrived in The Hague even more recently. Aerdts told reporters afterward: “Als je problemen hebt, vecht je die met ons uit of, indien nodig, in Europa, maar niet over de ruggen van ambtenaren heen.” In English: “If you have a problem, you fight it out with us, or if necessary in Europe, but not over the backs of civil servants.”

Microsoft’s response, when it came, made the situation worse.

What Microsoft handed over

The contents were not summaries. They were the raw working material of regulators: emails between named ACM and AP staff and Microsoft’s corporate representatives, calendar entries for internal meetings, and minutes from discussions of the DSA implementation. The committee received the names in full. According to reporting in iBestuur, Meta also shared similar data. The other eight subpoenaed companies have not publicly confirmed compliance.

The committee’s stated subject is whether European online-platform regulation constitutes censorship of US companies. The civil servants named in the documents are the people responsible, in the Dutch jurisdiction, for enforcing exactly the rules the committee is investigating. The Weaponization Subcommittee now has, in its files, the names of European officials enforcing rules it considers hostile.

Cybernews reports that some affected employees have family in the United States and now fear being denied entry. That fear is not theoretical: the Trump administration has sanctioned European civil-society leaders, including the management of the German NGO HateAid in December 2025, for what it considered hostile speech regulation.

The defence that makes it worse

Microsoft has not issued a detailed public statement on the Dutch matter. Reporting consistent across NL Times, Dutch IT Channel and Cybernews indicates the framing the company has used in private and in the trade press: the disclosure was not triggered by a CLOUD Act obligation. The released material, the framing goes, was correspondence between Microsoft and European authority representatives — and that correspondence fell outside the protections European regulators may have assumed they had.

That framing was offered as exoneration. Read carefully, it is the opposite. If the CLOUD Act had compelled the disclosure, European regulators would at least have a legal threshold to litigate against. The voluntary framing means there was no threshold at all — only Microsoft’s commercial judgement that cooperating with Jim Jordan’s Subcommittee was preferable to refusing it. The defence makes the situation worse than the accusation.

The framing serves Microsoft in a second way: it allows the company to position the incident as a one-off matter of judgement rather than a structural exposure under US law. It also serves the Dutch cabinet, which can externalise the problem to a US vendor instead of explaining why ACM and AP communications were on a US-hosted platform at all. Aerdts’s intervention with Ambassador Popolo, while substantive, did not commit the cabinet to a procurement change. The Junior Minister for Economic Affairs, Eric van der Burg (VVD), called the disclosure “more than worrying” — strong language for a Dutch state secretary, weaker than a commitment.

The pattern is older than this case

This is not the first time a US vendor has exposed European officials to US authorities under political pressure. It is the third documented case in 13 months.

In May 2025, Microsoft suspended the email account of Karim Khan, Chief Prosecutor of the International Criminal Court, after the Trump administration imposed sanctions on him for issuing arrest warrants against Israeli officials. In December 2025, the same administration sanctioned the management of HateAid, a German NGO that supports victims of online hate speech, with US entry bans.

The Khan case ran under sanctions designation. The HateAid case ran under entry-ban regulations. The Dutch case runs under a House subcommittee subpoena. The legal instruments differ. The pattern does not: a US-headquartered service provider was asked, formally or informally, to act against a European who had become politically inconvenient in Washington. In each case, the provider complied.

The Dutch case differs from the others in one further respect. On Microsoft’s own framing, the company was not asked under legal compulsion. The compliance was free.

This is not coincidence. It is the operating mechanism of the architecture: a vendor will protect its largest customer relationship over a smaller one. The US House of Representatives is a larger customer than any single European regulator. The CLOUD Act is one expression of that asymmetry. Voluntary disclosure to a subpoena is another.

What stays broken after the protest

The cabinet has summoned the US ambassador. There has been a diplomatic exchange. Microsoft may yet issue a public clarification. None of this changes the structural conditions.

After the dust settles, three things remain exactly as they were. Microsoft can still receive requests from US legislative, executive, and judicial bodies. Microsoft can still decide voluntarily to cooperate beyond what it is strictly required to do. ACM, AP, and most other European regulators still run their offices on Microsoft systems, with their communications still subject to the same exposure. The incident has produced political heat. It has not produced architectural change.

The signal worth watching is procurement, not protest. If, within twelve months, ACM or AP announce a migration of their internal communications off Microsoft, the incident has had structural consequences. If they do not, Aerdts’s intervention with Popolo will be the entire response.

What this article is not

This is not a claim that Microsoft acted illegally. By Microsoft’s own framing, it did not. This is not a claim that voluntary cooperation with a House subpoena was malicious. It may have been ordinary corporate caution before a powerful US political actor.

It is a claim that the structural conditions that produced this outcome are unchanged by anything that has happened since 22 May. The mechanism that operated is older than this case and will outlive its diplomatic resolution.

The names are in Washington now

The civil servants whose names are now in a House Judiciary subcommittee file are still at work. The Digital Services Act still needs to be enforced. The Weaponization Subcommittee has not closed its investigation. Microsoft has not retracted the documents — there is no procedure for retraction once a subcommittee has them.

The next request from a US authority to a US vendor about a European regulator will be answered by the same commercial logic that answered this one. Until the architecture changes, the names of the Dutch civil servants are not the last names that will end up in a House subcommittee file. They are the third.
