Bert Hubert, researcher, advisor, publicist, geek, recently posted something that made a lot of people stop scrolling. He wrote: "Ik kan gewoon niet meer - net gehoord dat Sociale Verzekeringsbank, een van de allergrootste verwerkers van privégegevens binnen de Nederlandse overheid, druk bezig is met zijn totale migratie naar Microsoft Azure. En de mensen die het tegen zouden kunnen houden worden buitengesloten & hebben het opgegeven."

That single paragraph captures both a technical concern and a deep sense of exhaustion: a major Dutch government agency, one of the biggest processors of private data, is moving fully to Microsoft Azure, while those who might resist or add nuance feel sidelined and defeated.

In this post, I want to unpack what Bert Hubert is pointing at, why it matters far beyond the Netherlands, and what a more responsible path for government IT could look like.

The shock behind a single LinkedIn post

When someone like Bert Hubert says "Ik kan gewoon niet meer" ("I just can't anymore"), it is not about one technical decision in isolation. It is about a pattern.

"Sociale Verzekeringsbank, een van de allergrootste verwerkers van privégegevens binnen de Nederlandse overheid, druk bezig is met zijn totale migratie naar Microsoft Azure."

The core of his alarm is this:

A massive public institution (the Sociale Verzekeringsbank, SVB) handles highly sensitive, lifelong data about citizens.
That institution is now moving entirely onto the infrastructure of a single, foreign, commercial cloud provider.
People who might critically assess, slow down, or redirect that decision "worden buitengesloten & hebben het opgegeven" — are being excluded and have given up.

This is not just a story about Microsoft Azure. It is a story about data privacy, democratic control, and what happens when complex technological decisions get treated as purely operational IT choices instead of societal ones.

What it means when a social insurance bank moves to Azure

The scale and sensitivity of the data

The Sociale Verzekeringsbank is not a random back-office system. It deals with pensions, child benefits, and other social security schemes. To do that, it has to know who you are, where you live, your family situation, your lifetime work history, and often your medical or disability status.

At this scale, data is not just "records". It is a longitudinal biography of millions of people. If breached, misused, or subject to foreign legal demands, the impact is enormous and largely irreversible. You cannot change your birth date, disability status, or the fact you once received a specific benefit.

Concentrating power in foreign cloud providers

Migrating such a core institution completely to Microsoft Azure concentrates technical, economic, and legal power in one place:

Technical power: Azure becomes the default platform for deploying new systems and services. Skills, tooling, and architectures all align to what that platform offers.
Economic power: Once deeply integrated, switching away becomes expensive and risky. This is classic vendor lock-in.
Legal power: No matter how many European datacenters are used, the provider remains a US company, subject to US laws like the CLOUD Act, which can compel access to data under certain conditions.

Governments can add contractual protections and technical controls, but the fundamental asymmetry remains: a sovereign state is outsourcing critical infrastructure to a company whose ultimate obligations are defined by another sovereign state and by shareholder interest.

From efficiency to dependency

Cloud migration is often sold with compelling arguments: scalability, cost savings, resilience, speed of innovation. Many of those benefits are real. Public-sector IT has plenty of examples of insecure, outdated, and poorly maintained systems.

But as Hubert's reaction signals, there is a thin line between modernizing and becoming dependent. Once an agency's entire stack is shaped around one proprietary platform, the exit costs become so high that "we could leave if we wanted" stops being credible.

The silence of those who could say no

The second part of Hubert's post is just as important: "En de mensen die het tegen zouden kunnen houden worden buitengesloten & hebben het opgegeven."

That is a governance failure, not just a technical one. It suggests:

Critical voices inside or around government IT are not meaningfully involved in decision-making.
Oversight bodies, privacy regulators, or independent experts feel sidelined.
The process has become so politically or institutionally locked in that resistance looks futile.

In a healthy democratic process, a decision as far-reaching as the total migration of a major social security data processor to a commercial cloud should involve:

Public debate and transparent risk assessments.
Input from privacy experts and security researchers.
Clear articulation of alternatives and trade-offs.

When instead people feel "buitengesloten" and give up, we do not just lose technical nuance; we lose democratic legitimacy.

Data privacy, sovereignty, and trust in government

What is really at stake here is the relationship between citizens and the state.

Governments require citizens to hand over data under legal obligation. There is no genuine opt-out from paying taxes, receiving benefits, or being registered in population databases. That creates a special duty of care:

Privacy: ensuring that data is collected minimally, processed lawfully, and protected strongly.
Sovereignty: ensuring that decisions about that data remain under control of democratically accountable institutions, not foreign courts or corporations.
Trust: ensuring that citizens believe their data will not be misused, exposed, or repurposed beyond what they were told.

When a government agency moves fully onto a foreign commercial platform, many citizens reasonably ask: who ultimately controls my data now? Even if encryption and compliance are done well, the perception of loss of control can erode trust. And once trust is gone, it is far harder to rebuild than any IT system.

Are public clouds always a bad idea for governments?

It would be too simple to say "never use public cloud". That is not what this debate is about. Public clouds can bring:

Better baseline security than many legacy in-house systems.
Faster patching and response to known vulnerabilities.
Access to modern tools for analytics, monitoring, and automation.

The real question is how and where governments should use them, and under what conditions. Hubert's frustration comes from seeing a total, uncritical migration of one of the most sensitive data processors, combined with the exclusion of critics.

A more balanced approach could be:

Selective use of cloud for less sensitive workloads.
Hybrid or multi-cloud strategies that avoid single-vendor dependence.
Strong encryption with keys controlled exclusively by public institutions on sovereign hardware.

What governments should do differently

Building on the concern in Hubert's post, here are some concrete principles governments could adopt:

1. Treat cloud decisions as political, not just technical

Moving an entire social security agency to a foreign platform is a political decision with long-term societal impact. It should be debated in parliaments, scrutinized by regulators, and openly communicated to the public, not buried in procurement documents.

2. Publish clear risk assessments and trade-offs

Citizens deserve to see:

What specific risks have been identified (legal, technical, geopolitical).
What measures will mitigate those risks.
Why alternatives (national infrastructure, European providers, in-house modernization) were rejected or deprioritized.

3. Build in exit strategies from day one

Vendor lock-in should be treated as a strategic risk. That means:

Using open standards and portable architectures where possible.
Avoiding deep coupling to proprietary services unless absolutely necessary.
Budgeting and planning for the real cost of being able to leave.

4. Strengthen independent oversight

Those "mensen die het tegen zouden kunnen houden" should not be marginal. Privacy authorities, security agencies, academic experts, and civil-society groups need formal, resourced roles in evaluating and, when needed, challenging major cloud decisions.

5. Invest in public and European alternatives

Relying solely on a handful of US hyperscalers is a strategic vulnerability. Governments can:

Support European cloud providers and sovereign cloud initiatives.
Invest in public infrastructure for critical workloads.
Develop internal expertise so that "cloud" does not become synonymous with one vendor's way of doing things.

What citizens and professionals can do

If you work in government, IT, security, or policy, Hubert's post is an invitation to stop normalizing these decisions as "just IT". You can:

Ask uncomfortable questions in your own projects about data sensitivity and vendor dependence.
Push for proper privacy impact assessments and public documentation.
Support organizations that litigate and advocate for data protection and digital rights.

As a citizen, you can:

Ask your representatives how your government stores and processes your data.
Pay attention to digital policy debates, not just headline scandals.
Recognize that infrastructure choices today shape the freedoms and vulnerabilities of tomorrow.

Closing the loop back to Bert Hubert

Hubert's "Ik kan gewoon niet meer" is not a call to despair; it is a signal that the burden of care is being carried by too few people, for too long, with too little impact on actual decisions.

We can choose to see the migration of the Sociale Verzekeringsbank to Microsoft Azure as an inevitable modernization step, or we can see it as a turning point that forces a broader conversation about control, dependency, and public values in the digital state.

If more of us treat these questions with the urgency and seriousness that Hubert brings to his work, perhaps fewer people will feel they have no choice but to give up.

This blog post expands on a viral LinkedIn post by Bert Hubert, Researcher, advisor, publicist, geek. View the original LinkedIn post →