Microsoft is again doing battle to protect the privacy of its customers where data is located outside the US.
Must tech companies surrender user data to the US government?
This week’s coverage of the Microsoft overseas data case again draws attention to issues one might have thought were resolved some time ago. Essentially, the question is whether the US government has the legal power to make tech companies surrender data they hold on users when that data is stored overseas.
If you’ve been following cloud security issues since the early days, you’ll probably remember a lot of fuss around something called the Patriot Act, for example, and that back in 2012 a Microsoft UK managing director admitted that he could not guarantee that data stored on the company’s servers, even those outside the US, would not be seized by the US government. Thankfully, things have moved on since those days (although back then there was a spate of opportunistic marketing by European cloud providers, claiming their services would help clients avoid the Patriot Act’s provisions).
The waters were further muddied, though, by the collapse in 2015 of the ‘Safe Harbor’ rules on data sharing between the 28 nations of the EU and the US. A ruling by the European Court of Justice said that to authorise the export of data, the two bodies involved must draw up and sign ‘model clauses’ which set out the US organisation’s data privacy obligations.
Microsoft was quick off the mark, telling enterprise customers they didn’t need to worry. All 28 data protection authorities in the EU had already confirmed in a joint letter that Microsoft’s enterprise cloud contracts already meet the high standards of EU privacy law and the requirements of the ‘model clauses’ mentioned above. Personal data stored in Microsoft’s enterprise cloud was therefore already subject to Europe’s rigorous privacy standards no matter where it was located.
At the time, Brad Smith, Microsoft’s president and chief legal officer, stated: “…customers can use Microsoft services to move data freely through our cloud from Europe to the rest of the world. We will take proactive steps to expand these legal protections to benefit all of our enterprise customers… and will continue to ensure that we can comply both technically and operationally with the stringent obligations imposed by these contractual commitments.”
Microsoft stands firm
The current case dates from 2013, when US prosecutors sought emails on a Microsoft server in Ireland sent by a drug-trafficking suspect. The US government said as Microsoft was a US company it could request the data. But Microsoft says a warrant issued in the US shouldn’t be used to recover information outside the country and that the US government should instead use treaties signed with other nations to access data held on foreign soil.
Given the assurances Microsoft has categorically given its customers, losing the case would put it in a very difficult position. It says that customers would be likely to stop using its and other US tech companies’ services if they thought the US government could access information about them no matter where they were.
As Brad Smith blogged last month, “Emails are stored in known physical locations, on hard drives, in data centre facilities. When the US government requires a tech company to execute a warrant for emails stored overseas, the provider must search a foreign data centre and make a copy abroad, and then import that copy to the United States. This creates a complex issue with huge international consequences.”
The list of governments supporting Microsoft includes Ireland, France, the European Commission, European privacy regulators and members of the European Parliament. “289 different groups and individuals from 37 countries signed 23 different legal briefs supporting Microsoft’s position,” wrote Smith.
There’s also strong backing for Microsoft across the tech community. Apple, Amazon, HP, eBay, AT&T, Verizon and Salesforce are among those that have voiced support for Microsoft’s stance.
What happens next?
The current case is actually an appeal filed by the Trump administration calling for the Supreme Court to decide the issue; the court is expected to issue a ruling by the end of June. If the ruling should go against Microsoft, there’s surely too much at stake for that to be the end of the matter.
Meanwhile changes have been proposed to the existing US Stored Communications Act to let US judges issue warrants for data but also allow companies to object if the request clashed with their obligations under foreign laws. This may be a practical long-term solution to such a nagging problem.
How does all this affect my use of cloud?
If you use Microsoft cloud services like Azure in the UK, Microsoft has already made massive investments in secure UK data centres. It’s data held in centres like these that is potentially subject to the court’s ruling. If your data is, on the other hand, held in the US, then the US government could already force it to be surrendered.
To make sure that, whatever happens, the US authorities can’t (legally) get their hands on your data, you could simply use a non-US service provider (our own cloud-hosted services all use highly secure UK data centres, for example). But as a close Microsoft partner we join with the rest of the industry in believing it’s on solid ground, that it’s putting forward the strongest and most robust case imaginable, and that there’s no way it will ever let down its customers outside the US.
If you think about the sheer number of businesses, large corporations and government agencies that rely on Microsoft Cloud outside the US there’s simply no other option than to find a positive solution to this case. At Vohkus we’re absolutely clear that you can continue to use Microsoft Cloud with confidence.