EU users of Microsoft’s cloud-based service, Office 365, could find their information being shared with US law enforcers without their knowledge, due to Microsoft’s US legal obligations.
Cloud services allow users to store data online rather than locally. Whilst this has many advantages, such as being able to access information from anywhere, it has raised questions about security, and in particular the security of data, since users may not always be aware of where, or to whom, their personal data is being transferred.
Now Microsoft, a US-based company, has stated that EU users of its upcoming cloud services may have their personal information intercepted by US law enforcers.
Under EU data protection laws, organisations that process individuals’ personal data must inform the individuals when they are required to disclose the individuals’ personal information. However, it appears that these EU provisions may come into conflict with US law obligations placed on organisations like Microsoft.
The USA Patriot Act grants law enforcement authorities in the United States the right to access the personal data which is held by US-based companies, regardless of where it is stored in the world. Under the Act, law enforcers may also prevent organisations from informing the customer that the organisation has had to provide the customer’s personal information to the authorities. This controversial law was established as an anti-terrorism provision.
The legal notice on Microsoft’s online services trust centre explains that:
“In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).”
Microsoft states that “as a general rule, customer data will not be transferred to datacenters outside that region. There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)”.
In summary, Microsoft is making clear that, where required by law, it will disclose EU customers’ data without prior consent and will not necessarily inform the customer of the disclosure.
As a major cloud provider, Microsoft has entered into the Safe Harbor agreement which allows data to be passed from a subsidiary Microsoft entity in Europe to a Microsoft entity in the United States. The Safe Harbor scheme allows US companies that meet the requirements of the EU’s Data Protection Directive to transfer EU data to the US. However, this does not prevent Microsoft from having to comply with US legislation such as the USA Patriot Act, leaving Microsoft in a difficult position.
This will be a major problem for cloud security and data protection and may discourage EU customers from utilising Microsoft’s cloud offering. It will, however, be a recurring problem for cloud providers and their customers generally, and some providers, inevitably, will not set out their position in their documentation as clearly as Microsoft has.