Major step forward in cloud privacy secured by Microsoft

Jul 15, 2016 by Romulo Melillo

US government cannot insist on access to data held on foreign servers

When it comes to data privacy on cloud servers this is big news. An appeal court ruling, issued on 14 July 2016, overturns an order granted in 2014 and now ensures the US government cannot force Microsoft to give authorities access to the firm’s servers located in other countries.

The US Department of Justice had wanted to access a server in Ireland, as part of an investigation into a drugs case, and Microsoft (with the backing of the likes of Amazon, Apple and Cisco) had resisted this strongly.

If you’re among those organisations that have held back on Office 365 adoption because of privacy concerns, Microsoft has moved quickly to explain the implications. “This makes clear that the US government can no longer seek to use its search warrants on a unilateral basis to reach into other countries and obtain the emails that belong to people of other nationalities,” said Brad Smith, president and chief legal officer of Microsoft.

“It tells people they can indeed trust technology as they move their information to the cloud.”

Taking the brakes off Office 365 adoption

Privacy issues have dogged the use of cloud services from the early days, as stories circulated about the US government having a right of access to cloud servers operated by US companies no matter where they were located in the world. That’s why the new ruling is so significant.

In 2012 it was reported that “anxiety was heightened last year when a Microsoft UK managing director admitted that he could not guarantee that data stored on the company’s servers, even those outside the US, would not be seized by the US government.”

The same article was one of many that also cited common concerns around the US Patriot Act, although “if an EU company has no US presence and neither does its EU cloud company – which may happen from time to time – its data may be beyond the direct reach of the Patriot Act,” explained Alex Lakatos, partner and cross-border litigation expert in the Washington, DC office of Mayer Brown.

Then there’s been EU privacy law, the end of ‘Safe Harbor’, the potential impact of GDPR and more to contend with.

In 2014 all 28 data protection authorities in the EU confirmed in a joint letter that Microsoft’s enterprise cloud contracts already meet the high standards of EU privacy law and the requirements of the ‘model clauses’ mentioned above. Personal data stored in Microsoft’s enterprise cloud is therefore already subject to Europe’s rigorous privacy standards no matter where that data is located on Microsoft’s enterprise cloud services – including Azure and Office 365. Now we have an assurance that its data is secure from US government interference too.

International implications for cloud data privacy

The BBC highlights that the 14 July appeal court ruling will help prevent tit-for-tat approaches to data privacy between governments. Microsoft had warned that allowing the search warrant to be conducted could open up a global privacy ‘free for all’, in which other countries would perhaps seek to apply their own search warrants to servers located in the US.

Microsoft said the laws were simply too outdated to be effective. “The protection of privacy and the needs of law enforcement require new legal solutions that reflect the world that exists today – rather than technologies that existed three decades ago when current law was enacted.”

Quadrotech’s view on the appeal court ruling

At Quadrotech we think this news is very welcome and long overdue. We’ve always held faith with Office 365 and Microsoft’s ability to protect itself and its customers, and the appeal court ruling formalizes something that has actually been the de facto case for years.

We think there’s been so much scaremongering and FUD around whether it’s safe to migrate to the cloud that people sometimes lose sight of what strides the service providers have made while they wait for the legislators to catch up.

Microsoft and businesses like it have created entire business strategies around cloud services. They have no choice but to do it properly. That means creating security and privacy protections that are likely to go well beyond what many organisations could provide on-premises.

To put it another way, Microsoft is not only protecting its interests by obtaining this ruling. It’s protecting yours, too.