Out-Law / Your Daily Need-To-Know

Microsoft commits to offer non-US storage of data

Out-Law News | 24 Jan 2014 | 3:55 pm | 2 min. read

Microsoft is to offer businesses the chance to store data on servers based outside of the US when using their cloud services.

Microsoft's general counsel Brad Smith told the Financial Times that the technology giant will store companies' data at data centres outside of the US if this is what those customers want.

"People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides," Smith said, according to the report.

In Europe there has been significant debate at political level about the extent to which data held by European businesses can be accessed by US authorities when those businesses contract with US-based cloud providers to store that information.

The debate has intensified in recent months as a result of the publication and reporting of documents leaked from the US National Security Agency (NSA) by the whistleblower Edward Snowden. Those documents appear to show that the NSA has access to data held by US companies through a wide-ranging surveillance programme it operates.

Questions have subsequently been raised about the scope and extent of the data gathering and whether the activity is being undertaken in line with US legislation and whether it is subject to sufficient safeguards.

The Foreign Intelligence Surveillance Act (FISA) in the US sets out the procedures that US intelligence agencies have to follow in order to gather foreign intelligence information about foreign based individuals for the purposes of protecting against attacks on the US, such as terrorism. Under the regime intelligence agencies require a court to sanction the acquisition of data.

The US Patriot Act also gives law enforcement bodies the right, subject to certain conditions, to obtain information on individuals from US "electronic communication service providers" without those individuals' knowledge or consent.

The leaks about the extent of the NSA's surveillance has prompted concerns within the EU about whether businesses based within the trading bloc can comply with EU data protection rules when they use US-based cloud providers to store personal data.

Chris Soghoian, a privacy researcher at the American Civil Liberties Union, has suggested that even if data is stored on EU-based servers by US cloud providers, the US authorities may still have a right to access the data.

"What matters more than where the data is, is where the system administrators are and who can order them to do things,” Soghoian said, according to a report by the Wall Street Journal. "As long as [a company] has a presence [in the US], the data is vulnerable [to being accessed by US authorities]."

In a blog published last month, Brad Smith of Microsoft outlined how the company intends to protect its customers' data, including in cases where the data being demanded resides in a different country to the one where the law enforcement body seeking the information is based.

"We are committed to notifying business and government customers if we receive legal orders related to their data," Smith said. "Where a gag order attempts to prohibit us from doing this, we will challenge it in court. We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data. And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country."

"Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision," he said.