Updated Microsoft has announced plans to ensure data processing of EU cloud services within the borders of the political bloc in a move that expert observers claim reveals problems with the firm's existing setup.
Those problems extend to UK public sector organisations seeking to stick within government guidance as well as a longstanding issue where personal data held in the EU can potentially be accessed via US security laws.
In a blog, Brad Smith, Microsoft’s president and chief legal officer, said the software and cloud services giant would, by the end 2022, enable EU customers of Azure, Microsoft 365, and Dynamics 365 to have all their data processed physically within the EU.
To my understanding, there would still be direct access to data and keys from the US in this new Microsoft setup. This means that any data still falls under the FISA law
Although critics have questioned what the announcement means about Redmond's current processing setup, Smith said Microsoft cloud services already comply with or exceed EU guidelines. “We provide commercial and public sector customers with the choice to have data stored in the EU, and many Azure cloud services can already be configured to process data in the EU as well. In addition, we use world-class encryption and robust lockbox solutions that meet current regulatory guidance.
“Many of our services put control of customer data encryption in customers’ hands through the use of customer-managed keys, and we defend our customers’ data from improper access by any government in the world,” he said.
Microsoft had already engineered its core cloud services to both store and process all personal data of our EU commercial and public sector customers in the EU. Smith added. “This plan includes any personal data in diagnostic data and service-generated data, and personal data we use to provide technical support.”
He said more information would be available at Microsoft’s EU Cloud Customer Summit in the autumn.
So where exactly are you processing the data now... and what about the NSA?
Max Schrems, the Austrian lawyer and activist behind the Schrems II ruling that saw the EU Court of Justice strike down Privacy Shield arrangements, said Microsoft’s move would fail to allay concerns that US security services would retain access to data held in the EU by a US company, via Section 702 of the Foreign Intelligence Surveillance Amendments Act of 2008 [PDF].
“To my understanding, there would still be direct access to data and keys from the US in this new Microsoft setup. This means that any data still falls under the FISA law and is, therefore, to be given to US authorities when requested. This is window dressing when it comes to National Security Agency [NSA] surveillance,” he told The Register.
Owen Sayers, an enterprise architect and data protection, privacy and security specialist, agreed with Schrem's assessment that Microsoft's plans would do little to address qualms about NSA access under current US legislation.
He also pointed out that the announcement amounted to a tacit admission that Microsoft was already routinely processing personal EU data outside the EU. Although Microsoft had already committed to customer-managed key encryption, this would not meet the requirements of European Data Protection Board (EDPB) guidance.
UK.gov software contracts
Although EU customers might wonder what they are supposed to do while Microsoft erects this particular service, UK public sector customers could be in a more difficult position as the vendor makes no mention of UK customers.
In particular, the UK public sector is supposed to stick to European Commission guidance on the adequacy of the protection of personal data in order to maintain the post-Brexit data flow.
"This has some serious implications for HMG users who nearly always refer to the 'data stored in UK' commitment to justify Microsoft use," Sayers said.
He also pointed out Microsoft has not said whether customers would be supported from outside the EU. “Support is still a [data] transfer,” he said.
In a LinkedIn post, Alexander Hanff, lead privacy advisor to Amari.ai and Think Privacy founder, said, “Microsoft just basically admitted that using their services in the EU currently is not lawful since Schrems II... this was a really stupid move from a PR perspective.”
He noted that the majority of Microsoft’s users might not have a detailed knowledge of the relevant data protection laws and would probably take the vendor at its word. “It is just smoke and mirrors and highly immoral in my opinion,” he opined.
Microsoft has been contacted for comment.
Updated at 1536 BST on 10 May to add
Microsoft sent us a statement to say its "approach" to "comply with and exceed the requirements" of the Schrems II decision was "unchanged":
"Our customers can continue to transfer data between the EU and US consistent with the decision, and we’ve gone beyond EDPB guidelines by publicly committing to challenge every government request for public sector or enterprise customers data from any government where we have a legal basis for doing so. Our customers are separately telling us that data residency is important to them, and we hope this additional step will help.
"We also believe that data residency may bolster our ability to make legal challenges to some non-EU government demands for access to data. At the same time, it’s important to note that any technology provider with business interests in the US – even if it’s based in Europe – may be subject to US legal process."
Microsoft has multiple data centres in Britain that it says "give customers in the UK, in many instances, options for keeping their data in the UK".
The Register asked Microsoft if it can ensure all support is provided from within the EU, as accessing such information outside of the region, even for tech support, is still a transfer.
"We’ve identified the technical and operational investments necessary to meet this goal, and we believe we can accomplish it. In the coming months we’ll be walking customers and regulators through our plans and will be responsive to their feedback. If there are areas where exceptions are necessary, we’ll be transparent about them," said Microsoft. ®