US authorities have access to European cloud data
Cloud providers like Microsoft have to provide US criminal prosecutors with access to customer data, as ZDNet reports. This access applies even if the data is stored by firms based in the EU and in European data centres. This was explained by Microsoft's British managing director Gordon Frazer in London during the launch of Microsoft's Office 365, when he was asked whether Microsoft could ensure that the data stored at its data centres in the EU would never leave Europe.
Frazer said that his firm has to follow the laws of the United States because it is headquartered there. In particular, the stipulations in the Patriot Act apply, which give US criminal prosecutors far-reaching access rights to data. Frazer said that customers would be informed that their data had been handed over "whenever possible", but he could not guarantee that notification would be given. After all, the FBI can issue a National Security Letter (NSL) containing a gag order for the companies affected. In such cases, Frazer said he would not even be able to state that he had received an NSL.
An online document in Microsoft's Trust Center confirms Frazer's statements and makes it clear that the matter not only concerns the Patriot Act: "In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)." The firm says that it first puts the governmental authorities into contact with the customer whose data is requested. If Microsoft receives a subpoena forcing it to provide the information itself, the firm says it will only hand over what is specifically requested. Furthermore, Microsoft says it plans to do whatever is "commercially reasonable" to inform its customers of the event to the extent legally possible.
Thilo Weichert, head of the Independent State Center for Data Protection in the German state of Schleswig-Holstein (ULD), says that the sharing of such data with parties outside the EU conflicts with European data protection law. In his opinion, the risk of having such data passed on compromises the confidentiality of the data and applications hosted at Microsoft's data centres and violates the basis for current agreements on data processing services. Weichert says that, at the very least, customers should be able to terminate their agreements immediately under such conditions, which make service providers such as Microsoft, with its Office 365 and Windows Azure, unsuitable for IT services which manage personal data. He recommends that companies within Europe should use only purely European service providers for their cloud services containing personal data.