Microsoft has committed to storing and processing all of its European Union (EU) customer data within the bloc by creating an “EU Data Boundary”, but data protection experts have criticised the move as a tacit admission that data is being routinely processed elsewhere.
In a blog post announcing the plans, Microsoft president and chief legal officer Brad Smith said the EU Data Boundary pledge would apply to data processed by its main cloud services – including Azure, Microsoft 365 and Dynamics 365 – and the engineering work needed to deliver the project would be completed by the end of 2022.
“We already provide commercial and public sector customers the choice to have data stored in the EU, and many Azure cloud services can already be configured to process data in the EU as well,” wrote Smith.
“We have already begun engineering work so our core cloud services will both store and process in the EU all personal data of our EU commercial and public sector customers, if they so choose. This plan includes any personal data in diagnostic data and service-generated data, and personal data we use to provide technical support.”
Elsewhere in the blog post, Smith said Microsoft cloud services are already compliant with EU data protection guidelines, and in some instances even exceed them, which raises the question of why the public cloud giant has seen fit to commit to building the EU Data Boundary at all.
Asked about this by Computer Weekly, a Microsoft spokesperson said data residency remains a top-of-mind concern for European cloud buyers.
“This announcement is less about ensuring compliance – our cloud services already comply with applicable law,” said the spokesperson. “It’s more about reducing complexity.
“By dramatically simplifying our data transfers – especially on the service generated and diagnostic data fronts – we will aid our customers in ‘knowing their transfers’ and more easily verifying their compliance obligations.”
Microsoft echoed this sentiment in an online FAQ about the EU Data Boundary, where the company stated that it “will be taking additional steps to minimise transfers of both customer data and personal data outside of the EU… to address the needs of our European customers who are looking for even greater data localisation commitments”.
European personal data routinely processed overseas
However, Alexander Hanff, founder of Think Privacy and a lead privacy adviser at Amari.ai, described Microsoft’s move as “smoke and mirrors”, claiming there is no feasible way it will protect European citizens’ data from being transferred overseas to the US, where there is a lower standard of data protection.
“I think it’s pretty obvious to most that when using cloud infrastructure, there is a level of access to that infrastructure from Microsoft for the purpose of customer support and various others,” Hanff told Computer Weekly. “That in itself would constitute a transfer. Even if the data is stored in the EU, if somebody is accessing it from the US, then it’s considered a transfer under EU law.”
Hanff added that anyone who has been working in this space understands that a large amount of data is being collected and processed about Microsoft’s cloud users, including data about their devices and telemetry information related to how they use its services.
In response to Computer Weekly’s questions about whether the information placed in its public cloud services is in fact constrained to the geographical boundaries selected by EU customers, Microsoft said the announcement’s significance can be broken down into three parts.
“First, it will apply to all personal data,” it said. “In the past, we have focused on specific categories of personal data, but not all personal data. Second, this announcement covers not only storage, but also processing. We previously conducted some, but not all, processing in Europe for these customers. Third, this announcement applies across all three of our core cloud products…whereas Azure customers may have previously had somewhat more choice than, for example, customers of Dynamics 365.”
Hanff added that it is public knowledge that Microsoft is subject to a “huge number of requests from government surveillance agencies” in the US – as evidenced by its twice-yearly transparency reports – under the Foreign Intelligence Surveillance Act (FISA) and the Cloud Act, and that it would be naïve in this context to think they were not making requests to access Europeans’ data.
Specifically, Section 702 of FISA allows the US attorney general and the director of national intelligence to jointly authorise the targeted surveillance of non-US persons reasonably believed to be located outside the US; while the Cloud Act (the Clarifying Lawful Overseas Use of Data Act) makes clear that US legal process reaches data in the possession, custody or control of a US provider regardless of where in the world that data is stored.
“This, to me, is an admission by Microsoft that this is actually happening, and that the US Cloud Act is being used currently to access data in foreign datacentres, outside of the US,” said Hanff, adding that in the case of the FISA laws, secret courts are also used to green-light various surveillance activities.
“Whenever that court issues an order – bearing in mind there are tens of thousands of requests made to that court on a yearly basis, of which only a handful, we’re talking under 10, are denied – it comes with a gag order.”
Likening these to D-notices in the UK, whereby the government can prevent publishers from printing news items on specific subjects for reasons of national security, Hanff said the gag orders are a legal instrument to prevent recipients of court orders from letting anybody else know that they have received the order.
“So even if Microsoft are telling you that there is data stored in the UK, if they’ve received a request to provide that data to a US surveillance agency of some form, such as the NSA or FBI, they wouldn’t be able to say,” he said.
“This is a really big and fundamental flaw in the ‘smoke and mirrors’ we’re seeing, not just from Microsoft but from a whole bunch of US tech companies – Twitter, Salesforce, Netflix, Facebook, etc – all opening EU subsidiaries to host data in the EU, which are wholly owned by their US parent companies, which still gives the US complete access to the data in those datacentres.”
Hanff added: “It’s incredibly dishonest because a lot of companies out there, particularly smaller companies, believe what these giant tech companies tell them. They assume these big global companies have huge law firms, and therefore, as a result of that, they must know what they’re talking about.”
In response to Computer Weekly, Microsoft said it has publicly committed to challenging every government request for customer data where it has a legal basis to do so.
“Our customers are separately telling us that data residency is important to them, and we hope this additional step will help,” said a spokesperson. “We also believe that data residency may bolster our ability to make legal challenges to some non-EU government demands for access to data.
“At the same time, it’s important to note that any technology provider with business interests in the US – even if it’s based in Europe – may be subject to US legal process.
“Microsoft gives prior notice to users whose data is sought by a law enforcement agency or other governmental entity, except where prohibited by law.”
The spokesperson added: “This is one step on a long journey, and we’ve been clear about that. We’ve taken a number of steps in the past, including our Defending Your Data initiative. We think this is another helpful step and one responsive to customer discussions. And we’ll have additional announcements in the future.”
Implications for UK police using Microsoft 365
Although the EU Data Boundary applies to only 13 European countries, the issues raised by Hanff with Microsoft’s current setup also extend to UK public sector organisations using its services.
In particular, Microsoft’s announcement has raised further questions about where it stores and processes the data of its UK-based law enforcement customers, which are bound by strict rules on the overseas transfer of data.
A Computer Weekly investigation revealed in December 2020 that UK police forces were unlawfully processing over a million people’s personal data on the hyperscale public cloud service Microsoft 365, after failing to comply with key contractual and processing requirements within the Data Protection Act 2018 (DPA), such as restrictions placed on international transfers.
Computer Weekly also found that UK police forces had failed to conduct the necessary data protection checks before proceeding with their Microsoft 365 (M365) deployments.
“It would be impossible for the police to actually determine whether or not their data has been accessed by, or has been shared with, surveillance or law enforcement agencies in the US where these gag orders have been presented,” said Hanff.
In the most recent data protection impact assessment (DPIA) published by the National Enabling Programme (NEP) – the group spearheading the roll-out of M365 to UK police – it identified the risk that “Microsoft could process personal data outside the UK… without any visibility or control over this processing”.
The DPIA claimed this risk has been “mitigated by the fact that Microsoft is under its own obligations to ensure that appropriate adequacy mechanisms are in place; even without visibility of processing, it is likely that transfers will not be non-compliant”.
According to Hanff, all the safeguards that exist within EU law to facilitate third-country transfers, as well as any contractual clauses agreed between parties, “have no bearing when it comes to sovereign law”.
He added: “If the Foreign Intelligence Surveillance Court issued an order to the NSA that tells Microsoft ‘you will provide us with this data’, it doesn’t matter what contractual clauses they have with their customer.”
Computer Weekly was told by the NEP and a number of police forces in November 2020 that “the region selected for storage of data is the UK”, despite Microsoft having long made clear on its website and in its terms of service that there are several exceptions for its cloud services, including backups of some data services that are sent to the US and to other countries that do not meet EU data protection standards.
An NEP spokesperson confirmed at the time that the group “has always been aware of this and it was considered in detail”, further claiming that the programme has undertaken “a robust and detailed security risk management assessment”.
According to independent security consultant and enterprise architect Owen Sayers, Microsoft’s announcement confirms that not only do its terms and conditions allow the company to send data overseas, but that it does so routinely.
“That has some serious implications for UK government users who nearly always refer to the ‘data stored in UK’ commitment to justify Microsoft use,” he said. “It’s really legally serious for law enforcement users because they just can’t send data outside of the UK for routine processing since Brexit, or before Brexit send it routinely outside of the EU.
“The UK is not, however, part of this new Microsoft initiative and it is now very much a data protection island unto itself. This would tend to the conclusion that UK government, law enforcement and commercial data will still transit the globe as it does today to be processed while in the Microsoft cloud.
“The data, personal and otherwise, that you put into Microsoft public cloud services is not constrained to UK and EU boundaries today. In future, the UK will not be using the EU datacentres at all, and will not be protected by these new Microsoft measures. At that point, the UK will really just be part of a global cloud landscape, with no means of effecting UK data sovereignty or exercising any control over the data and where it is held or goes.”
Microsoft, however, contends that the data loaded by its customers in the cloud has been available in data resident mode (constrained to datacentre boundaries) for all of its supporting services for some time.
“This announcement expands on prior commitments, including by reducing the amount of residual data transfers having to do with service generated and diagnostic data,” said a Microsoft spokesperson. “These transfers are compliant with the GDPR [General Data Protection Regulation] and prevailing regulations, but complicate our customers’ efforts to know their transfers. The EU Data Boundary will dramatically simplify these transfers.”
The NEP was also contacted by Computer Weekly about the data boundary announcement to see if it could provide evidence that all law enforcement data currently in M365 is stored and processed in the UK, along with details of the measures in place to ensure forces had a greater level of visibility of the data, but did not receive a direct response.
An NEP spokesperson said: “We are satisfied, having considered all aspects of the complex legislation and guidance affecting this area of business, that our approach within the programme continues to be both lawful and appropriate.
“We are supporting forces who continue to review their local decision-making in line with the Data Protection Act and work is continuing at a national level across all the agencies involved. We continue to keep the programme-level DPIA under review to respond to the changing circumstances.
“Quick, safe and proportionate data-sharing across forces and partners is vital to investigating complex crime and keeping people safe from harm. This is why we are following the government’s ‘cloud-first’ approach.
“We have always acted lawfully, taking expert legal advice and consulting with the ICO [Information Commissioner’s Office] throughout the life of our programme. We are expecting further guidance in response to the Microsoft announcement and the other likely changes driven by the ever-changing environment we are working within. We have already discussed this with data protection colleagues in forces and we will continue to engage with them as further advice becomes available.”
During the initial investigation, the NEP told Computer Weekly that the ICO had received a full copy of its M365 DPIA, and that the data protection regulator had “provided detailed comments and feedback on the document”.
Under the DPA 18, it is mandatory to send a DPIA to the ICO when the processing of personal data presents a high risk that cannot be mitigated.
However, when asked by Computer Weekly if it had been consulted on the national DPIA, the ICO initially refused to confirm either way.
When told of the NEP’s claim, an ICO spokesperson said: “We provided informal data protection advice on the National Enabling Programme, but a data protection impact assessment was not formally submitted for consultation with the commissioner.”
Both Sayers and Hanff agreed that one way to mitigate the risk presented by US surveillance laws would be for Microsoft to set up a new EU-based company, and not simply a US-owned subsidiary, as Amazon Web Services (AWS) has done with its distinct Luxembourg-based firm AWS SARL.
“Microsoft has actually done this in the past in Germany, because the Germans were very sensitive about their data being accessed by US surveillance,” said Hanff.
“Microsoft came up with a system where they licensed their services, their platforms, to a third party in Germany, and that third party sold the platform on to other German customers. In that way, there was almost a firewall between Microsoft and the customer.
“Bear in mind that we’re not talking about any of the data which is sent behind the scenes here, which is something that still needs to be looked at in the telemetry data, etc, but Microsoft had no direct access to go into the system.”
Hanff added that while Microsoft wound up the service around 2018, all US companies could and should look to provide similar models based on physical separation.
But according to Microsoft, “all EU Data Boundary announcement improvements will be made by Microsoft and rolled out to Microsoft-owned or operated datacentres, not a new company”.
Computer Weekly has previously contacted a number of UK-based cloud and hosting providers with experience in the delivery of police and criminal justice sector services that said they were broadly positive and receptive to the idea of working with police to develop a UK sovereign cloud capability, if of course forces do decide to explore such opportunities.
However, Hanff said there was nothing Microsoft or anyone else could really do to solve the issues of transfers to the US, and that ultimately “it’s a political issue that needs to be resolved” by the US changing its intrusive surveillance laws.
Asked whether it agrees with this characterisation and whether it would take any action to push for changes in US surveillance laws, Microsoft said it was important to note that “any technology provider with a presence in the US is subject to US legal process – not just companies based in the US”.
It added: “We received only three US search warrants for enterprise customer data located outside the US in all of 2020. Beyond that, there are some important issues relating to lawful access that government leaders on both sides of the Atlantic need to address.
“In our blog post, we also said that Microsoft will continue to do all we can to encourage government leaders to address those issues quickly, and we are optimistic that there will be a resolution in the near future.”