Microsoft ploy avoids ‘cloud’ data grab
9 May 2016
I recently moved back to New Zealand after eight years in London, where privacy law issues were a consistent feature of the technology services and projects that I advised on. I’ve been watching with interest several developments that could affect cloud storage businesses and the global transfer of personal data as 2016 unfolds.
While Apple’s tussle with the FBI over cellphone encryption has been grabbing all the headlines, Microsoft is also involved in a long-running battle with the United States government. The dispute relates to whether Microsoft is required to disclose the contents of a customer’s web-based email account in response to a search warrant. Microsoft has repeatedly resisted that disclosure, arguing that the jurisdiction of the US government does not extend to data stored on its servers in Ireland. It argues that the US government should instead seek the data through a formal request to the Irish government under mutual legal assistance treaties.
Microsoft’s efforts have so far proved unsuccessful, despite backing by other technology companies, privacy organizations and the Irish government itself. The search warrant has been upheld by the US court of first instance and on appeal to the Southern District of New York. Microsoft’s latest appeal is currently before the Second Circuit Court of Appeals and a decision had been expected as early as February. It is likely that an appeal to the US Supreme Court will be required to finally resolve the matter.
The US courts have to date held that Microsoft must disclose any data under Microsoft’s control, irrespective of where that data is. Against this backdrop, Microsoft’s latest move – its announcement of plans to create new data centres in Germany – appears to be a clever legal side-step. It will construct the data centres to its usual standards but, in an innovative move, will transfer control of the data centres to a subsidiary of Deutsche Telekom that will act as a “data trustee”. Microsoft will only be able to access data held in the data centres with the consent of the data trustee or the customer. The data trustee will be a substantial German entity obliged to protect the data in accordance with Germany’s data protection laws, some of the strongest in Europe.
Although Microsoft has not expressly linked the two issues, Microsoft’s plan puts the data outside its control and, it seems, outside the reach of the US government – at least through serving a search warrant on Microsoft in the US, as has been done in the current case. If successful, the move will enable Microsoft to market its German data centres to customers, particularly those in Europe, as a storage option that will keep data out of the hands of the US government. In light of the uncertainty created by the European Court of Justice’s recent decision (it struck down the US “Safe Harbor” framework in October 2015), others in the tech industry will no doubt be watching with interest and may well follow suit.
Microsoft’s dispute with the US government is significant because it has the potential to undermine the US technology sector’s cloud services business. Microsoft has stated in court that potential customers have already decided not to purchase services from Microsoft, opting instead for a provider based outside the US that is perceived as being not subject to US jurisdiction – a move analysts believe could cost the industry billions of dollars in lost revenue.
And the stakes were raised further by the ECJ’s October decision. The Safe Harbor framework is one of the main bases relied on for the transfer of personal data from Europe to the US-based servers of companies such as Facebook. In light of the revelations by Edward Snowden, the European Union’s highest court has ruled that the US government’s actions are inconsistent with the fundamental rights of European citizens and, accordingly, the Safe Harbor scheme cannot be relied on as providing adequate protection for personal data transferred to the US.
Officials in the EU and the US have now concluded negotiations for a “Safe Harbor 2.0”, which has been titled the EU-US Privacy Shield. However, the new regime still needs to be formally adopted by the EU and is expected to face legal challenges from privacy groups. In the meantime, business is left to implement alternative solutions against an uncertain legal backdrop.
So, what are the take-outs for businesses in New Zealand?
Privacy issues will remain high on the agenda for 2016 in light of cases such as this, high-profile leaks like the one suffered by Ashley Madison, continuing fallout from the Snowden revelations, the collapse of the EU / US Safe Harbor regime and the pending introduction of a new Data Protection Regulation for the European Union.
Legal as well as technical factors should be considered in determining the optimum location for any servers (whether you are providing or using cloud services).
From a privacy law perspective, best practice states that you should collect only as much data as you absolutely need and should not hold it for any longer than is necessary for the purpose for which it was collected.
It’s worth thinking strategically about the structure of your technology arrangements. Here Microsoft has determined that it does not need control over or access to the underlying data in order to provide its cloud storage services. And it seems that choosing not to have that control offers Microsoft a competitive advantage.
Note: This is an updated version of an article first published in the National Business Review on 5 February 2016
Lowndes is an award winning corporate and commercial law firm with offices in the heart of Auckland and Wellington. The firm serves local and international companies and investors doing business in New Zealand.
We are recognised for our technical expertise and exceptional client service including high levels of responsiveness and reliability, accessibility of our lawyers, and an unwavering focus on what matters – our clients’ commercial outcomes.