There's been a bit of a brouhaha in Europe recently after Microsoft was cornered by a tough question, and produced an answer that many had suspected, but not known for sure, was true.
It was at the launch of Office 365 that Gordon Frazer, managing director of Microsoft UK, was asked whether Microsoft could guarantee that data held in EU-based datacentres would not leave the EU under any circumstances, i.e. even under a request made in accordance with the Patriot Act.
Frazer, to the not-so-shocked but nevertheless horrified audience, said that neither it, nor any other US-based company, could give such a guarantee.
Since then, European parliamentary figures have demanded that something be done; in their view, European law, which has strong privacy clauses, means nothing once the US decides that it wants something. That is, a US law could essentially nullify a European one.
I, personally, was a bit taken aback, and needed a few days to ruminate over the thought of Microsoft, or any other US company that had my data, handing it over.
It seems hard to imagine, now, that the US government would make unreasonable requests of companies based within its borders, but who knows what time will bring?
I decided to ask the company, just to be safe, if the response would be the same for Australia. This is the response that I received:
Any company with a presence in the US is legally required to respond to a valid demand from the US government for information if the company retains custody or control over the data. This is the case, regardless of where the data is stored or the existence of any conflicting obligations under the laws where the data is located. Microsoft will only respond to government requests for enterprise customer data when legally required, and, understanding general customer concerns in this area, we will use commercially reasonable efforts to notify those customers in advance, unless we are legally prohibited from doing so.
Firstly, I'd like to say that I don't blame Microsoft for this. The law is the law. But there are a number of parts of this statement which really interest me.
First: "This is the case, regardless of where the data is stored." Truly, the world is moving towards a data economy in which borders become meaningless, except in the sense of who owns the data.
Second: "regardless ... of any conflicting obligations under the laws where the data is located". This sentence shows a certain hubris on the part of the US government. Why do they think that other countries won't be annoyed about this? Shouldn't it read "if in wartime", or carry some similar clause? Surely there should be some discussion between the US government and the government upon whose soil the data sits?
Third: "we will use commercially reasonable efforts to notify those customers in advance, unless we are legally prohibited from doing so". "Commercially reasonable" is typical contract boilerplate, but the rest of the sentence is serious. I hope it wouldn't come to data being taken in a secret manner like that. After all, it would be like corporate espionage, conducted in secret. Who knows what they'd take?
I listened to a webcast recently, where an American argued that if foreigners wanted to take cheap US services, then it was their problem if they had an issue with the US government being able to see it. In part, I agree with that. But, after all, these businesses do have subsidiaries on the soil of other nations where they are making their sales — and they may be putting down datacentres in those other nations. There must be some give, and not just all take. How would the extremely patriotic, "we rule the world" Americans feel if the shoe was on the other foot? After all of the scaremongering about Chinese espionage, I feel as though such a law has a bit of hypocrisy.
I feel like government, and any other organisation in Australia, should be fully aware of the possibility that their data may be requested at any time before they pass that data into a US company's care. I'm not saying that they shouldn't do it. But I am saying that if they're not aware of it, and if they haven't done a risk assessment, then they're being a bit reckless.