Microsoft claims EU compliance supremacy, but it's not that simple

Summary: The company says it is the only major US cloud services provider to offer a certain type of data protection clause in its contracts with European businesses, but the truth is that Google Apps will soon do the same.

TOPICS: Privacy

Microsoft has welcomed the recommendations of a group of EU data protection officials, claiming that their endorsement of so-called 'model clauses' shows Microsoft is the only fully compliant option for businesses wanting to use cloud services.

However, while the company's words are technically true, key rival Google is preparing to offer similar clauses in its Apps contracts soon.

Model clauses were introduced in 2010 as a way for US cloud providers to prove their compliance with European data protection law, which is much tougher than that in the US. Along with 'safe harbour' self-certifications, they provide a way of getting around the fact that the US is not on the EU's brief list of countries to which EU citizens' personal data can legally be sent.

Microsoft is so far the only major cloud service provider to adopt the model clauses in its contracts, and the company's legal chief, Brad Smith, wrote a blog post on Thursday that was presumably intended to warn European businesses off adopting Google Apps instead of Office 365.

Smith's post was a response to an opinion (PDF) published by the Article 29 working group on Tuesday. The group comprises representatives from all the EU member states' data protection watchdogs — while its recommendations are not binding, they constitute official advice to the European Commission.

"In issuing this Opinion, European regulators provided the strongest endorsement to date for the European model clauses," Smith wrote. "The clauses provide a set of formal commitments that businesses can rely on to ensure that their cloud services provider adheres to the highest standards in its operations and data processing activities. Microsoft is the only cloud services provider willing to make this commitment and to offer the European Model Clauses to our customers."

Smith went on to posit two questions: "First, is [a prospective customer's] cloud services provider willing to commit contractually to offer model clauses? Second, has their cloud services provider done the detailed work with the data protection authorities across Europe to ensure that their implementation complies with the requirements of these important regulators?"

While Smith was accurate in saying Microsoft was currently the only major US provider to have adopted model clauses, he neglected to mention that — precisely one month before — Google said it was preparing to do the same "soon".

However, Google said on Friday that it had no further update as to the timing of this happening.

The Microsoft legal chief also failed to mention another of the recommendations made by the Article 29 working group. The data protection regulators are dissatisfied with US companies' use of self-certification to show safe harbour compliance, and used their opinion this week to call for providers in that country to submit to third-party audits when getting such certifications.

"In the context of cloud computing, potential customers should look to see whether cloud services providers can provide a copy of this third party audit certificate or indeed a copy of the audit report verifying the certification," the working group said.

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

  • microsoft and google

    they have not kept us safe at all they can not stop the hackers no i am not one but they all say the cloud is safe what a lie i am sorry but if they had to tell the truth you all would find out the cloud is a computer that has been hacked like google and more you can find out who has been hacked the companies are not telling it all verizon has not told its people that they were hacked and there is more that have not told its people and i lost my med info because of a doctor that put my records in the lying cloud
  • The point was to say that someone else is going to do it too?

    I am a little lost here. The claim was just accurate; you seem to minimize it by saying, while it was technically accurate... Then you make statements like, the truth is actually Google said it will offer the same thing soon... WOW this just reads really bad. Let's state a few facts - Fact: Microsoft is the only major US fully compliant option for businesses wanting to use cloud services
    Fact: Google claims it will also be fully compliant in the future, no dates have been provided.
    Why in the world would Microsoft call out the fact that Google said they would also adopt this last month? What would be the logic in that? Do you think that Microsoft baked this up the day after Google made the announcement and now 30 days later poof?!
    • Agree

      "User name not displayed" I think our author is just trying to fit in with the rest of the anti-Microsoft gang at ZDNet.
      The fact that only one company today is ready to meet the needs of customers, means that we all need to wait for Google as they will in time, might come up with an actual working solution.
      LOL, can we get some real reporting going here not just bashing.
  • Only one major issue outstanding - Patriot Act!

    Interesting to read Microsoft claim to be the only "fully compliant option for businesses wanting to use cloud services" and while, as the article professes, this may be technically true, Microsoft and other US providers still have to go a long way to demonstrate actual legal compliance with, say, Germany, where the debate around use of cloud services provided by US companies that export citizen data is still a very grey area.

    The other big issue that will not endear Microsoft to many mid to large enterprise customers is the Patriot Act. Regardless of where the data centre is located (in Europe for MS it's Dublin), if the parent company is a US entity, even operating subsidiaries outside of the US, all the data that is held in Dublin by Microsoft that belongs to European companies is accessible under the Patriot Act by US government agencies.

    As ZDNet reported back in December last year, regardless of whatever MS says it can do and comply with to enable European customers to adopt cloud, for some the Patriot Act is an insurmountable obstacle in embracing any US vendor's cloud services. Article for ref is here:

    Apart from that, we're all good!
  • Microsoft claims EU compliance supremacy, but it's not that simple

    It is that simple if Microsoft already has the compliance and Google does not. Besides that no one would trust Google with their data when they have the "we can do whatever we want with your data" clause including using it for their own benefit to profit.

    ZDNet is broken on Firefox 13.
    Loverock Davidson-