Microsoft admits Patriot Act can access EU-based cloud data

Microsoft's U.K. head admitted today that no cloud data is safe from the Patriot Act, and the company can be forced to hand EU-stored data over to U.S. authorities.
Written by Zack Whittaker, Contributor

Editor's note: This article was first published in June 2011. This ultimately sparked a transatlantic dispute over the sovereignity of data, and ignited a change in European data protection and privacy law. In June 2013, the NSA's domestic and international surveillance program was uncovered. The article you are now reading showed back in 2011 that the Patriot Act's reach is not limited to the U.S., and can affect EU citizens and those around the world. University law researchers also confirmed this was the case. We also invite you to read why ZDNet began investigating the Patriot Act.

LONDON, U.K. — At the Office 365 launch, Microsoft U.K.'s managing director Gordon Frazer, gave the first admission that cloud data, regardless of where it is in the world, is not protected against the Patriot Act Act.

After a year of researching the Patriot Act's breadth and ability to access data held within protected EU boundaries, Microsoft was the first cloud provider to openly admit it.

The question put forward:

Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?

Frazer explained that, as Microsoft is a U.S.-headquartered company, it has to comply with local laws (the United States, as well as any other location where one of its subsidiary companies is based).

Though he said that "customers would be informed wherever possible," he could not provide a guarantee that they would be informed — if a gagging order, injunction or U.S. National Security Letter permits it.

He said: "Microsoft cannot provide those guarantees. Neither can any other company."

While it has been suspected for some time, this is the first time Microsoft, or any other company, has given this answer.

Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities. 

Microsoft previously opened up its Online Services Trust Center which explained in great detail how data was managed, handled and if necessary, handed over to the authorities.


Also read ZDNet’s Patriot Act series:

Editorial standards