Microsoft's European 'cloud pact' still does not protect data against FISA, Patriot Act

Microsoft's cloud pact with Europe still does not protect EU citizens from U.S. law, like FISA or the Patriot Act. Was it simply signed to quell fears, and prevent the loss of business?
Written by Zack Whittaker, Contributor on

Microsoft announced yesterday it would sign the European Union's "model clauses", which will help customers certify compliance with Europe's data protection laws and with the United States' Health Insurance Portability and Accountability Act (HIPAA).

The problem, overlooked by many, is that this 'cloud pact' means little to those within the walls of Europe.

Yes, it's great news that Office 365 will now be HIPAA-compliant for users and organisations, providing the "physical, administrative and technical safeguards" that allow Microsoft to be fully compliant with U.S. legal requirements.

Simply put, it means that health records and medical data will be safe in the cloud.

The niggling problem that Microsoft, and the rest of the cloud industry, has is that this agreement with the European authorities still does not protect against 'third-country' legislation.

In particular, we are talking about the U.S.' PATRIOT Act, and the Foreign Intelligence Surveillance Act (FISA).

While Microsoft claims to be the "first and only major cloud-based platform to offer leading information privacy and security standards for customers operating in the European Union", Microsoft will not disclose the terms it is signing.

A Microsoft spokesperson declined to comment on the details of the agreement that it will sign.

The company is struggling with European customers' cloud concerns, after Gordon Frazer, Microsoft UK's managing director, told ZDNet exclusively at the Office 365 launch in London, that "no company" could guarantee that European data was safe from U.S. law.

But others are already seeing this announcement as a way of quelling the fears that European users may have regarding the integrity and security of the crucial cloud data they outsource.

It was only last week that global defence contractor BAE Systems pulled the plug on its outsourcing venture with Microsoft, citing the PATRIOT Act as the main concern.

The Microsoft spokesperson could neither confirm nor deny that FISA or the PATRIOT Act could still be used by U.S. law enforcement to covertly and secretly acquire European data.

The company did however say:

"It’s not uncommon for new technologies to create legal questions, and the current dialogue about data sovereignty and the cloud is only the latest example. This is an important topic which affects all cloud providers, including non-U.S. companies with a presence in the U.S., as well as those companies headquartered in the U.S.

It is also an active discussion in many regions with similar statutes".

The spokesperson was hinting at the UK's Regulation of Investigatory Powers Act (RIPA), which offers very similar powers to that of the PATRIOT Act.

While Microsoft was not willing to explain exactly how this cloud pact offers protection to consumers, it did say that its "willingness to sign data processing agreements that include the EU Model Clauses means that Microsoft contractually guarantees that Office 365 will uphold European standards for privacy and security".

It was mostly a trick question. The proof already exists, but it was always worth a shot.

At that point, Microsoft stonewalled me, again.

Microsoft's Trust Center was also updated to enhance its "transparency", so that ordinary users can see what happens to their data, where it is stored, and the terms of the service agreement.

But at no point does it mention the PATRIOT Act, FISA, or any third-country law that the company may be under the thumb of. The chances are that Microsoft does enact its policy -- probably down to the letter -- and most certainly only to protect itself.

A Microsoft spokesperson said that the company will "make every effort to notify customers in advance" that data will leave European soil, "unless we are legally prohibited from doing so".

Invoke the PATRIOT Act, throw in a National Security Letter gagging order, and a cloud company can take what it likes from any datacenter it owns back to headquarters for inspection by U.S. authorities, without having to inform the customer who owns the data.

The company's efforts in attempting to calm fears over foreign legislative implications are fair. After all, and I state this for the record, it is not Microsoft's fault. It is making the best of a bad situation. But it continues to ignore key questions in its documentation, online resources, and governing contracts.

Apple is just as guilty. So are Google and Amazon, and every other U.S.-based cloud provider with a presence within Europe.

What is clear from this announcement is that Microsoft is offering a slightly safer alternative among the available cloud services. Google is yet to seek HIPAA compliance, meaning Microsoft's solution is at least a viable option should you fall within the direct jurisdiction of the United States.

One interesting point made by Wired suggests that should these companies lose enough money, revenue and business from the damaging fears of foreign legislation among European citizens, a collective of between 500--700 million people, perhaps they will fight in coalition with the same vigour as they are fighting the SOPA bill.

While the European Commission is expected to announce the draft version of the upcoming Data Protection Directive, members of the European Parliament are seeking emergency legislation to plug the flaws in the current directive immediately.
