Microsoft's New 'Data Trustee' Plan May Put EU Data Out Of Reach For U.S. Government

After the recent invalidation of the Safe Harbor agreement between the EU and the U.S. by the Court of Justice of the European Union (CJEU), American companies had to quickly find alternative solutions to comply with EU privacy laws. Microsoft found a solution that could help it do that, as well as restrict the U.S. government from requesting EU data.

Microsoft announced that it will set new data centers in Germany, which will be under the control of Deutsche Telekom, a German telecommunications group. Therefore, the data held there will be protected by EU and Germany's strict privacy laws.

“This will help us meet growing demand for Microsoft cloud services in Germany, and across Europe, by providing an innovative, scalable and consistent cloud computing platform combined with a German data trustee model," explained Alex Stüger, Area Vice President for Microsoft Germany. According to the BITKOM study “Cloud Monitor 2015," 83 percent of all German enterprises expect their cloud provider to operate local data centers in Germany.

This looks like a strong privacy move by Microsoft, as well as an acceptance that the U.S. government isn't going to improve its privacy laws anytime soon to make them more similar to EU privacy laws, which the CJEU has required if any data transfers from EU to the U.S. are to be made again. This is regardless of whether a new Safe Harbor agreement will be made or not, as any new agreement will have to start with those requirements as a baseline.

"These new cloud services will be a first of their kind innovation from a global hyper-scale cloud provider, in that access to customer data stored in these new datacenters will be under the control of T-Systems, a subsidiary of Deutsche Telekom, an independent German company acting as a data trustee. Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision," said Microsoft in the announcement.

However strong this move seems to be, there may also be a catch. Deutsche Telekom will control the access to the data in these new data centers, but it will also be able to give Microsoft permission to access the data. It's likely that Microsoft will get access to any of the data that is held by Deutsche Telekom, even if it's under supervision. If Microsoft then transfers that data to the U.S. to improve its services or for whatever other reason, then the U.S. authorities could also demand that data.

Maximilian Schrems also said recently that such B2B "contractual solutions" are unlikely to pass CJEU scrutiny unless the data transfer completely abides by the EU's Charter of Fundamental Rights. In other words, Microsoft can't transfer any of the data unless it can guarantee that the data won't be accessed by the U.S. government, something the company itself simply cannot do, unless the U.S. laws are written accordingly.

The new data plan looks like a major improvement for the privacy of EU citizens who use American services, and it's something many surely hope to see Google, Amazon, and other cloud services providers offer in the near future. The issue is the plan will only be effective depending on how much U.S. companies want to use the data of EU citizens on U.S. territory. If they almost never want to transfer it from those EU data centers controlled by other EU companies, then everything should go smoothly. However, if they want to transfer much of it to the U.S., and only use the EU data trustees as some kind of loophole for EU privacy laws, then that may not work so well for them in the long term when they get involved in new lawsuits that once again reach the CJEU.


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • DrSparko
    and then we'll start launching datacenters into space to really confuse everyone.
  • falchard
    This is a problem with the patriot act. Now that we snoop without a warrant, other countries don't want us to investigate even with a warrant and criminal investigation.
    It will make tracking cyber criminals more difficult because the US is going against its own laws and constitution to do a warrantless search.

    The "Land of the brave and home of the free" is so scared of their own shadow that they've let their own government has become so totalitarian as to be rejected by the former autocratic genocidal country they fought in the name of human rights?

    Nifty job....
  • velocityg4
    I wonder if US users will have the option to use this data center. If you are really worried don't store anything in the cloud. At least encrypt everything before it leaves your computer. You could also make your own cloud storage device and not store anything on another companies system.
  • cats_Paw
    Well, its not like the NSA will stop hacking into peoples PCs....
    Seems we all aobut forgot about the fact that just about every Hard drive on the planet has a firmware that allows backdoors for the NSA.
    Why would you need a warrant or even competent hackers when the doors are already open?

  • junkeymonkey
    heck seems like we need to call up some air strikes , rest assure we will not put any troops on the ground , and will only back local resistance fighters and there organizations

    U.S.A all the way