After the recent invalidation of the Safe Harbor agreement between the EU and the U.S. by the Court of Justice of the European Union (CJEU), American companies had to quickly find alternative solutions to comply with EU privacy laws. Microsoft found a solution that could help it do that, as well as restrict the U.S. government from requesting EU data.
Microsoft announced that it will set up new data centers in Germany, which will be under the control of Deutsche Telekom, a German telecommunications group. Therefore, the data held there will be protected by the EU's and Germany's strict privacy laws.
“This will help us meet growing demand for Microsoft cloud services in Germany, and across Europe, by providing an innovative, scalable and consistent cloud computing platform combined with a German data trustee model,” explained Alex Stüger, Area Vice President for Microsoft Germany. According to the BITKOM study “Cloud Monitor 2015,” 83 percent of all German enterprises expect their cloud provider to operate local data centers in Germany.
This looks like a strong privacy move by Microsoft, as well as an acceptance that the U.S. government isn't going to improve its privacy laws anytime soon to make them more similar to EU privacy laws, which the CJEU has required if any data transfers from the EU to the U.S. are to be made again. This holds regardless of whether a new Safe Harbor agreement is made, as any new agreement will have to start with those requirements as a baseline.
"These new cloud services will be a first of their kind innovation from a global hyper-scale cloud provider, in that access to customer data stored in these new datacenters will be under the control of T-Systems, a subsidiary of Deutsche Telekom, an independent German company acting as a data trustee. Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision," said Microsoft in the announcement.
However strong this move seems to be, there may also be a catch. Deutsche Telekom will control the access to the data in these new data centers, but it will also be able to give Microsoft permission to access the data. It's likely that Microsoft will get access to any of the data that is held by Deutsche Telekom, even if it's under supervision. If Microsoft then transfers that data to the U.S. to improve its services or for whatever other reason, then the U.S. authorities could also demand that data.
Maximilian Schrems also said recently that such B2B "contractual solutions" are unlikely to pass CJEU scrutiny unless the data transfer completely abides by the EU's Charter of Fundamental Rights. In other words, Microsoft can't transfer any of the data unless it can guarantee that the data won't be accessed by the U.S. government, something the company itself simply cannot do, unless the U.S. laws are written accordingly.
The new data plan looks like a major improvement for the privacy of EU citizens who use American services, and it's something many surely hope to see Google, Amazon, and other cloud service providers offer in the near future. The issue is that the plan's effectiveness will depend on how much U.S. companies want to use the data of EU citizens on U.S. territory. If they almost never want to transfer it from those EU data centers controlled by other EU companies, then everything should go smoothly. However, if they want to transfer much of it to the U.S., and only use the EU data trustees as some kind of loophole for EU privacy laws, then that may not work so well for them in the long term when they get involved in new lawsuits that once again reach the CJEU.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.