Last week I blogged about the Article 29 Working Party’s “approval” of Microsoft’s terms and conditions for its cloud based services such as Azure, Dynamics and Office365.
The Article 29 Working Party’s statement was relevant (from a PR perspective for Microsoft) because the Article 29 Working Party said that organisations signing up to Microsoft’s services using non-EEA data centres do not need to enter into a separate model clause agreement for the purposes of complying with the eighth data protection principle. The eighth principle is the principle which prevents transfers of personal data outside the EEA unless there is an adequate level of protection of personal data.
Notably, the Article 29 Working Party’s statement did not cast any judgement over the adequacy of Microsoft’s information security measures for its cloud services – whether within the EEA or elsewhere.
The US court order
This week hasn’t been quite so good for Microsoft.
A court in the United States has ordered Microsoft to disclose customer data held on a server at a Microsoft data centre in the Republic of Ireland.
Microsoft has said that it will continue to oppose the order, saying it will appeal the order to courts that have the authority to “correct” the US government’s views on the application of search warrants to content stored digitally outside the US.
As Microsoft’s deputy general counsel said in a blogpost:
A US prosecutor cannot obtain a US warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States.
We think the same rules should apply in the online world, but the government disagrees.
What does this ruling mean for users of cloud services?
Extraterritorial orders are a growing problem for cloud services, where the customer, the data subject, the service provider and the server may all be located in different countries.
At the moment, EU data protection law generally fails to deal with this adequately, focusing on administrative paper exercises (such as model clause agreements) rather than looking at the underlying risk to the data and ensuring that data subjects are aware of who might have access to their data.
The court’s order underlines the artificiality of the way that EU data protection law currently deals with international data transfers. The law is predicated on the assumption that EU law sets out the gold standard for data security, and that any jurisdiction outside the EU should be viewed with some suspicion.
Whilst the Article 29 Working Party’s approach to Microsoft’s terms and conditions shows the beginnings of some pragmatism on this issue, this latest incident demonstrates that even when personal data is hosted within the EU, it may still be subject to the extended reaches of governments in other jurisdictions.
My point here is that whilst the European Commission has objected to the US court order applying to data held within the EEA, the situation would be no different had the customer in question agreed to the data being held in the US subject to the terms of the EU approved model clauses for data transfer, which are supposed to safeguard that transfer.
It will be interesting to see how the US courts ultimately deal with this issue. The United States is known for attempting to apply US law internationally (see, for example, the Helms-Burton Act in relation to trade sanctions on Cuba in the 1960s). Ultimately, Microsoft Corporation is a US entity, subject to US laws.
In the meantime, organisations either owned by non-EEA corporations or using infrastructure provided by overseas owned businesses (so most businesses) should ensure that they are not giving commitments to data subjects that they are unable to deliver.
On April 29, 2014