Microsoft is betting that Germans will trust their data to the Microsoft cloud if it is managed by a “Data Trustee”. When the Court of Justice of the European Union declared Safe Harbor not to be so safe in early October, the vulnerability of personal information held by big US corporations was in the spotlight. US data multinationals like Amazon, Microsoft, Google and Apple could promise whatever they wanted about keeping our information away from the prying eyes of the US government, but their international credibility was in question.
The first serious response came on November 11, when Microsoft announced that it would open two German datacenters in late 2016, which would provide German data residency for its cloud offerings. To assuage concerns about the US government (or others) being able to strong-arm them into turning over customers’ data, Microsoft announced the “Data Trustee”. Like the reveler who turns the car keys over to the host on the way into a party, Microsoft will lock itself out of its German datacenters. Partnering with Deutsche Telekom as Data Trustee, Microsoft is building a security model in which even they must ask permission to access customer data. Presumably Deutsche Telekom will ensure that only the right people can snoop around in the Microsoft cloud.
Will it work? Practically, it appears sound. Legally, it is unclear. These legal constructs are subject to legal challenge, and in the international privacy context those challenges will take years to sort out. What is clear is that the way information is protected needs to change. We are long past just trusting that our data is safe – and we are now seeing a shift to trusted non-state oversight. What they are called is not important – what matters most is who is holding the key and the circumstances in which they can be compelled to turn the key over.