The EU has been hit by Microsoft’s recent announcement that, in certain circumstances, it may be required to disclose personal data belonging to businesses using its new cloud service to US authorities - even if the data centres are based in the EU. Such disclosures would be carried out under the provisions of the Patriot Act, which was initially drafted as an anti-terrorism tool, and allows authorities access to personal data held by US-based companies, regardless of where it is stored in the world. Further uncertainty was added by the revelation that, despite Safe Harbor arrangements in place, Microsoft may be required to keep such disclosures secret both from the EU and from individuals to whom the data relates.
Safe Harbor is a framework under which US companies can self-certify that they comply with the obligations under EU data protection regulations. The framework allows for the sharing of data between the EU and self-certified US companies under certain restrictions, such as the promise of reasonable data security and informing the EU of any request for access to the data in question, so that it can in turn inform the affected citizens. Microsoft’s announcement suggests that even where Safe Harbor provisions are in place, they would provide little protection should US authorities secretly seek to seize servers holding cloud data on EU-based individuals under the Patriot Act, overriding one of the key principles of the Safe Harbor arrangements.
Cloud computing services undoubtedly offer a number of solutions to businesses looking to minimise IT operating costs and streamline their systems. However, Microsoft’s recent announcements simply add to the serious data protection issues that businesses will need to consider before engaging such services. These issues are well documented, and a survey of businesses that use cloud services, conducted earlier this year by the National Computing Centre, summarised them as including systems failures, security incidents involving the supplier’s staff, corruption of data, data loss, and data theft. It will therefore be of paramount importance that businesses ensure their cloud provider has adequate security arrangements in place. This will be best achieved by carrying out independent security audits of the service provider and securing sufficient ongoing audit rights. Businesses should also assess their own internal governance and security policies for adequate provisions on the adoption and use of cloud services before migrating data to the cloud.
Going forward, there will undoubtedly need to be increased scrutiny on cloud service providers, and legislation that effectively addresses the concerns will need to be put into place. Data protection regulation is undergoing necessary changes in Europe, and the European Commission has already stated its intention to adopt a proposal for a more effective new data protection framework over the course of 2011. This will aim to address challenges including the consequences of globalisation and transborder flows of personal data, and the development of technology especially in the online world. In light of Microsoft’s announcement, legislators may also be prompted to approach the review with the data protection risks posed by cloud services specifically in mind.