Feeds

EU cloud data can be secretly accessed by US authorities

US-owned companies bound by Patriot Act, says Microsoft

Internet Security Threat Report 2014

Personal information belonging to EU users of US-owned cloud-based services could be shared with US law enforcers without the user being informed, Microsoft has said.

The software giant said it could not guarantee that it would not have to hand over EU customers' data on a new cloud service it has developed whilst keeping details of the data transfer secret.

Cloud services allow internet users to store data online instead of locally.

EU data protection laws state that organisations must tell people when they are asked to disclose their personal information.

These EU provisions might conflict with obligations US-based firms, such as Microsoft, face under US law.

The USA Patriot Act gives law enforcement authorities the right to access personal data held by US-based companies, regardless of where it is stored in the world. The Act also gives law enforcers the right to prevent firms informing the customer that they have had to hand over the information. The controversial law was established as an anti-terrorism tool.

Microsoft is set to launch a new cloud service next week. It said it will allocate its customers a region where their information will be physically stored, but said it could not guarantee that it would tell EU customers' details if US authorities sought access to their data.

"In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)," Microsoft said in its online data storage services' privacy policy.

"As a general rule, customer data will not be transferred to data centers outside that region," Microsoft said in an explanation about geographic boundaries for its new service.

"There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (eg, for technical support, troubleshooting, or in response to a valid legal subpoena)," the explanation said.

The USA Patriot Act caused controversy in Canada in 2008 when a Canadian university told its staff and students not to send private data over an email system.

The system was outsourced to the US, prompting staff to lodge an official grievance against the university.

Staff complained that the fact that their emails are routed through the US meant their contents were vulnerable to interception by US authorities.

Microsoft can already transfer personal data from Europe to the US under a special agreement drawn up by the European Commission and US Department of Commerce.

The Safe Harbor scheme allows US companies that meet the requirements of the EU's Data Protection Directive to transfer EU data to the US.

EU companies are generally prohibited from transferring personal data to countries outside the European Economic Area unless there is adequate protection for that data.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Providing a secure and efficient Helpdesk

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.