Feeds

EU cloud data can be secretly accessed by US authorities

US-owned companies bound by Patriot Act, says Microsoft

SANS - Survey on application security programs

Personal information belonging to EU users of US-owned cloud-based services could be shared with US law enforcers without the user being informed, Microsoft has said.

The software giant said it could not guarantee that it would not have to hand over EU customers' data on a new cloud service it has developed whilst keeping details of the data transfer secret.

Cloud services allow internet users to store data online instead of locally.

EU data protection laws state that organisations must tell people when they are asked to disclose their personal information.

These EU provisions might conflict with obligations US-based firms, such as Microsoft, face under US law.

The USA Patriot Act gives law enforcement authorities the right to access personal data held by US-based companies, regardless of where it is stored in the world. The Act also gives law enforcers the right to prevent firms informing the customer that they have had to hand over the information. The controversial law was established as an anti-terrorism tool.

Microsoft is set to launch a new cloud service next week. It said it will allocate its customers a region where their information will be physically stored, but said it could not guarantee that it would tell EU customers' details if US authorities sought access to their data.

"In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)," Microsoft said in its online data storage services' privacy policy.

"As a general rule, customer data will not be transferred to data centers outside that region," Microsoft said in an explanation about geographic boundaries for its new service.

"There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (eg, for technical support, troubleshooting, or in response to a valid legal subpoena)," the explanation said.

The USA Patriot Act caused controversy in Canada in 2008 when a Canadian university told its staff and students not to send private data over an email system.

The system was outsourced to the US, prompting staff to lodge an official grievance against the university.

Staff complained that the fact that their emails are routed through the US meant their contents were vulnerable to interception by US authorities.

Microsoft can already transfer personal data from Europe to the US under a special agreement drawn up by the European Commission and US Department of Commerce.

The Safe Harbor scheme allows US companies that meet the requirements of the EU's Data Protection Directive to transfer EU data to the US.

EU companies are generally prohibited from transferring personal data to countries outside the European Economic Area unless there is adequate protection for that data.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

3 Big data security analytics techniques

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
APPLE FAILS to ditch class action suit over ebook PRICE-FIX fiasco
Do not pass go, do cough (up to) $840m in damages
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.