Feeds

EU cloud data can be secretly accessed by US authorities

US-owned companies bound by Patriot Act, says Microsoft

Boost IT visibility and business value

Personal information belonging to EU users of US-owned cloud-based services could be shared with US law enforcers without the user being informed, Microsoft has said.

The software giant said it could not guarantee that it would not have to hand over EU customers' data on a new cloud service it has developed whilst keeping details of the data transfer secret.

Cloud services allow internet users to store data online instead of locally.

EU data protection laws state that organisations must tell people when they are asked to disclose their personal information.

These EU provisions might conflict with obligations US-based firms, such as Microsoft, face under US law.

The USA Patriot Act gives law enforcement authorities the right to access personal data held by US-based companies, regardless of where it is stored in the world. The Act also gives law enforcers the right to prevent firms informing the customer that they have had to hand over the information. The controversial law was established as an anti-terrorism tool.

Microsoft is set to launch a new cloud service next week. It said it will allocate its customers a region where their information will be physically stored, but said it could not guarantee that it would tell EU customers' details if US authorities sought access to their data.

"In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)," Microsoft said in its online data storage services' privacy policy.

"As a general rule, customer data will not be transferred to data centers outside that region," Microsoft said in an explanation about geographic boundaries for its new service.

"There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (eg, for technical support, troubleshooting, or in response to a valid legal subpoena)," the explanation said.

The USA Patriot Act caused controversy in Canada in 2008 when a Canadian university told its staff and students not to send private data over an email system.

The system was outsourced to the US, prompting staff to lodge an official grievance against the university.

Staff complained that the fact that their emails are routed through the US meant their contents were vulnerable to interception by US authorities.

Microsoft can already transfer personal data from Europe to the US under a special agreement drawn up by the European Commission and US Department of Commerce.

The Safe Harbor scheme allows US companies that meet the requirements of the EU's Data Protection Directive to transfer EU data to the US.

EU companies are generally prohibited from transferring personal data to countries outside the European Economic Area unless there is adequate protection for that data.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Build a business case: developing custom apps

More from The Register

next story
Hello, police, El Reg here. Are we a bunch of terrorists now?
Do Brits risk arrest for watching beheading video nasty? We asked the fuzz
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
Felony charges? Harsh! Alleged Anon hackers plead guilty to misdemeanours
US judge questions harsh sentence sought by prosecutors
This'll end well: US govt says car-to-car jibber-jabber will SAVE lives
Department of Transportation starts cogs turning for another wireless comms standard
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.