Cloud Privacy: Why is this month a turning point?

Microsoft are involved in a landmark lawsuit at the moment against the United States government. It’s known as the “Microsoft Ireland” case and, to put it (very) simply, this is Microsoft fighting on behalf of the entire technology industry over privacy issues on data which is stored in the Cloud.

It’s a big deal – and not just for the US. The result of this case could affect the way we do business globally, and this case has made the dissolution of the Safe Harbour agreement all the more important. A decision on what to replace Safe Harbour with must be met by the 31st January deadline – I’ll come onto that later.

To give you a quick overview of Microsoft Ireland, the case started in 2013 when Microsoft refused to hand over the email (Hotmail) contents of an individual that the US government were investigating for narcotics crimes, after being asked to do by a New York district court judge (asked to do so is a polite way of putting it – Microsoft had a warrant placed against them).

The data within the emails was mainly held in Microsoft’s data centre in Dublin. Microsoft argued that the US government had no right to access data that was being held outside of the US and refused to adhere to the warrant, placing them in contempt of court.

Microsoft stated to the effect that all data should be protected by the laws of the country in which its servers are located, and usurping that would set a dangerous precedent for the future privacy of data stored in the Cloud. Not to mention put potential damage towards their cloud strategy outside of the United States.

The Irish Government have given their support to Microsoft, and said that the contents of the emails should only be disclosed to them. There is then the option of using a legal assistance treaty with the US, which exists to allow countries to share information of national/security importance about their citizens.

Although, as The Register points out, there may not be one still in force between Ireland and the US (and it’s looks unlikely that it was something the New York judge even considered when issuing the warrant to Microsoft to hand over the data) and, if not:

“Dealing with sovereign governments would take too long and, if they did not cooperate, would leave the US government without access to the data. The easiest way to get access to data, therefore, will always be via the US cloud provider.”

[Microsoft vs the long arm of US law: Straight outta Dublin – The Register]

It has brought the issue of where to draw the line between public safety and people’s right to privacy to the forefront. A decision must be made about that line – and that decision may well have a dramatic impact on the technology industry.

Microsoft are currently appealing the warrant. As well as the Republic of Ireland government, they have been publicly supported by other technology companies including Apple and AT & T who agree with Microsoft that a ruling which supports a government’s claim/right to retrieve data from anywhere in the world sets a dangerous precedent, which circumvents local authorities.

It could also cause businesses outside of the US to question where they store their data and who with (which they should question of course – but for the right reasons).

For example, a local/ in country hosting provider may well argue the case that US cloud companies like Microsoft or Amazon will give the US government access to everything, no matter where your data is stored. So why go with them when you could go with us and we can protect your privacy better?  It’s a lot less black and white than that of course.

This whole situation is further impacted by the dissolution of the Safe Harbour agreement in October last year.

Safe Harbour had stood since 2000. It allowed companies to transmit data between the US and Europe without going through complicated legal barriers in each country – instead it was based on 7 principles taken from the Data Protection Act of 1998, which companies would self-certify themselves as adhering to.

What ultimately prompted the dissolution of the agreement was a question around mass data collection brought up by Austrian law student Max Schrems, also a privacy activist.  He had concerns with Facebook Ireland (Facebook’s European headquarters) around the transfer of personal data to their US headquarters.

Edward Snowden’s mass exposure of US government documents didn’t help either. This revealed the extent of the US’ National Security Agency (NSA) apparent ability to obtain certain data without getting a warrant.

But it was the Facebook court case which caused the decision to dissolve Safe Harbour almost overnight.  Which means a new agreement is now needed.

Brad Smith, Microsoft’s President and Chief Legal Officer, has argued that the Safe Harbour agreement was probably out of date anyway and we needed a better resolution in place: “Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud,” he said on Microsoft’s blog.

“Privacy really is a fundamental human right” he continued.

There isn’t much time though. The EU data protection regulators have set the 31st January 2016 as the deadline for a new data sharing agreement to be reached.

The alternatives if an agreement can’t be found? A huge legal nightmare, not to mention lots of additional expense, for any European business who needs to share data with American companies. And vice versa.

US companies will not only have to abide by European law, they will have to abide by the laws of the country they’re doing business with. I’ve read some of the FCA documents that show proposed guidance on what you should adhere to when moving to Cloud services. The sheer complexity boggles the mind – it’s no wonder Safe Harbour found its existence.

The UK is a global leader when it comes to embracing business Cloud solutions. Microsoft recently released the figure of 84% – the percentage of UK companies who have adopted the Cloud.

This is one of the reasons why Microsoft are opening two UK datacentres this year – so that UK companies who need to (or want to) can have their data stored on UK soil, rather than in Ireland or the Netherlands which are the current European data centre locations. Office 365, Microsoft Azure, and Microsoft Dynamics CRM Online are among the main services being provided in the UK.

Where these new data centres are going to be, we don’t know yet. There are a lot of factors to consider – not least the question about whether there might be another Scottish referendum and if so, whether Scotland will remain part of the UK.

There is no sign of the Cloud’s popularity slowing down. Microsoft want to strengthen the position of Azure in UK and it is an incredibly robust and secure product (it has to be – Microsoft’s reputation relies on it). Plus Amazon announced at a coincidentally (or not) similar time that they were planning to have a UK data centre this year too.

Just this week Microsoft announced they were donating $1bn in cloud resources to non-profits and university researchers over the next three years. About which Satya Nadella said, “Microsoft is empowering mission-driven organisations around the planet with a donation of cloud computing services – the most transformative technologies of our generation.”

So given the investment by US companies in the cloud to support European companies, we should all be watching closely for the outcome of Microsoft Ireland and the Safe Harbour agreement.

Microsoft is urging the US government to update their laws in respect of the mobile world we now live in, because the vast amount of data we use is not being stored locally. And the existing laws were written at a time when they were. The game has completely changed because of the Cloud.

The main thing is that this is not an issue which should be allowed to remain unresolved. If the 31st January deadline gets missed, there are potential penalties and sanctions for any company transferring data across the Atlantic without going through the proper channels.

All this shows the complete evolution of privacy issues. Any questions we have over who could read our information are being addressed right now.  And we must pay close attention.