Cloud Safe
Image from Shutterstock.com

With American legal agencies claiming they have the right to demand customer data from U.S. companies stored anywhere in the world Canadian data centres have been expanding here to get the business of organizations worried that records of customers here can be reached by U.S. subpoenas.

Those data centres may soon have new partners if companies follow the lead of Microsoft.  The software company announcing a deal Wednesday in Germany that will see telco Deutsche Telecom build two data centres next year and become the data trustee for European customers of Microsoft cloud services. To lower the odds of U.S. courts getting access to that data, Microsoft won’t be able to access records without the telco’s permission.

In other words — in theory — the data isn’t under Microsoft’s control. That’s a key factor in U.S. laws that say American companies can be compelled to produce any record under their control, regardless of the country the data is held in.

“Microsoft is pioneering a new, unique, solution for customers in Germany and Europe. Now, customers who want local control of their data combined with Microsoft’s cloud services have a new option, and I anticipate it will be rapidly adopted”,  Timotheus Höttges, Deutsche Telecom CEO said in a statement.

Will Microsoft and other U.S.-based companies — such as IBM, Hewlett-Packard or Salesforce — try the same strategy here?

Yes, says Toronto privacy lawyer Barry Sookman of the firm McCarthy Tetrault. Putting customer data under trusteeship of a third party won’t completely block a U.S. court order, he said in an interview this morning. But it will be helpful.

“If the implication is that Microsoft will not have access to data then that will likely diminish Microsoft’s obligation to comply with Patriot Act orders they provide data on European citizens,” he said. However, he cautioned, American authorities have other ways to get at the data, such as mutual legal assurance treaties with foreign countries (including Canada). But in that case U.S. authorities would need the co-operation of the country.

Earlier this year Microsoft said it will build two new data centers here — in Toronto and Quebec –to meet data residency worries.

Sookman also sees the Deutsche Telecom arrangement as a way to counter a decision last month by the Court of Justice of the European Union (CJEU), and an ongoing fight with the U.S. Justice department demanding access to Microsoft customer data held in Ireland,

The CJEU decision invalidates the EU-U.S, privacy safe harbour agreement. That agreement provides that transfers of personal data to the U.S. from European Union countries is adequately protected if safe harbour principles are followed. With that agreement struck down, personal data can’t be moved across the Atlantic, even for corporate reasons.

Sookman pointed out the CJEU decision also imperils a safe harbour agreement the EU has with Canada.

Meanwhile Microsoft and the U.S. Department of Justice have been tied in a legal fight over a demand for access to certain email held by the software company in Ireland. The case is now before an appeal court.

Microsoft CEO Satya Nadella told the Financial Times the Deutsche Telecom deal was designed “to earn both trust of our global customers and operate globally. That’s at the cornerstone of how we’ve done business and how we will continue to do business.”

In fact, at the same time Nadella announced the deal with the German telco it also said it will expand its regional datacentres in Ireland and the Netherlands to offer more Azure and Office 365 services in Europe. However, customers will have a choice of having data stored in the Deutsche Telecom facility — at a premium price yet to be disclosed.