In a recent blog post, Julie Brill, Microsoft’s VP for Privacy and Regulation, pledged to safeguard user data by challenging data requests to fulfill the requirements of GDPR. The sentiment is respectable, and adding contractual commitments shows that Microsoft cares about data privacy. They even go so far as to offer to pay people if and when this strategy to protect user data is unsuccessful. This practically means Microsoft commits to compensate users for violations of their data privacy under certain circumstances.
Why it doesn’t work for all your data
Sadly, the regulatory framework in the US right now contradicts this careful and respectable stance. There are, for example, FISA court subpoenas in the US that regularly aren’t disclosed to the data subject, meaning the affected user might never learn about a disclosure. There are also government requests that there is no lawful basis to challenge, such as those made on national security grounds. Either way, Microsoft cannot simply wish the contradictions between US and EU data protection regulation away – those contradictions are the grounds for the ECJ ruling in July, also known as Schrems II, that invalidated the Privacy Shield data transfer framework. Also, paying up when unable to protect data isn’t something that Microsoft can choose to do to placate affected users; it is a requirement according to GDPR. We also think that the breach of GDPR happens well before the disclosure of data: it already occurs when relevant data is stored within reach of the government agencies of a country for which there is no adequacy decision. In conclusion, storing data in public clouds run by US providers only works for data that isn’t privacy sensitive.
But we want to use Microsoft anyway!
Look, we know this is hard. Users, especially in organizations, love Microsoft products. Most of us, even our Linux-loving developers, once had Windows on their first PC. IT procurement managers love Microsoft, as does a vast ecosystem of partners, service providers and resellers. And we know that Microsoft is passionate about great productivity software and wants to provide it to users around the world. To make its tools more integrated, it wants to put them all into the cloud, preferably its own public cloud.
In a world where anyone, regardless of location, could trust in the confidentiality of their files, we would not have to have this conversation. Sadly, there are government actors in this world that forcibly gain access to other people’s and organizations’ data, whether for legitimate law enforcement reasons, espionage or for the illicit but all too familiar rationale of giving homegrown companies a competitive edge. And there is, depending on your location, a wide spectrum of different expectations of privacy protections and the rule of law.
In search of a safe place
There are countries with whose public cloud providers no western company executive in his right mind would choose to store data. Some are even on embargo lists and viewed as adversarial nation states. In other countries, foreign firms have slim chances of legal redress when their data is illicitly used.
The US should not be part of such considerations. It is after all the land of the free, but sadly it is also the land of the Patriot Act and the land of the Cloud Act, the rather euphemistic acronym for Clarifying Lawful Overseas Use of Data Act. There is no one comprehensive federal data privacy regulation in the US.
In the European Union, we think we have found a balance between the right to privacy, appropriate investigative powers for law enforcement and reasonable, but not overburdening, obligations for organizations when it comes to protecting user data. Sadly, as a continent and a single market, we seem to lack the digital sovereignty to push this balance, codified in law and upheld by the courts as in the ECJ ruling against the US tech giants.
What Microsoft could do
From our users’ and customers’ perspective, Microsoft should just go on selling its current on-premises products beyond 2025. It should offer client software that does not call home, not even for telemetry, and offer a possibility to switch off features that require data transfers to clouds that are in the scope of the US Cloud Act, so users in the EU can use these products without fear of maybe violating GDPR. Microsoft should continue to embrace open standards so its software can interact seamlessly with other, namely open-source, software.
Coping strategy: Divide and conjure
Organizations should think about what they can do to prevent data flows that are incompatible with GDPR – while continuing to use Microsoft products. One possibility is to set up a sovereign file cloud as a supplement to storage with public cloud providers like Microsoft’s, and to tag files relevant to GDPR compliance. Those files can then be handled automatically, driven by policy, exclusively within the sovereign file cloud, set up either on-premises or with a trustworthy storage provider based in Europe or in a country that has adequacy status according to GDPR. There’s nothing wrong with using Microsoft Word to open a job application by a European citizen for a position with a European company, if this file is stored in a sovereign file cloud. It automatically syncs the file to the computer which runs Microsoft Word, and each step of processing and storage of this file – clearly relevant to GDPR – happens under the control of the company and within the scope of GDPR.