Microsoft cloud security issues
Updated August 2011
Microsoft has admitted that it may be required to disclose European customers' personal data, held on a new cloud service, to US law enforcement agencies without customers' prior knowledge.
The US Patriot Act, which was introduced as an anti-terrorist tool, gives US law enforcement authorities a right of access to information held by US companies regardless of where it is held. However, this is in direct conflict with the EU Directive on Data Protection, which requires organisations to inform users if their personal information is disclosed.
Members of the European Parliament have asked the European Commission to clarify whether the Patriot Act overrules the EU Directive on Data Protection, and if so, what can be done to rectify the situation to ensure that US legislation does not take precedence over EU data protection laws.
As a general rule, European companies are not permitted to transfer personal data to countries outside the European Economic Area unless adequate protection is in place for that personal data. Companies can transfer personal data from Europe to the US under a special agreement (the US Safe Harbor scheme) between the European Commission and the US. However, the relevance of this scheme has now been called into question as, regardless of whether an organisation is signed up to the safe harbour principles, US companies may still be obliged to disclose information under the US Patriot Act.
Much depends on how the European Commission responds to the calls for clarification. However, in the interim, for European companies that have personal data in the cloud, the only way to ensure compliance with data protection requirements is to seek out a cloud solution provider that can guarantee that their data will stay within Europe. This is unlikely to include any US providers.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
Contact
Alison Deighton
Partner
Tel: +44 (0)117 917 8016