Microsoft to Use German Data Centers for Privacy

November 16, 2015

Microsoft recently announced modifications to its data network for cloud services designed to enhance user privacy.  Those modifications involve keeping customer data out of the United States and under the control of “data trustees” in an apparent effort to reduce the risk of U.S. government surveillance and to facilitate compliance with European data privacy requirements.  This approach may become increasingly popular in the near future.

Microsoft indicated that it will make use of three data centers in Germany, in Frankfurt, Magdeburg, and Main.  Those centers will be used to store data from Microsoft cloud service customers located in Germany, the European Union, and the European Free Trade Association.

Worth noting is the fact that the data stored in those centers will not be under the control of Microsoft.  Instead, the German company, T-Systems, a subsidiary of Deutsche Telekom, will manage the data.  Acting in the role of “data trustee,” T-Systems, not Microsoft, will have operational control over the data of Microsoft’s European cloud customers.

Microsoft has apparently concluded that by storing the data outside of the United States, and by denying itself access to that data, the risk of U.S. government access to the data is significantly reduced.  This environment thus seems to provide greater privacy for the data of the European customers.  That enhanced privacy could also make it easier for Microsoft to ensure compliance with European data privacy rules, which are generally more rigorous than those in the United States.

The details associated with the data trustee arrangement have apparently not been publicly disclosed.  Presumably, Microsoft is obtaining the data trustee service from T-Systems through some form of contractual arrangement.  It would be interesting to identify the terms associated with that service, particularly those addressing issues such as data access and security.

Disclosures by Edward Snowden and others have indicated that National Security Agency surveillance includes monitoring of major international communications facilities.  Accordingly, it seems that even the measures now being taken by Microsoft cannot fully ensure that the data of Microsoft’s European customers are protected from U.S. government access.

Microsoft’s strategy does appear, however, to increase the privacy of the data from European users of cloud services.  It could make U.S. government surveillance at least somewhat more difficult.  The structure could also reduce, at least in part, the ability of law enforcement authorities in the U.S. to access European customer data through U.S. court orders.

This enhanced privacy could prove to be quite attractive to potential customers and might provide Microsoft with an advantage over other American companies in the competition for European customers.  This dynamic could encourage the other American companies to establish similar network configurations for cloud service offerings in Europe and other regions of the world.  It is reasonable to anticipate that an increasing number of data service providers will experiment with different versions of the offshore data trustee system.