Thursday, 14 July 2011

UK Companies signing up for Office 365 could find themselves breaking the law

In London, at the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, admitted that data residing in Microsoft’s European Data Centres is not protected against the US’s Patriot Act.

The question put to Mr Frazer:

“Can Microsoft guarantee that EU-stored data, held in EU based data centres, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?”

Frazer explained that, as Microsoft is a U.S.-headquartered company, it has to comply with the United States law.

Though he said that “customers would be informed wherever possible”, he could not provide a guarantee that they would be informed.

He said: “Microsoft cannot provide those guarantees.”

The UK Data Protection Act forbids an organisation acting as a “Data Controller” from passing user data outside the European Union unless the recipient country provides guarantees as to how the data will be used.

Because Microsoft must comply with the US Patriot Act, and is not obliged to inform UK organisations when it has transferred their user data outside the EU, it clearly will not be providing any guarantees as to what that data is to be used for. Microsoft could therefore inadvertently put its UK customers in breach of UK law.

So how would anyone know?

If a UK user submits a Freedom of Information Act request asking the UK organisation to divulge whether or not their data has been transferred out of the EU, that organisation in turn may feel obliged to submit its own FOI request to Microsoft UK, which would be obliged under UK law to investigate and reveal whether this has in fact occurred.

If it had, then the UK “Data Controller” organisation would be in breach of the Data Protection Act and could be subject to heavy fines, or could lose its Data Protection registration, preventing it from holding any user data in future.

UK organisations may find it less risky to procure cloud-based services from an EU company rather than a US-based vendor, to avoid potentially high fines, the legal fees of defending claims of breaching the Data Protection Act, and the potential loss of their Data Protection Act registration.