Microsoft recently announced that the company will open two datacenters in Canada, to provide its Azure cloud service to the Canadian Government and businesses operating in that country. Kevin Turner, Microsoft’s chief operating officer, said “this substantial investment in a Canadian cloud demonstrates how committed we are to bringing even more opportunity to Canadian businesses and government organizations, helping them fully realize the cost savings and flexibility of the cloud.” (To read the full press release from Microsoft, see here.) In an article in Toronto’s Globe and Mail newspaper about the announcement, Janet Kennedy, president of Microsoft Canada, said, “there is no technical reason to do it.” The main reasons are data sovereignty and residency.
Data residency deals with where data is physically located and where it should not go without agreement from its owner. Data sovereignty focuses more on why and how a government should protect the data located within its jurisdiction, regardless of its ownership, from foreign government agencies.
These data issues have been hot topics on both personal and business levels, especially after the Edward Snowden incident. Since then, foreign government agencies and companies have tried to mitigate the risk of leaking their information. For example, the German Government terminated its contract with Verizon in favor of Deutsche Telekom shortly after reports of the NSA’s spying activities were disclosed by Snowden. In the Canadian Government’s case, the government was not willing to store its sensitive information in the United States, where it might be subject to investigation by the U.S. Government. Microsoft responded to the Canadian Government’s concern by proposing the new datacenter plan. (In 2014, Microsoft had launched a cloud service called Azure Government, dedicated to servicing the U.S. federal government via a datacenter isolated from the rest of the Azure network.) Although Microsoft is not the first or only cloud provider dealing with data sovereignty and residency issues, it has been thrust into the center of the debate.
With the emergence of the cloud industry, physical borders between countries have become porous, and in several instances governments have tried to subpoena data physically located in another country. One notable example is a U.S. Government court order for Microsoft to provide a customer’s emails and other data stored in Microsoft’s datacenter in Dublin, Ireland. The government’s argument is that there is no need for an American citizen to step on Irish territory to retrieve the data; a couple of keystrokes is all it would take. Microsoft, on the other hand, believes that electronic access to the datacenter should be considered as entering Irish territory, since the actual data is located in Dublin. The company has yet to provide the data and is appealing the court’s decision.
Brad Smith, Microsoft’s General Counsel and Executive Vice President of Legal and Corporate Affairs, has been addressing the conflict in the Microsoft on the Issues blog. Smith argues that Microsoft will not ignore the opinions of the 96 percent of the global population outside the United States.
More than 20 tech companies such as Apple and Cisco, as well as various interested organizations, have provided amicus briefs in support of Microsoft’s position in the case. The Irish Government also expressed its support for Microsoft; it insists that it would cooperate with the United States to facilitate the process, but that the United States should not bypass regulations that are currently in place.
To avoid potential disputes and to protect data, some countries have established regulations that prevent data not only from being subpoenaed, but also from being accessed and distributed to another country without consent. The European Union is in the process of finalizing its General Data Protection Regulation which, among other things, will limit the export of personal data and ask every global organization based in Europe to appoint a data protection officer. (Countries outside the European Union with data residency restrictions include Argentina, Australia, China, Mexico, New Zealand, and Russia.)
Recently, Microsoft started providing statistics on law enforcement requests, thanks to the USA Freedom Act, just enacted on June 2, 2015. In a report to be published every six months, Microsoft informs readers of its “principles in responding to government legal demands for customer data”:
- “[Microsoft] require[s] a valid subpoena or legal equivalent before [it] consider[s] releasing a customer’s non-content data to law enforcement;”
- “[Microsoft] require[s] a court order or warrant before [it] consider[s] releasing a customer’s content data;”
- “In each instance, [it] carefully examine[s] the requests [it] receive[s] for a customer’s information to make sure they are in accord with the laws, rules and procedures that apply.”
In the second half of 2014, data from 52,997 accounts were requested by law enforcement agencies around the globe in a total of 31,002 requests. Only 7.55% of the requests were rejected outright by Microsoft, and the company disclosed the data contents of 3.36% of the accounts requested. (In the majority of requests, Microsoft only disclosed subscriber or transaction information, not account contents. See the full report from Microsoft here.)
Microsoft is trying its best to protect itself and the cloud industry by setting a precedent with the Dublin case. Nevertheless, even if multiple countries are focusing efforts on preventing their own businesses from suffering data-related controversies, cloud service users and providers should not disregard these issues. As the cloud industry and the IoT grow, the data generation rate is going to increase exponentially. All businesses using cloud services must now consider data residency and sovereignty, in addition to data privacy and security.
This blog post was researched and written by Se Jin Park, VDC Research Assistant (with Steve Hoffenberg)