By Kelley Chittenden
In an attempt to assuage data security concerns in the cloud, Microsoft Corporation recently announced the decision to offer European customers an option to store their cloud data in German data centers under control of T-Systems, a subsidiary of Germany’s largest telecommunications company, Deutsche Telekom. In the words of Deutsche Telekom’s CEO, Timotheus Höttges, “Microsoft is pioneering a new, unique, solution for customers in Germany and Europe. Now, customers who want local control of their data combined with Microsoft’s cloud services have a new option, and I anticipate it will be rapidly adopted.”
The Financial Times reports Microsoft’s lawyers believe they have devised “bulletproof” legal arrangements in Germany. The company plans to offer cloud services such as Azure, Microsoft Office 365, and Dynamics CRM Online from two data centers located in Germany under the third party control of a “trustee model.”A trustee model restricts Microsoft from accessing customer data without consent of the customer or the third-party trustee, the T-Systems subsidiary, which operates under German data protection law – even if the United States government requests it. If Microsoft receives permission to access customer data in the German data centers, its access requires trustee supervision. In theory, the partly state-owned Deutsche Telekom will assume responsibility for approving data transfers in a neutral fashion.
Microsoft CEO Satya Nadella believes German data centers will “offer customers choice and trust in how their data is handled and where it is stored.” The German data center plan is a direct response to growing European concern over perceived inadequacies of U.S. data protection and fear sparked by the 2013 Edward Snowden revelations that U.S. agencies such as the National Security Agency can access customer data of non-U.S. citizens that use Microsoft cloud services. Last month, the European Court of Justice struck down the “Safe Harbor” agreement between the United States and the European Union as invalid. The pact permitted participating U.S. companies to transfer European customer data to U.S. data centers in compliance with EU data protection law.
Microsoft currently has twenty-four cloud “regions” and is spending £1.3 billion to expand its data center network in the Europe. Ars Technica points out that the significance of the announcement to unveil German data centers lies in the act of handing operational control to a local company under local law rather than simply installing local servers. The approach could potentially avoid situations such as Microsoft’s current dispute involving U.S. authorities demanding access to customer data located in Ireland in which U.S. technology companies struggle to comply with both U.S. law and EU data protection law.
On the other hand, releasing control to third-party, European companies could also be characterized as an acknowledgement that the United States cannot adequately protect data on its own. In the Financial Times, Stefan Heumann from the German think tank, Stiftung Neue Verantwortung, warns that the trend toward data localization may even lead to the danger of “Balkanizing” the Internet and notes the irony of purposeful fragmentation in the midst of advances toward unifying the digital market. In fact, the very nature of the cloud is non-territorial and location independence is a core aspect. For example, utilizing data centers across multiple jurisdictions allows the sharing of resources by customers in different time zones with peak usage hours occurring at different times and for seamless transfers in the event of failed infrastructure or natural disasters. In other words, data localization might ultimately dilute the benefits of the cloud.