The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Microsoft to offer cloud services from servers in Germany hosted by German company

Readers who have followed my many posts on the pending Second Circuit case on U.S. access to foreign-stored e-mails might be interested in this development:

Microsoft has moved to dispel European mistrust of U.S.-operated cloud services by announcing a plan to offer cloud services, including Azure, Office 365 and Dynamics CRM Online, from data centers in Germany that are also operated by a third party company—in a so-called trustee model.

Commenting on the launch in a statement, CEO Satya Nadella said the trustee model will offer customers in Germany and Europe "choice and trust in how their data is handled and where it is stored". . . .

Microsoft said its 'cloud in Germany' will launch in the second half of 2016, and will be operated under German law by T-Systems, a subsidiary of telco Deutsche Telekom. The two data centers will be based in Magdeburg and Frankfurt am Main, with Microsoft stressing this "data trustee" model means it will not have any access to customer data without the consent of the trustee, and that it cannot therefore be compelled—"even by a third party"—to hand over customer data.

The story brings to mind what I wrote in this post on the Microsoft case:

If I'm reading the Magistrate Judge's opinion correctly, you're always interacting with Microsoft in the United States when you set up a Microsoft e-mail account. That's true regardless of whether you live in New London, Connecticut or London, England. If you're abroad, Microsoft might decide to place your e-mail on a server abroad to make it quicker for you to access your e-mail. But Microsoft in the United States maintains control of the account and maintains some records on United States servers. When a government comes to Microsoft seeking records pursuant to legal process, Microsoft activates its Global Criminal Compliance ("GCC") team from inside the United States to gather the records. The GCC team members in the U.S. gather the records from around the world, pulling them from servers wherever they are located.

Microsoft's decision to base everything in the U.S. might be very significant for the privacy implications of Microsoft e-mail accounts. If the U.S. government serves a warrant on Microsoft in the U.S. for the records, Microsoft in the U.S. has access to all customer data from around the world. They can get all the e-mails with a push of a button.

But Microsoft didn't have to set things up that way. They could have designed their business so that if you sign up for an account from outside the U.S., your relationship is entirely with the company's foreign subsidiary and the data isn't directly accessible from inside the United States. For example, when you sign up for a Yahoo account from Europe using Yahoo.uk, Yahoo.fr, or a similar European-based service, your legal relationship is with Yahoo EMEA Limited in Dublin instead of Yahoo in the United States. My understanding is that Yahoo keeps its accounts local, apparently at least in part to limit the laws under which it can be accessed.

This difference creates the prospect that a Microsoft loss in the Second Circuit could be addressed, entirely or at least in part, by Microsoft rearranging its network.

Thanks to Keith Kaplan for the link.