Microsoft to agree to local storage of foreign users' data

According to the Financial Times, Microsoft is going to break from the pack of other cloud service providers by agreeing to store data locally. FT.com content is behind an annoying paywall, but here's the gist of it along with some commentary.

Microsoft to shield foreign users’ data - FT.com

By James Fontanella-Khan in Brussels and Richard Waters in San Francisco

Microsoft will allow foreign customers to have their personal data stored on servers outside the US, breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal.

Brad Smith, general counsel of Microsoft, said that although many tech companies were opposed to the idea, it had become necessary following leaks that showed the US National Security Agency had been monitoring the data of foreign citizens from Brazil to across the EU.

“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides,” he told the FT. ...

This decision seems to be based on (or appealing to) the fiction that the location of data is somehow determinative of whether law enforcement or national security folks can get access to data. As I said, it's mostly a fiction. Governments can assert control over things, or people, or entities on a number of bases. One of them is the presence of the thing (a server) in the physical jurisdiction, but most importantly is the presence of the person who can obtain and hand over the data.

... Some critics of the idea have questioned whether such a move would be effective in putting the personal data of non-Americans outside the reach of the NSA, since US tech companies have to hand over information about specific users when ordered to by a secret US court, regardless of where it is held.

However, keeping the information off US soil and under local data protection rules should make it harder for the NSA to tap into illicitly, Mr Chester said. “If the data are not being transported, then it does stop that kind of access.” ...

While this isn't really a solution to the principal problem that many people associate with the USA Patriot Act and the FISA Amendments Act, it may be an economically rational decision since many customers will only ask where the data is, rather than what it really means.

Mr Smith acknowledged that it would be expensive but added “does it mean that you ignore what customers want? That’s not a smart business strategy.” ...

I do agree, however, that the big question which is the driver behind all of this needs to be addressed at a government-to-government level.

Mr Smith also said that the US and EU should consider signing an international agreement that ensures they will not try to seek data in each other’s territory via technology companies.

“If you want to ensure that one government doesn’t seek . . . to reach data in another country, the best way to do it is . . . an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process.”

He argued that the existing “Mutual Legal Assistance Treaty” mechanism used by the US and EU to protect individuals’ rights from the two blocs is outdated: “It needs to be modernised or replaced.”

Privacy Commissioner of Canada offers outsourcing guidance

Today, the Office of the Privacy Commissioner of Canada posted a "Fact Sheet: Privacy and Outsourcing", which leads to two resources depending on whether you're looking at the public sector (Privacy Act) or the private sector (PIPEDA).

The fact sheets are mostly a collection of useful links and resources, though there are some general statements. The one the I find most interesting is the following:

Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.

When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.

This has consistently been the position of the OPC, starting with a PIPEDA finding from 2005 when the Commissioner said that a bank should (not must) advise customers that the processing of data will be outsourced to a US service provider. I have to note, though, that PIPEDA doesn't contain any actual obligation to provide such notice. So I'm not sure where the obligatory language from the OPC's new fact sheet comes from.

In any event, the fact sheets do provide useful information about the OPC's take on cross-border outsourcing.