Microsoft and T-Systems Find Innovative Solution To Address Customer Data Privacy Concerns
The big public cloud providers, most of which are still from the United States, sometimes have a hard time finding ways to balance their legal obligations at home with the quite different sensitivities they encounter amongst their new international customers. For a long time, the toolkit has been pretty consistent: site data centres as close to the customer as possible, vehemently support political efforts to harmonize laws, and occasionally be seen to stand up to the worst excesses of Government over-reach.
(Source: Flickr user Luigi Rosa. Image licensed under Creative Commons Attribution License)
Microsoft's announcements in Germany today appear, on the surface, to follow that model pretty closely. But there's a twist that's potentially very important as we move forward.
First, the standard bit. Microsoft, yesterday, announced that new data centres will be operational in the UK next year, joining existing European facilities in Dublin and Amsterdam. Big competitor Amazon did much the same last week, announcing that a new UK data centre will be online by "2016 or 2017." Given the vague timescales, it might be easy to assume that Amazon was trying to steal a little of Microsoft's thunder with a half-baked pre-announcement. And then, today, Microsoft announced two new data centres in Germany. Amazon already has a facility there, of course.
So, why's this interesting?
The new German data centres will include Microsoft's Azure public cloud, the company's Office 365 productivity suite, and Dynamics CRM offering. So far, so good. But physical and virtual access will be controlled by a 'Data Trustee,' governed exclusively by German law. And German law is a real stickler for privacy. Microsoft, apparently, will have no access at all to the data centre or the data stored there, without the explicit permission of the Data Trustee or the customer. Even if it wanted to, Microsoft couldn't comply with a legal demand from the US Government (or anyone else).
Customers across Europe (it's open to organizations and individuals from the EU and EFTA) may wish to look closely at this offering, weighing up the benefits of increased privacy against the cost premium of running here rather than in Microsoft's 'normal' data centres elsewhere in Europe.
For more on the news, and its implications for cloud providers and their customers, my colleague Enza Iannopollo and I have prepared a Forrester Quick Take – Trust Us, We Are European.
We welcome your thoughts.
As you can probably imagine, there's been quite a lot of interest in this story, particularly in the European press. In a lot of those conversations, there have been variations of the same question. Is this, they asked, a defence against NSA snooping? (They always said 'NSA,' never 'GCHQ,' 'FSB,' or any of the other national agencies prone to poking where they shouldn't). No, it isn't. This is intended to be a defence against legal attempts to compel access to data in foreign data centres. The creation of a Data Trustee does nothing to stop a criminal hacker or a government-sanctioned snooper. T-Systems' physical and virtual security must still take on that job, as it does for their existing cloud offerings like the Open Telekom Cloud.