Listen to this article
What is Microsoft doing?
On Wednesday, Microsoft said it was creating two data centres in Germany. Crucially, it believes that it has secured legal and technical arrangements to put the information housed there beyond the reach of US government surveillance.
The new facilities are under the control of T-Systems, a subsidiary of Deutsche Telekom, the German telecommunications group. T-Systems will be the “data trustee” and will own the physical buildings, though both companies will contribute “significant capital” to build the centres.
Microsoft said its employees will not be able to access the data held there without explicit permission from the German company. That is critical because even though Deutsche Telekom has sizeable operations in the US, as a non-American company it is not legally subject to the same US data sharing rules.
Will it work?
Following the revelations of US government surveillance activities by Edward Snowden, the National Security Agency whistleblower, European corporate customers and consumers have been anxious about the ability of US tech groups to protect sensitive data. In response, American companies that built business models based on cloud computing services have been scrambling to find a solution.
Microsoft’s lawyers have spent two years devising their German policy, and say they have “bulletproof” legal arrangements with their German partner. They declined to set out what those processes were but as one Microsoft executive put it, if his company does not have the keys to the building, the US government can hardly demand that it open the doors.
Microsoft’s lawyers believe legal challenges are likely. But they say they are on firmer ground with this new arrangement than in a US court case in which the government demanded the company hand over data held on Microsoft servers based in Ireland.
What does this mean for Deutsche Telekom — and can they really stop snooping?
There are clear commercial benefits to Deutsche Telekom and other European cloud providers if, over time, they become the gateways through which US tech companies offer cloud services on the continent.
The incentive to follow Microsoft’s lead is particularly strong in Germany, where officials have made clear to companies doing business with the government that they cannot store data outside the country. “This is a strong signal to the market that if you want to do business in Germany, and you want to retain the trust of your customers, you should look to Deutsche Telekom as a partner,” said Stefan Heumann at think-tank Stiftung Neue Verantwortung. “It gives you complete legal certainty that your services comply with all data protection laws.”
Germany’s opposition Green party called Microsoft’s move an “amazing development”, which showed how data protection was becoming a more important economic factor. “If the German government had recognised this in past years, we would be in a much stronger position than we are now. Unfortunately it completely sleepwalked through the big opportunities which have emerged for both the German and European economy in the sphere of data protection and data security.”
But there are potential costs. The US, German and other governments will still attempt to demand access to information at these data centres. German security services have also been accused of employing their own internet surveillance techniques.
Microsoft may also be forced to find a different partner in each European country in which it operates. “The danger in all of this is that we’re moving to a Balkanised internet,” Mr Heumann said. “It’s ironic that just when we’re trying to build a digital single market, the trend towards data localisation could lead to further fragmentation.”
How will it affect the rest of the US tech industry?
Microsoft says particular customers have asked for data centres to be built under its “trustee” model, particularly German public sector groups which have to satisfy higher standards for compliance under the country’s strict data protection rules. In the wake of Mr Snowden’s revelations, these calls are increasing across Europe from private individuals and multinational companies.
Other US groups may have to adopt a similar model or risk losing privacy-conscious customers to Microsoft. This could add significant cost and complexity to their efforts, while undermining the original vision of a cheap and efficient public cloud available to all, wherever they are in the world.