Microsoft has reportedly dealt a blow to its claims that foreign data sovereignty is respected, admitting it processes UK data overseas.
Data sovereignty is an increasingly important element in cloud computing, as governments work to ensure data for their companies and citizens is processed in accordance with their laws, rather than the laws of other jurisdictions. The EU and the UK both have laws requiring cloud providers to guarantee data sovereignty.
According to Computer Weekly, Microsoft has admitted to the Scottish Police Authority (SPA) that it cannot guarantee that data collected in the UK will remain within the country, and that data is regularly transferred overseas for processing.
“They’ve confirmed for the first time that a guarantee of sovereignty for data at rest (which is what they give) does not extend to data being processed (which is what everyone chose to assume) and does not cover support (which everyone ignored),” said Owen Sayers, a security consultant who filed the freedom of information (FOI) request that resulted in the revelation.
“The sovereignty measures committed to by Microsoft do NOT extend to support of any services – this will always be likely to result in international transfers.”
The issue is made worse by the fact that the data in question is related to police operations, making it far more sensitive than data collected or processed on behalf of individual cloud users. With the FOI request, UK law enforcement can no longer claim ignorance regarding how Microsoft handles such data.
“A line has been drawn beneath the period of ‘we didn’t know’ and anyone using this technology now is knowingly breaching UK law,” he said.
In a statement to Computer Weekly, Microsoft said it previously worked with UK police forces on the issues.
“Microsoft has strong data protection and data residency commitments for Azure, which hosts Axon’s Digital Evidence Sharing Capability,” said a Microsoft spokesperson. “We have not made any contractual commitments that change how Azure services already run. We have worked with Police Scotland to clarify how Azure operates to help them determine that they can use DESC on Azure in compliance with the obligations for law enforcement set out under Part 3 of the Data Protection Act 2018.”
It remains to be seen if there will be additional fallout from the FOI revelation, or if other jurisdictions will follow up with their own investigations. Either way, the situation reveals the challenges that exist with cloud computing and maintaining data sovereignty and data privacy.