Microsoft's sovereignty debacle: Between "flowery advertising" and "no panic"

Digital sovereignty from a US hyperscaler: Microsoft, too, wanted to guarantee it. Whether that still holds is now in doubt, or not, depending on which expert you ask.


A simple answer is making waves: Microsoft cannot guarantee under oath that data belonging to EU customers will not be handed over to US authorities in the event of a request. Although the hearing concerned the French UGAP, the potential impact is far greater, because US cloud providers are currently trying to win trust in the EU with promises of sovereignty, and a statement like this plainly undercuts them. To put it in context, we asked two experts for their assessment.

Dennis-Kenji Kipker

Dennis-Kenji Kipker is Professor of IT Security Law at Hochschule Bremen, where he works at the interface of law and technology in information security and data protection.

Stefan Hessel

Stefan Hessel is a lawyer and salary partner at reuschlaw in Saarbrücken. As Head of Digital Business, he advises national and international companies on data protection, cybersecurity and IT law.

Dennis Kipker, Research Director, cyberintelligence.institute, sees the fears confirmed:

Microsoft's concession does not come as a surprise – but is nonetheless insightful, as Microsoft has explicitly advertised measures in the past that are supposed to ensure greater data security in transatlantic data exchange or exclude access wherever possible.

It now turns out that these flowery advertising promises, the discussions about data boundaries and partially sovereign clouds are not effective protection mechanisms. This is all the more fatal as decisions made by companies and government institutions regarding secure and sovereign data storage depend on these advertising promises and it is now becoming clear that Microsoft's security promises are built on sand.

Microsoft admits that access has not yet occurred. However, this has not been the subject of the public debate so far, which has only ever been about how the risk of access can be reduced or eliminated through legal, technical and organizational measures. And this brings us back to the old adage: as a US company, Microsoft must comply with US jurisdiction, no matter what the advertising promises say.

And even if it is argued that the authorities in the EU also have corresponding powers of access that are comparable to US law, this is misguided. After all, in Germany and throughout the European Union, we have a fundamental right to data protection that is enshrined in the constitution. There is nothing like this in the USA.

It is therefore all the better that this revelation has now become official so that companies and authorities can take it into account when weighing up the risks involved in cloud procurement decisions.


However, Stefan Hessel, lawyer at reuschlaw, takes a different view of the situation:

A Microsoft manager's statement that he could not guarantee that the data would be protected from transfer to the US is often seen as evidence of a loss of control when using US cloud providers. However, this conclusion falls short and ignores key legal framework conditions.

First of all, there is no transfer to a third country if the cloud contract with the EU subsidiary clearly stipulates that the data is processed exclusively in the European Economic Area. The case is therefore fundamentally different from a direct data transfer to the USA or to the US parent company, where direct access by the US authorities is possible. Instead, the core issue is the CLOUD Act. This obliges US cloud providers to grant access to data on request, even if it is not processed in the USA. It is often concluded from this that US cloud providers could force their European subsidiaries to hand over data.


However, this is not legally tenable. EU subsidiaries of US companies are subject to European law like any other EU company and are bound by the GDPR when processing personal data. According to Art. 28 para. 3 GDPR, cloud providers as processors may only process data on the instructions of the customer. An exception to this principle only applies if they are obliged to process data under EU law or the law of an EU member state.

Non-European laws such as the CLOUD Act may not be taken into account. According to Art. 48 GDPR, personal data may only be disclosed to authorities in third countries such as the USA by way of mutual legal assistance. However, if this procedure is followed, it is also possible that the customer will not receive any notification of the data transfer. This is because Art. 28 para. 3 GDPR also stipulates that notification must be omitted if there is an important public interest to the contrary.

EU subsidiaries of US cloud providers may therefore only comply with requests for disclosure from their parent company if the requirements of the GDPR are met. The European data protection supervisory authorities and courts can fully review whether this is the case and effectively punish any infringements. So there is no need to panic.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.