Is the Cloud Still a Safe Harbor?

Wednesday, September 30, 2015 by Rainer Stropek


Data protection is an important topic when it comes to cloud computing. This is especially true for customers in Europe. Recently, discussions about whether cloud services can be considered safe for European customers were fueled by a critical statement from the advisor to Europe's top court about the Safe Harbor agreement (read more). In this article I want to describe the current situation in Azure concerning EU data protection laws.

Microsoft Azure and the European Union

Microsoft’s Azure data centers are spread around the world. Currently, there are 19 data centers in six geographic regions (read more).

As the vast majority of our customers are based in Europe, we currently only use the European data centers of Microsoft Azure for time cockpit.

One of them is in Ireland and the other in the Netherlands. Having two data centers in Europe is important because Microsoft uses the data center pair for data redundancy purposes.

If you are in the software business yourself and you think about using Azure like we do, check the Service by Region matrix in Azure’s Trust Center to find out if the services you want to use are available in the European data centers.

Will My Data Ever Leave Europe?

Generally, your data will be stored and processed in European data centers. There are a few exceptions that you have to consider:

  • Application telemetry data used for monitoring and optimization purposes (e.g. data about exceptions, feature usage statistics, etc.) are partly stored in services that are globally available (e.g. Application Insights).
  • Some Azure services are global by nature (e.g. Content Delivery Network that speeds up downloads by distributing the content in data centers all around the world). We will only use such services for technical content necessary to run time cockpit efficiently (e.g. installation packages, logos, static images used inside the application etc.). We will never use such services to store your time cockpit data (e.g. customers, timesheet records, projects, etc.).
  • Microsoft support personnel are located around the globe to provide customer support 24x7. They are allowed to access our data to “provide customer support, troubleshoot the service, or comply with legal requirements” (source).

What About EU Laws for Data Protection?

In contrast to other, mostly consumer-oriented, services, Azure processes and transfers data not only under the Safe Harbor agreement. Additionally, Microsoft implements the EU Model Clauses. Microsoft is the first company to receive approval from the EU’s Article 29 Working Party for its strong contractual commitments to comply with EU privacy laws no matter where data is located.

All services that we use for time cockpit are covered (“in-scope”) by Azure’s implementation of the EU Model Clauses (read more).

Currently, Microsoft is challenging a U.S. government search warrant seeking access to customer emails in Dublin, Ireland. This case is important as it deals with fundamental problems emerging from conflicting legislation in the U.S. and Europe. Microsoft has set up a website (http://digitalconstitution.com/) you can use to keep up to date regarding this topic. The outcome of this case will be important for European SaaS providers like us using cloud platforms offered by U.S. companies like Microsoft.

Will My Data Be Used for Advertising?

Microsoft is the first major cloud provider to adopt the first international code of practice for cloud privacy. ISO/IEC 27018 was developed to establish a uniform international approach to protecting the privacy of personal data stored in the cloud.

Neither Microsoft nor we share your data with advertiser-supported services. Additionally, your data is not mined for marketing or advertising.

Do You Want to Learn More?

Last week I was invited by Microsoft to do a webinar about data protection and Azure’s European data centers. It was recorded. If you speak German, you can watch the webcast here. Here are the slides (German) I used in the webinar:

Openness Leads to Trust

We believe that trust is the most important factor to enable business in the software as a service (SaaS) market. We want to build trust by being as open as possible about how we store and process your valuable data.

If you have any questions about our use of cloud services, the contracts we have with Microsoft, etc., don’t hesitate to contact us.

We will do our very best to provide all the material you need to decide whether you want to confide in our software and services.
