Microsoft Azure – Privacy and Control
We buy and use things that we trust, don’t we? Microsoft knows that and regarding Microsoft Azure speaks very frequently about Trustworthy Foundation. So what is it? It consists of the three following principles:
- Privacy by design. Those are regulations defining how do build and manage products and services to be able to keep users privacy. It describes standards and procedures contained in so-called Microsoft Online Services Privacy Statement https://www.microsoft.com/en-us/privacystatement/OnlineServices/Default.aspx?Search=true .
- Microsoft Privacy Standard. It gives insight into how to develop products and services with users’ privacy in mind so that developers and customers can better understand it, ref. https://www.microsoft.com/en-us/twc/privacy/practices.aspx .
- Data segregation. Describes how to manage and segregate critical private data.
Microsoft is also the very first public cloud provider that has adopted the first international code of practice for governing the processing of personal information by cloud service providers. It is called ISO/IEC 27018, ref. https://www.microsoft.com/en-us/TrustCenter/Compliance/ISO-IEC-27018 , which:
- Prohibits use of customer data for advertising and marketing purposes without customer’s express consent
- Prevents use of customer data for purposes unrelated to providing the cloud service.
Microsoft not only did adopt ISO/IEC 27018 but also as a first cloud provider that:
- Offered customers E.U. Standard Contractual Clauses that provide specific contractual guarantees around transfers of personal data for in-scope services.
- Abided by US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Program. Safe Harbor has been around for about 15 years, but now is being replaced by EU-U.S Privacy Shield Framework ref. https://privacy.microsoft.com/en-us/microsoft-eu-us-privacy-shield .
One of the most important things about privacy, particularly in Europe, is personal data protection, data transfer and how to comply with law. It is well described in EU Data Protection Directive 95/46/EC. But what is this Directive about?
“This directive sets the baseline for handling personal data in the EU. It provides the regulatory framework under which Microsoft transfers personal data out of the EU. Under this directive and our contractual agreements, Microsoft acts as the data processor of customer data. The customer acts as the data controller, with final ownership and responsibility for ensuring that the data can be legally provided to Microsoft for processing outside of the EEA.”
Ok, ok, but what does it mean? It means that as far as personal data is concerned, a transfer from EEA country of personal data to EEA countries (European Economic Area Countries) will be treated as transfer inside that country. The Directive assumes that both: all that countries and cloud provider provide the same level of security, protection and privacy. EEA consists of EU countries + Norway, Lichtenstein, Iceland. However, if you want to transfer personal data outside of EEA Countries, there are EU Model Clauses that could help you with that ref. https://www.microsoft.com/en-us/TrustCenter/Compliance/EU-Model-Clauses# .
All above comes to the statement Microsoft is trying to advertise that “You own and control your data”. As can be read on https://azure.microsoft.com/en-us/support/trust-center/ site Microsoft truly wants you to understand that your data belongs to you, you have the full control of where your data resides and that no one will get access to them without your prior permission:
“You own your own data. With Azure, you have ownership of customer data—that is, all data, including text, sound, video, or image files and software, which are provided to Microsoft by you, or on your behalf, through the use of Azure. You can access your customer data at any time and for any reason without assistance from Microsoft. We will not use customer data or derive information from it for advertising or data mining.
You are in control of your data. Because the customer data you host on Azure belongs to you, you have control over where it is stored and how it is securely accessed and deleted.
How we respond to government and law enforcement requests to access data. When a government wants customer data—including for national security purposes—it must follow the applicable legal process, serving us with a court order for content or a subpoena for account information. If compelled to disclose customer data, Microsoft will promptly notify you and provide a copy of the demand, unless legally prohibited from doing so. We do not provide any government with direct or unfettered access to customer data except as you direct or where required by law.”
If you are interested to read more how Microsoft provides privacy and control over its public cloud data, please visit ref. https://www.microsoft.com/en-us/TrustCenter/Privacy/default.aspx