Microsoft Seeks To Dispel Cloud Mistrust In Europe With German Trustee Model

Microsoft has moved to dispel European mistrust of U.S.-operated cloud services by announcing a plan to offer cloud services, including Azure, Office 365 and Dynamics CRM Online, from data centers in Germany that are also operated by a third-party company — in a so-called trustee model.

Commenting on the launch in a statement, CEO Satya Nadella said the trustee model will offer customers in Germany and Europe “choice and trust in how their data is handled and where it is stored”.

The forthcoming Microsoft Cloud in Germany will be offered to customers of its cloud services as another option for local data storage, with Microsoft name-checking target sectors with particular concerns for the security of data, such as finance, health and the public sector. It also noted a 2015 BITKOM study which found a large majority (83 per cent) of German enterprises expect a cloud provider to operate local data centers in Germany.

The underlying context here is ongoing European concern over U.S. government mass surveillance practices and the impact those intelligence dragnets are having on the perception of data security in the commercial cloud. Also relevant: ongoing legal uncertainty following the landmark decision by Europe’s top court to invalidate the fifteen-year-old Safe Harbor transatlantic data transfer agreement between the U.S. and the EU last month — itself triggered in large part by the 2013 revelations of NSA whistleblower Edward Snowden.

Microsoft said its ‘cloud in Germany’ will launch in the second half of 2016, and will be operated under German law by T-Systems, a subsidiary of telco Deutsche Telekom. The two data centers will be based in Magdeburg and Frankfurt am Main, with Microsoft stressing this “data trustee” model means it will not have any access to customer data without the consent of the trustee, and that it cannot therefore be compelled — “even by a third party” — to hand over customer data.

The move comes in addition to recent regional European data center expansions by Microsoft, with the company this week announcing it will be opening local data centers in the U.K. in late 2016 (Amazon also announced its first AWS U.K. data center earlier this month) — and noting the completion of recent data center expansions in Ireland and the Netherlands. Microsoft said today it now has more than 100 data centers in 24 regions serving more than 140 countries, offering a mix of public, partner, private and hybrid cloud computing services.

However, local data centers that are still operated by Microsoft currently offer little protection against U.S. intelligence agency demands for data — hence the additional option of a trustee model, relying on pro-privacy German law, in a bid to reassure European customers their data will not be sucked up by intelligence agency dragnets.

Despite Microsoft’s claims that customer data in its German trustee-run data center will be subject to German, rather than U.S., law, Forrester cloud computing analyst Paul Miller notes this is still an untested assumption, legally speaking.

“Microsoft’s lawyers and T-Systems’ lawyers argue that the German Data Trustee model, which is at the heart of this week’s deal and is governed by German law, will be effective in shielding data from U.S. demands. But, to be sure, we must wait for the first legal challenge. And the appeal. And the counter-appeal,” he said in a statement.

Miller added that “a far more harmonized set of laws” is needed at both the European and global level to create certainty for businesses around data security, although he said the latter remains “a long way” off.

Updated EU data protection legislation is still being negotiated, with European politicians hoping to have an agreement on a new General Data Protection Regulation by the end of this year.