Following the disclosures by Edward Snowden on the extent of privacy invasion by government intelligence agencies, the outlook for American IT vendors has been rather…well, cloudy.

Therein lies the problem–the extent to which it is possible to secure data stored in the cloud against government inspection remains an open question. This situation has been further complicated in the “Microsoft Ireland” case, in which the US Government is attempting to compel Microsoft to produce private emails stored in an Irish data center.

Last month, the European Court of Justice ruled that the EU-US “Safe Harbor” decision for the protection of personal data was invalid–in part, on the basis of the activities of US government intelligence agencies–making businesses that use US servers to process or store the information of customers in the European Union in violation of EU privacy protection laws.

Deutsche Telekom as Data Trustee

As part of a rollout of new physical data center locations for Microsoft’s cloud services, the company announced on November 11 that two new locations in Germany–Magdeburg and Frankfurt am Main–will be under the control of T-Systems, a subsidiary of Deutsche Telekom. This data center is responsible for providing Azure, Office 365, and Dynamics CRM services, among other Microsoft offerings, and storing user data for those services. These data centers are expected to come online in the second half of 2016.

This announcement creates a certain cognitive dissonance about cloud delivery–moving from on-premises services to the cloud is one thing, having that cloud provider outsource the data center operations to a third party is quite another. Naturally, Microsoft states that these data centers will operate with the “same security, service and quality standards as all Microsoft data centers.” In effect, it’s a third party of a third party–a new, higher level of abstraction that only a programmer could appreciate.

But, this level of abstraction is a clever legal tactic. According to the press release, “Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision.” In effect, the conceit of this strategy theoretically removes Microsoft as the (by US law) “owner” of the data, shielding them from subpoenas which require the company to provide customer data to US intelligence agencies–in violation of EU law–as in the case currently being litigated about email data in Ireland.

JotForm provides German servers for EU users

JotForm, a provider of embeddable remotely-hosted web forms, announced in late October that the company now supports restricting the data of EU customers to new servers located in Germany. The newly-deployed servers are operated by Hetzner in Nuremberg, and by Amazon at the AWS Frankfurt center. Data for all new accounts for EU customers will be automatically hosted in Germany, with existing account holders able to request immediate migration. Gradually, all preexisting accounts for EU customers will be moved to the European facilities. This change brings it into compliance with EU law, following the ruling which invalidated the previous Safe Harbor decision.

JotForm is no stranger to interference from the US government–in 2012, the US Secret Service seized the company’s domain name seemingly without a court order, interrupting service for 700,000 users. Despite cooperation from the CEO, and a willingness to disable any user-generated form and provide account information for offending users, the Secret Service agent provided as the primary point of contact indicated it would take a few days to merely review the case.

Regarding the introduction of German servers, JotForm CEO Aytekin Tank said:

When a new technology becomes mainstream, new problems also arise. The technology makes life easier but the problems need to be addressed. Internet has made life easier, but we also need to make sure that personal privacy is protected both from people with bad intentions and from governments. It is going to be really difficult and costly for all companies to store data in Europe. So, it is not an ideal solution. The ideal solution is for all countries to agree on some basic privacy rights for the Internet, so there will be no need keep the data in specific geographic locations.

What’s your view?

Do you have concerns about securing data in the cloud? Do you work in an industry, such as healthcare, that has additional requirements for data security? Are you currently developing a strategy for EU privacy compliance, in the wake of the end of Safe Harbor? Share your thoughts in the comments.