According to correspondence released by the Scottish Police Authority (SPA) under freedom of information (FOI) rules, Microsoft is unable to guarantee that data uploaded to a key Police Scotland IT system – the Digital Evidence Sharing Capability (DESC) – will remain in the UK as required by law.
While the correspondence has not been released in full, the disclosure reveals that data hosted in Microsoft’s hyperscale public cloud infrastructure is regularly transferred and processed overseas; that the data processing agreement in place for the DESC did not cover UK-specific data protection requirements; and that while the company has the ability to make technical changes to ensure data protection compliance, it is only making these changes for DESC partners and not other policing bodies because “no one else had asked”.
The correspondence also contains acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture. As a result, the issues identified with the Scottish Police will equally apply to all UK government users, many of whom face similar regulatory limitations on the offshoring of data.
[…]
Nicky Stewart, a former ICT chief at the UK government’s Cabinet Office, said most people with knowledge of how hyperscale public cloud works have known about these data sovereignty issues for years.
“It’s clearly going to be a concern to any police force that’s using Microsoft, but it’s wider than that,” she said, adding that while Part 3 of the Data Protection Act (DPA) 2018 clearly stipulates that law enforcement data needs to be kept in the UK, other kinds of public sector data must also be kept sovereign under the new G-Cloud 14 framework, which has introduced a UK-only data hosting requirement.
[…]
Microsoft’s commitment to not access customer data without permission is further complicated by the terms of service, which make that promise strictly conditional by giving the company the ability to access data without permission if they either have to fulfil a legal burden, such as responding to government requests for data, or to maintain the service.
[…]
He added that given Microsoft’s disclosures to the SPA, “it must now be obvious that M365 and Azure Cloud services do not meet the two key requirements” to be a legal processor or sub-processor of law enforcement data under the DPA 18.
“These are: one, to conduct all processing and support activities 100% from inside the UK; and two, to only make an international transfer if they are specifically instructed to make the particular transfer by the controller,” he said.
“Microsoft have confirmed that they do not and cannot commit to requirement one for their M365 services, or indeed for most of the services they operate and support in Azure. They have also said that they cannot ‘operationalise’ individual requests as required of them under section 59(7) of the act, thus failing to meet requirement two.
“There can be no clearer evidence than Microsoft’s own clarifications that they cannot meet the legal requirements for a processor or sub-processor of law enforcement data.”
Stewart said: “If it’s not possible to understand the simple question, ‘do you know where your data is all the time?’, then you probably shouldn’t be putting your data in that platform.”
[…]
Source: Microsoft admits no guarantee of sovereignty for UK policing data | Computer Weekly
With the EU and also some EU domain name registrars (looking at you, SIDN) working with these crazy cloud providers, it should have been blindingly obvious that putting data in a US cloud provider would open it up to US spying and a complete lack of data ownership. However, idiots will be idiots.
Robin Edgar