Microsoft measures for EDPB guidance - enough to save the good ship Cloud?
Today, Microsoft responded directly to the EDPB supplementary measures guidance issued in draft and for consultation the week before last (10th November) with a set of commitments that they say meet or exceed the EDPB expectations - but do they? Let's have a look....
Firstly let us be clear - Microsoft are fast off the mark here and they are pitching their response directly to Public Sector users (who are pretty much all of UK Government these days) and many businesses. They ought to be applauded for such a rapid response of course; but does it also perhaps reflect a very real concern that the EDPB measures have effectively holed Public Hyper-Cloud below the waterline? I wrote a short post the other day to the effect that the EDPB might have just killed SaaS Cloud and a lot of people agreed with me - so maybe Microsoft have come to the same conclusion?
Microsoft call their new approach 'Defending your Data' - sounds snappy, but what does it actually say and commit them to?
Essentially they are making two commitment statements:
Commit to 'challenge every government request for public sector or enterprise customer data – from any government – where there is a lawful basis for doing so'.
Microsoft also say that 'this strong commitment goes beyond the proposed recommendations of the EDPB' and that's potentially factually correct because the EDPB only referred to Personal Data (and this statement seems to go beyond just personal data).
The commitment they make here is related to one of the EDPB recommended additional contractual measures - which they call the 'Obligation to take specific actions':
"The importer could commit to reviewing, under the law of the country of destination, the legality of any order to disclose data, notably whether it remains within the powers granted to the requesting public authority, and to challenge the order if, after a careful assessment, it concludes that there are grounds under the law of the country of destination to do so. When challenging an order, the data importer should seek interim measures to suspend the effects of the order until the court has decided on the merits. The importer would have the obligation not to disclose the personal data requested until required to do so under the applicable procedural rules. The data importer would also commit to providing the minimum amount of information permissible when responding to the order, based on a reasonable interpretation of the order."
The EDPB lay out two key conditions that must exist to enable this clause to have any positive effect:
- The 3rd country must have an effective legal avenue to challenge the order to disclose
- The challenge to the order must suspend the request under the law of the 3rd country (i.e. it halts the release of the data whilst the challenge is being heard)
I'm not sure that the CJEU felt the mechanisms to resist an order through legal channels were in fact effective - so that might be issue number one, and I really don't know if a Microsoft challenge DOES stop the clock on the request - I'd be grateful if someone could confirm this to be the case?
The EDPB do also make clear under this provision that the data importer (in this case that is Microsoft) must be able to document and demonstrate to the exporter the actions they have taken (and let's be under no illusions - if the disclosure order prevents them from telling you about the request then they can't really do this), plus the EDPB are clear that they believe this specific commitment gives 'a very limited protection' and 'will necessarily need to be complementary to other supplementary measures'.
In summary: This first measure is definitely better than nothing, but in reality it has very little positive effect to enable a data exporter to be confident in the commitment (or to rely upon it) to continue to send personal data to Microsoft, so what about the second commitment they make?
"we will provide monetary compensation to these customers’ users if we disclose their data in response to a government request in violation of the EU’s General Data Protection Regulation (GDPR)."
This is a really interesting commitment (and frankly a strange one because it essentially says - if we break EU law we will give you financial compensation). I have some bad news for Microsoft on this front - that's not a novel commitment from you, that's just the law...
If you then read the terms of that commitment in the associated document (here), you'll find that this compensatory largesse is quite heavily caveated, and it really just reflects the legal obligations that Microsoft already have under GDPR.
Therefore when Microsoft say this exceeds the EDPB’s recommendations and shows Microsoft's confidence in their ability to protect data, it does nothing of the sort - all they are doing is re-stating in a positive way that they are liable and you can sue them...
The message they are sending out here is - we are willing to pay you for our NOT being able to protect your data and on that basis we think everything is OK and you should keep sending us your data regardless.
Microsoft then round out their press release with four bullet points covering:
Encryption:
Microsoft say they encrypt customer data both when it is in transit and at rest, and that encryption is a critical point in the draft EDPB recommendations.
Both of these are true - but what they DON'T say is that the way in which most Microsoft products work (and notably M365 services) falls under the EDPB encryption Use Case 6 - which the EDPB make 100% clear will NOT be a suitable supplementary measure.
(NOTE: It's really important to read the source material and not just the headlines MS are publishing here...)
They also say 'We do not provide any government with our encryption keys or any other way to break our encryption'. They may well not do the latter, but they really have no choice about the former - US law (and the laws of some other governments to which they might be subject) brings encryption keys within the scope of a data disclosure order - so this is at best a misleading statement.
Standing up for customer rights:
I have absolutely ZERO doubt that Microsoft will do this - and NO reason to doubt their honesty, BUT when they say "If a government demands customer data from us, it must follow applicable legal process" and "We will only comply with demands when we are clearly compelled to do so" what they are telling you is that actually they may have no choice but to disclose your data, and here they are also being honest - if a 3rd Country legislature covers their activity then they have to abide by that law (and FISA S.702 does cover Microsoft Cloud).
We are transparent:
Microsoft say they've been publishing info about data requests for years. I believe them - you can read about some of them here and here.
But be under no illusions - these are only the requests which they have not been legally barred from disclosing (in fact Microsoft themselves do say that the numbers they report are the ones they are authorised to disclose under permission from the US Government).
When you look at the numbers of reported requests they aren't necessarily huge, but the EDPB have poured cold water on the consideration of likelihood or specific attractiveness of a piece of personal data when it comes to assessing the legal basis on which you transfer it when they state "you should look into other relevant and objective factors, and not rely on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards." - essentially you need to assess if a public authority in a 3rd country CAN access the personal data, not if they actually shall.
Track record of legal success:
Microsoft claim to have more experience of going to court to establish the limits of government surveillance orders than any other company, and that they even took 'one case to the U.S. Supreme Court'.
I don't doubt that for one second - though it IS a claim others might contest - but it's important to read the kicker clause on this Microsoft bullet point: "No commitment to challenge access orders can assure victory, but we feel good about our record of success to date".
The fact that Microsoft feel good about themselves will - I am certain - make everyone else feel good about putting their data into their service (though that might not really be much of a basis for you in a defence against action from your DP Authority...)
The final piece of key comment from Microsoft is this:
"Some of the public discussion about the impact of U.S. government data demands focuses on U.S.-headquartered companies. But it is clear that U.S. laws regarding government access to data apply to companies that do business in the U.S., even if they are headquartered in Europe or elsewhere."
This is a more interesting tack - and whilst it could just be dismissed as Microsoft saying - 'everyone else is just as bad' - that would be both unfair and a little dismissive of an important point they are making, which is this:
Although Microsoft are certainly bound by US laws (as are AWS and a host of other Electronic Communication Service Providers [ECSPs] with HQs in the US), it is also the case that some entities who are NOT HQ'ed in the US but who have licences to offer ECSP services might fall under parts of the US regime.
That is at least partly true - but there is a caveat to apply, since only those services actually operated or offered under that US licence could fall under such an obligation.
So for example OVHCloud (a major French-based Cloud provider with about 30 data centres globally, some of which are in the US) might well be hit with an order for data inside their US data centres or services; this would not apply to their services elsewhere. To such a request or order they could (and I suspect would) just shrug and say 'Désolé, mais NON!' and the discussion would be closed.
So what about the other EDPB Supplementary Measures?
The EDPB provided quite a lot of guidance crammed into their 38 pages of supplementary measures, and it's worth pointing out that (thus far at least) Microsoft have said naught about most of those.
Technical Measures:
Use Case 1 is the use of a 'hosting service provider' - we can say 'cloud' here and it means basically the same - to store personal data that is encrypted BEFORE upload and only decrypted AFTER it's downloaded, using a key held outside of the 3rd Country.
Microsoft haven't discussed that - mainly because it's really something DropBox could crow about, but not M365 perhaps...
Use Case 2, Pseudonymised data - yet again Microsoft might well be able to give you a service there, but if you've already pseudonymised the data then there's little left for them to do (and it's possible that a lot of their cleverer services won't really deliver THAT much value on such data - so it's understandable that they don't go into it in any detail).
Use Case 3 - is all about encryption of data in transit. Here Microsoft DO say they encrypt in transit (and they do, as do most IT companies today), but the EDPB appears unimpressed with just IPSEC or TLS and is expecting MORE crypto than most services already provide. Could Microsoft engage with this and uplift their services when data is transiting the world? Quite likely, but because of 'Anti-Use Case' 6, there isn't really a lot of point in them doing so just yet perhaps?
Use Case 4 - 'Protected Recipient' really doesn't apply to anything they (or most other Cloud providers) do, and they definitely are not a protected recipient, so let's pass on...
Use Case 5 - Split or Multi-Part Processing: I reckon that the clever folks at Microsoft MIGHT be able to do something here, but it's really, really complex and is getting well beyond the realms of a low price and commodity service, so we will need to wait and see if the market drives things that way.
'Anti' Use Case 6 - Use of Encryption but processing data in the clear (like M365). Well Microsoft did try to kind of allude to their use of encryption in a positive way but to be frank the EDPB have terminated any hope a CSP might have had that 'encrypting at rest' or 'encrypting in transit' would sufficiently compensate for 'not encrypting anywhere else'.
'Anti' Use Case 7 - Remote access to data for a business purpose. Now this is a tricky one (and not just for Microsoft, because a LOT of companies do remote admin or support from a 3rd Country). Here the EDPB gives you zero hope for a technical solution:
"EDPB is incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights."
Use Case 7 should be giving a lot of IT people the world over quite a lot to be thinking about, and if they aren't they really don't understand its implications.
Summing up the Technical Measures:
The EDPB can't really make their position any plainer (or to have fired a bigger torpedo into the side of the CSP's and many other ICT providers) -
"In the given scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys."
If this does not tell you that crypto won't work for most of the things you do in cloud today, when those services include any processing in, from, or by a CSP HQ'ed in a 3rd country without a suitable and EU-acceptable regime, then you've clearly never even heard of Schrems II, nor understood why it's a problem.
Non-Technical (contractual commitments)
The EDPB identifies a few non-technical measures (which is just as well because there are not many technical ones that work with existing 3rd Country or Cloud services), and Microsoft have covered just ONE of them in their new commitment (the 'Obligation to take specific actions'). The 'take specific action' EDPB measures also extend beyond what Microsoft have committed to do by obliging the importer (Microsoft in this case) to inform the requester of the incompatibility of their request with EU law, and to simultaneously advise the data exporter (normally the Controller) of the request. They'll do the former but not - I suspect - the latter.
Microsoft do of course talk about 'transparency' as well in their press release (which is one of the EDPB obligations too), but the MS version of transparency doesn't marry up at all really with the EDPB consideration of what they expect to see.
Under their 'Transparency Obligation' the EDPB are looking for the following:
- "The exporter could add annexes to the contract with information that the importer would provide, based on its best efforts, on the access to data by public authorities, including in the field of intelligence provided the legislation complies with the EDPB European Essential Guarantees, in the destination country. This might help the data exporter to meet its obligation to document its assessment of the level of protection in the third country."
- "The exporter could also add clauses whereby the importer certifies that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (3) that national law or government policy does not require the importer to create or maintain back doors or to facilitate access to personal data or systems or for the importer to be in possession or to hand over the encryption key."
- "The exporter could reinforce its power to conduct audits or inspections of the data processing facilities of the importer, on-site and/or remotely, to verify if data was disclosed to public authorities and under which conditions (access not beyond what is necessary and proportionate in a democratic society), for instance by providing for a short notice and mechanisms ensuring the rapid intervention of inspection bodies and reinforcing the autonomy of the exporter in selecting the inspection bodies."
- "Where the law and practice of the third country of the importer was initially assessed and deemed to provide an essentially equivalent level of protection as provided in the EU for data transferred by the exporter, the exporter could still strengthen the obligation of the data importer to inform promptly the data exporter of its inability to comply with the contractual commitments and as a result with the required standard of “essentially equivalent level of data protection” and;"
- "Insofar as allowed by national law in the third country, the contract could reinforce the transparency obligations of the importer by providing for a “Warrant Canary” method, whereby the importer commits to regularly publish (e.g. at least every 24 hours) a cryptographically signed message informing the exporter that as of a certain date and time it has received no order to disclose personal data or the like. The absence of an update of this notification will indicate to the exporter that the importer may have received an order."
Sadly Microsoft are doing none of the above.
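The 'Warrant Canary' method quoted above, worked through as an added example (not Microsoft's code, and not anything published by the EDPB): the importer signs a dated statement with an Ed25519 key, and the exporter accepts it only if the signature verifies under the importer's known public key AND the statement is no older than the agreed 24-hour interval, so a missing or stale update is what signals that an order may have arrived. The statement text, the 24-hour limit, the five-minute clock-skew allowance and the key handling are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// CanaryStatement is a constructed example text, not Microsoft's or the EDPB's wording.
const CanaryStatement = "As of the date below, the importer has received no order to disclose personal data."

// Canary is what the importer publishes: the statement plus its "as of" time.
type Canary struct {
	Statement string
	AsOf      time.Time
}

// Message renders the exact bytes that get signed. The timestamp is inside the
// signed text, so yesterday's signature cannot be replayed under a new date.
func (c Canary) Message() []byte {
	return []byte(c.Statement + "\nas-of: " + c.AsOf.UTC().Format(time.RFC3339))
}

// Sign is the importer's side: sign the canary with its long-term Ed25519 key.
func Sign(priv ed25519.PrivateKey, c Canary) string {
	return hex.EncodeToString(ed25519.Sign(priv, c.Message()))
}

// Verify is the exporter's side. The canary counts only if the signature is
// valid under the importer's known public key AND it was issued within maxAge
// of now; a stale or altered canary is the signal that an order may exist.
func Verify(pub ed25519.PublicKey, c Canary, sigHex string, now time.Time, maxAge time.Duration) error {
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return fmt.Errorf("signature is not valid hex: %w", err)
	}
	if !ed25519.Verify(pub, c.Message(), sig) {
		return fmt.Errorf("signature does not verify: text or date altered, or wrong key")
	}
	if c.AsOf.After(now.Add(5 * time.Minute)) {
		return fmt.Errorf("canary is dated in the future")
	}
	if age := now.Sub(c.AsOf); age > maxAge {
		return fmt.Errorf("canary is stale: %s old, limit %s", age, maxAge)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	issued := time.Date(2020, 11, 20, 9, 0, 0, 0, time.UTC)
	c := Canary{Statement: CanaryStatement, AsOf: issued}
	sig := Sign(priv, c)
	fmt.Println("2h later :", Verify(pub, c, sig, issued.Add(2*time.Hour), 24*time.Hour))
	fmt.Println("48h later:", Verify(pub, c, sig, issued.Add(48*time.Hour), 24*time.Hour))
}
```

In practice the exporter's monitoring job would fetch the latest published canary on a schedule and alert when Verify returns any error, since silence is the only signal a gagged importer can give.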
Finally, the EDPB have listed a host of other obligations which thus far Microsoft haven't called out that they are meeting, or that they have any intention or plan to meet:
- Empowering data subjects to exercise their rights
- Organisational Measures
- Internal Policies for Governance of Transfers
- Transparency and Accountability Measures
- Data Minimisation Measures
Some of these must be led by the Controllers seeking to perform an export to Microsoft in the first place, and as such these commitments might not be for Microsoft to lead per se; but since Microsoft do not generally allow a service consumer to write specific clauses into the Terms of Service, they should at least lay out the circumstances where they MIGHT be able to support these.
Summing Up
Under the approach oft presented as a politician's credo: "We must do something, THIS is something, so we must do THIS", Microsoft have published a paper that a lot of folks will be glad to see - but in practice it's not going to help you one jot in establishing the compliance or otherwise of their services; nor does it insulate you from the fallout of Schrems II if you continue to use their services.
That is not really all Microsoft's fault - at least not beyond the fact that they have adopted a structure and delivery model that is US based and Global in reach rather than one that is contained within EEA and GDPR friendly regimes. They might also have suggested in the past that it is YOUR responsibility as a controller to assess their services and not THEIRS as a processor to comply - but I think that position is softening and changing.
Microsoft (along with AWS and GCP) were represented at this week's Gaia-X conferences and it seems likely that they will want to play a role in that new EU centric Cloud landscape (and why wouldn't they - the EU is a huge market and all of them already have a US version of their services just built for the US Government that they could readily replicate in EU if that's the cost of doing business).
For EU based companies and organisations this might be positive news, but for the UK it might be less favourable. Time will tell, but for now these Microsoft changes really aren't the commitments you should be looking for, and they don't really reflect a serious attempt at change - they're just a plank and some shoring up on the hull of an increasingly leaking ship.
CEO at Cleura
4 years ago: Great reading. Thanks for sharing!
Explaining UK Data Protection Act 2018 obligations (& implications) to Law Enforcement Competent Authorities & partners
4 years ago: 21/11 - Sorry, the typos were really annoying me, so I think I have now fixed them all - no changes to content or additions/deletions, etc., just fixed the typos and grammatical issues inherent in my normal 'post in haste, correct at leisure' approach (I shall try to do better next time and rely less on autocorrect).
DPO and Privacy & Data Protection Nerd | FIP, CIPPC/E, CIPM, CISSP
4 years ago: Excellent analysis - thank you!
Protecting your digital assets
4 years ago: Good stuff Owen.