In a landmark decision last week, a United States Federal Judge upheld a magistrate’s ruling that requires Microsoft to provide emails and other data stored on servers located in Ireland to US federal prosecutors.
The decision calls into question how safe is your data when it is based on Cloud providers that are owned by US companies, even if their Cloud infrastructure is based within Australia. Many of the larger US owned Cloud providers have made a push to stand up local based deployments and infrastructure locally seeking to address the issue of data sovereignty, however based on this ruling the issue still appears to exist.
It is also important to note that the data was not requested under the Patriot Act, but under a long standing Electronic Communications Privacy Act, and the request originated from US federal prosecutors.
When combined with the updated Australian Privacy Principles (APP) released earlier this year (specifically Australian Privacy Principle 8 – cross-border disclosure of personal information), it appears that the best way to secure your data and comply with Australian regulations in the Cloud would be to use an Australian owned provider with Australian based data centres operating the services.
Microsoft is set to appeal the decision and given the ramifications of this ruling, they are receiving support from other US based companies such as Apple, AT&T and Verizon.