Why Microsoft customers don’t need to worry about EU-US Safe Harbour/Harbor

This content is 8 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

When European Courts judged the 15-year-old EU-US Safe Harbour/Harbor treaty to be invalid last October, Internet news sites started to report how terrible this was for EU companies placing data into cloud services offered (mostly) by American companies. For some, that may be true, but that assumes Safe Harbour is the only protection in place.

This week, IT news sites are at it again. The Register (the tabloid newspaper of IT news sites) has an article titled “Safe Harbor 2.0: US-Europe talks on privacy go down to the wire” but the actual URI reveals a much more dramatic title of “Safe Harbor countdown to Armageddon”. Sensationalist at best, some might even say irresponsible.

I’m no lawyer but, for my customers, who are implementing Microsoft cloud services, there seems to be nothing to worry about and I’ll explain why in this blog post. Of course, Microsoft is just one of many cloud services providers – and for others there may be valid concerns.

The United States Export.Gov website currently displays the following text regarding Safe Harbor:

“On October 6, 2015, the European Court of Justice issued a judgment declaring as ‘invalid’ the European Commission’s Decision 2000/520/EC of 26 July 2000 ‘on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.’

In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.”

EU Model Clauses trump Safe Harbour

Microsoft President and Chief Legal Officer, Brad Smith, issued a statement on 6 October 2015. Quoting from that article:

“For Microsoft’s enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place. This includes additional and stringent privacy protections and Microsoft’s compliance with the EU Model Clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the Safe Harbor. Both the ruling and comments by the European Commission recognized these types of steps earlier today.

Microsoft’s cloud services including Azure Core Services, Office 365, Dynamics CRM Online and Microsoft Intune all comply with the EU Model Clauses and hence are covered in this way.”

There’s also a follow-on post which talks in general terms about the wider issues and privacy beliefs but the key point is that Microsoft offers EU Model Clauses within its contracts, which go beyond Safe Harbour. Microsoft also has an FAQ on the EU Model Clauses that is worth a read.

Quoting again from the 6 October 2015 statement:

“We wanted to make sure all of our enterprise cloud customers receive this benefit so, beginning last year, we included compliance with the EU Model Clauses as a standard part of the contracts for our major enterprise cloud services with every customer. Microsoft cloud customers don’t need to do anything else to be covered in this way.”

That suggests to me that customers who have signed up to Azure Core Services, Office 365, Dynamics CRM Online or Intune since early 2014 already have greater privacy protection than was afforded by Safe Harbour – and that protection meets the EU’s current requirements. In short, Microsoft customers don’t need to worry about Safe Harbor (sic).

Will commoditisation drive us all to the public cloud (eventually)?

This content is 13 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Tomorrow night, it’s CloudCamp London, which has prompted me to write a post based on one of the presentations from the last event in March. I already wrote up Joe Baguley’s talk on why the consumerisation of IT is nothing to do with iPads but I also wanted to mention the introduction to CloudCamp given by Simon Wardley (from the CSC Leading Edge Forum).

As it happens, Simon already wrote a blog post that looks at the topic he covered (private vs. enterprise clouds) and his CloudCamp slides are below:

  • The basic principle is that, eventually, services trend towards utility services/commodities. There are some barriers to overcome along the way but commoditisation will always come.
  • One interesting phenomenon to note is the Jevons Paradox, whereby, as technology progresses and efficiency of resource usage rises, so does the rate of consumption. So, that kills off the theory that the move to cloud will decrease IT budgets!
  • For cloud purists, only a public cloud is really “cloud computing” but Simon talked about a continuum from legacy datacentres to “the cloud”. Hybrid clouds have a place in mitigating transitional risk.
  • Our legacy architectures leave us with a (legacy) problem. First came N+1 resilience but then we got better hardware; then we scaled out and designed for failure (e.g. API calls to rebuild virtual machines) using software and “good enough” components.
  • Using cloud architectures and resilient virtual machines we invented “the enterprise cloud”, sitting somewhere between a traditional datacentre and the public cloud.
  • But we need to achieve greater efficiencies – to do more, faster (even if the overall budget doesn’t increase due to the Jevons Paradox). To drive down the costs of providing each virtual machine (i.e. each unit of scale) we trade disruption and risk against operational efficiency. That drives us towards the public cloud.
  • In summary, Simon suggests that public utility markets are the future, with hybrid environments as a transition strategy. Enterprise clouds should be expected to trend towards niche roles (e.g. to deliver demanding service level agreements or to meet specific security requirements) whilst increasing portability between clouds makes competing public cloud offerings more attractive.