Microsoft: Look at our cloudy privacy award. Isn't it so ... meaningful?

Microsoft is in self-licking lollipop mode after its cloudy wares passed the privacy water mark set by the International Organisation for Standardisation, letting it paper over customers’ concerns.

Data sovereignty is a major hurdle for global companies trying to sign up customers to the fluffy white stuff, particularly in Europe where the scale of the NSA snooping programme upset the apple cart.

Brad Smith, Microsoft general counsel and exec veep for legal and corporate affairs, said it was the first to adopt the global standard for cloud privacy, memorably named ISO/IEC 27018.

The standard was published last year, considering EU data protection laws and opinions from its data protection body, the Article 29 Working Party.

At the same time, the British Standards Institute has verified that Office 365 and Dynamics CRM Online, as well as Azure, have met the code of practice for the protection of Personally Identifiable Information (PII) in the public cloud.

Meeting these standards means enterprise punters are in “control of their data” trilled Smith, and ensures “transparency about our policies regarding the return, transfer and selection of personal information you store in our data centres”.

“We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with,” he said.

Oh, and Microsoft promises to let customers know if there is a breach. This is comforting to know that they’ll let you know… but only if something bad happens.

“If there is unauthorised access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, we’ll let you know about this,” Smith added.

The standard defines restrictions on the way data is handled, including its transmission over public networks, storage on transportable media and processes for data recovery and restoration.

Smith at Microsoft saved the most important reason for last: the standard “requires that law enforcement requests for full disclosure of personal or company info must be disclosed to the customer, unless this is prohibited by law".

This is all well and good but it's the cloudy equivalent of knowing a burglar is swiping your possessions and being powerless to stop him.

Frank Jennings, partner at Wallace LLP, said Microsoft’s adoption of ISO 27018 is a “welcome step in an industry where the cloud is often dominated by uncertainty over data security and sovereignty.”

He said it was a “timely development” in Microsoft’s ongoing attempts to resist handing over customer info from its Dublin data centres to the US government – a legal battle that continues.

Yet Jennings added the standard allows Microsoft to “be able to say it is compliant with an international standard for the protection of personal data while possible having to comply with a ruling by the NY District Court forcing it to hand over personal data”.

Microsoft has yet to comply with the order from the District Court, which ruled in the US government’s favour last year. Microsoft has a list of other firms including Amazon, HP and Apple that agree with its position.

Compliance with the standard is a “good PR move by Microsoft and might offer a degree of comfort for some clients”, said Bill Mew, chief marketing officer at Compare The Cloud, a site which, er, compares vendors’ services.

“But it’s simply an agreement by them to work to a set of business standards that you’d hope they and most other players would be working to anyway,” Mew pointed out. “They are just being explicit about their practices with this move. It doesn’t alter their position with regard to any legal responsibility.”

Resolution on Microsoft's legal spat with the US government is expected this year. The fate of humanity – well, US cloud vendors' business outside of the US – hangs on this. ®