When it comes to cloud computing and services, privacy is at the front of every company’s mind. When the United States began to demand access to cloud-based data from Microsoft’s Ireland data center, customers recognized that their information might not be safe from privacy violations even if their information is not resident in the US. Many industry players, including Microsoft, have started to fight these demands. No matter what they decide to do, the EU or the US governments will not be happy.
Microsoft truly believes their customers own their own data, not the cloud providers who they store it with. Microsoft claims to be the first major cloud provider to adopt the ISO/IEC 27018. This is the first global standard for cloud privacy, and many of Microsoft’s programs have been evaluated for compliance by the British Standards Institute.
The ISO/IEC 27018 establishes commonly accepted control objectives and guidelines for implementing measures to protect identifying persona information in accordance with the 29100 policy. Microsoft’s general counsel Brad Smith said that they are optimistic that this policy can serve as a template for regulators and customers as they both desire strong privacy protection. Adherence to this policy will ensure that customer’s privacy will be protected in many ways.
First, customers will be in charge of their data, and Microsoft will only process personally identifiable information based on what the customer wants. Second, customers will always know what is happening to their data, all returns, transfers, and deletion of data will be transparent. Third, there will be restrictions on how Microsoft handles personal data, including restricting its transmissions over public networks, storage on transportable media and processes for data recovery. Fourth, the data will not be used for advertising purposes. Lastly, Microsoft will inform their customers about government access to data. The standard requires law enforcement requests for data must be disclosed to the customers.
Adherence to this standard is an important move to reassure its enterprise customers that their information is safe. However, the execution of these promises is worth more than making the promises. There are still lingering concerns and fears about data privacy and security around shifting to the cloud, so Microsoft’s announcement is a step in the right direction.