Top privacy questions a customer should ask their cloud provider

Microsoft Office 365 provides essential privacy features to all Office 365 customers. The purpose of this section is to describe these privacy features and how they meet the high standards of privacy set by EU authorities. On July 1, 2012, the EU’s Article 29 Working Party (WP29)—a group made up of the European Union’s national data protection authorities—adopted Opinion 05/2012 on Cloud Computing. The Opinion on Cloud Computing highlights the benefits of cloud computing, including enhanced efficiency and greater security. In the Opinion, the WP29 emphasizes the importance of choosing a cloud service provider that is transparent about its data protection practices and that respects the privacy of customer data.

The WP29 Opinion provides essential guidance for current and would-be cloud users. It also raises a number of questions that cloud customers, in their role as data controllers, should consider when selecting a cloud provider. The key privacy questions and the Office 365 responses are described here.

WP29 Opinion reference: In Section 4.1 (the first bullet under the heading “Compliance with fundamental data protection principles”), the WP29 states that “cloud providers should inform cloud clients about all (data protection) relevant aspects of their services…in particular, clients should be informed about all subcontractors contributing to the provision of the respective cloud service and all locations in which data may be stored or processed by the cloud provider and/or its subcontractors.” Section 3.4.1.1 (Transparency) further underscores the importance of transparency in the cloud provider-cloud customer relationship.

Office 365: Microsoft makes information about its privacy and security practices readily available in the Office 365 Trust Center. The Office 365 Trust Center contains information about where data is stored, who can access it and under what circumstances, and what subcontractors are involved in the processing of data.
WP29 Opinion reference: Section 3.4.1.2 (Purpose specification and limitation). The WP29 makes clear that “personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes” and that cloud customers are responsible to “ensure[] that personal data are not (illegally) processed for further purposes by the cloud provider.”

Office 365: Microsoft enterprise cloud services use customer data only to provide the services. This may include troubleshooting aimed at preventing, detecting, and repairing problems affecting the operation of the services and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam). Office 365 does not build advertising products out of customer data. We don’t scan your email or documents for building analytics, data mining, advertising, or otherwise improving the service.

Microsoft will not disclose customer data to a third party (including law enforcement, other government entity, or civil litigant, excluding our subcontractors) except as requested by our customer or unless required by law.
WP29 Opinion reference: Section 3.4.1.2 (Purpose specification and limitation) and Section 3.3.1 (Cloud client and cloud provider).

Office 365: Microsoft enterprise cloud servers are physically and/or logically separate from the servers for its consumer online services. Enterprise customer data, data in Microsoft consumer online services, and data created by or resulting from Microsoft scanning, indexing, or data-mining activities, are not commingled unless approved by the customer in advance.
WP29 Opinion reference: Section 3.4.1.2 (Purpose specification and limitation) and Section 3.3.1 (Cloud client and cloud provider).

Office 365: Microsoft does not scan emails or documents for advertising purposes. Microsoft enterprise services maintain, scan, and index customer data in order to provide rich features that allow customers to access and organize customer data. For example, end users can easily search for their documents and other content in Office 365.
WP29 Opinion reference: Section 3.4.3 (Technical and organizational measures of data protection and data security).

Office 365: The Office 365 commercial service is logically separate from consumer online services. Enterprise customer data and data in Microsoft consumer online services are not commingled unless approved by the customer in advance.
The WP29 concludes that traditional mechanisms for transferring data out of the European Economic Area have “limitations” when applied to the cloud. The WP29 singles out the Safe Harbor guidelines, advising cloud customers that “the sole commitment of the data importer to the Safe Harbor guidelines may not be deemed enough” for data transfers to U.S.-based providers. The WP29 also reminds cloud customers of the need to ensure compliance with any national law obligations that may apply.

Office 365 provides a comprehensive data protection agreement (DPA) and offers the EU Model Clauses in addition to self-certification under the U.S.-EU Safe Harbor framework. While the EU Model Clauses are specifically built for EU customers, the DPA is an aggregation of the best privacy practices of different countries and is offered to all customers regardless of geography or size. The processes that Office 365 has built to comply with the EU Model Clauses are not restricted to EU customers but are available to all customers.