The move was announced on 22 January by Microsoft's top lawyer and chief compliance officer, Brad Smith, who told the Financial Times:
“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.”
A Microsoft spokesperson confirmed to SCMagazineUK.com that the company is committed to providing “regional storage within existing Microsoft data centres in the customer's region for business and government customers”.
The reform does not, however, apply to individuals, only to corporates, and they can choose only the region where their data is held, not the country. For example, UK businesses could opt to have their data stored in Microsoft's Irish data centre.
The change comes shortly after a survey showed that 21 percent of UK small businesses were moving their hosted information out of the US because of security concerns.
It puts Microsoft at odds with other US tech companies who do not offer location choice, although industry watcher Bob Tarzey, director of research firm Quocirca, said that the change means Microsoft is simply mirroring what's already offered by major online data hosting providers like Amazon Web Services.
“I think Microsoft might have done this anyway,” he told SCMagazineUK.com. “Amazon has data centres hosting those services in the European Union. So from the point of view of British organisations that is the concern really.
“There might be organisations sitting there thinking we're not going to store data in America because we're worried that the American security services are going to come after it – but one of the main reasons they won't be storing the most sensitive data over there is either because they're not allowed to for compliance reasons, or secondly because you want to keep your Intellectual Property close to your chest. There are also some other benefits for Microsoft doing this.”
The move to allow non-US data storage is the latest in a series of steps Microsoft has taken to hang on to its European customers in the wake of reports of mass electronic surveillance by the US intelligence agency, the NSA.
Last November, Microsoft confirmed that it was considering encrypting its customers' personal data sent over the internet. On 3 December, Brad Smith fleshed out the details of this in a blog post that controversially equated “government snooping” with an advanced persistent threat posed by cyber criminals.
“Customer content moving between our customers and Microsoft will be encrypted by default,” wrote Smith. “All of our key platform, productivity and communications services will encrypt customer content as it moves between our data centres.”
“We will use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths. All of this will be in place by the end of 2014, and much of it is effective immediately.”
Privacy campaigners have pointed out that wherever data is held, US tech companies are still obliged to hand over information on specific users if required by a secret US court.
Smith tried to address this in his blog, saying: “We are committed to notifying business and government customers if we receive legal orders related to their data. Where a gag order attempts to prohibit us from doing this, we will challenge it in court.”
“We're taking additional steps to increase transparency by building on our long-standing programme that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors. We will open a network of transparency centres that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft's products. We'll open these centres in Europe, the Americas and Asia.”
US President Obama last week revealed his plans to reform the NSA, but the reforms were widely seen as not going far enough to answer UK and European privacy concerns.