Microsoft can't guarantee UK data sovereignty

UK policing data may be transferred overseas

Microsoft can't guarantee UK data sovereignty

Microsoft has said it can’t guarantee that UK policing data stored in Azure will remain in the UK.

Correspondence between the Scottish Police Authority and the Windows maker showed that Microsoft could not guarantee that data uploaded to a new trial system - the Digital Evidence Sharing Capability (DESC) - would remain in the UK, as required by law.

The correspondence was released under freedom of information rules and first covered by Computer Weekly.

Microsoft said the data processing agreement in place for the DESC does not cover UK-specific data protection requirements, but that it could make the technical changes needed to ensure compliance.

The correspondence shows that data uploaded to Microsoft's hyperscale cloud infrastructure is regularly transferred and processed overseas.

The issue goes beyond Scotland and the DESC. Microsoft Azure is widely used throughout the justice sector, and indeed the UK public sector. Many of those users will have regulatory limits on overseas data transfers.

At this point, Microsoft says it is only making changes for the DESC, and no other policing bodies, because "no one else had asked."

That said, it's unclear what – if anything – the company has changed, given that it told Computer Weekly it has "not made any contractual commitments that change how Azure services already run."

Data sovereignty demand

Keeping data sovereign, i.e. stored and processed in the same geographic location it is collected, is a requirement of various recent laws and regulations, not least the GDPR.

Several vendors, including AWS and Oracle, have launched their own sovereign cloud infrastructure to comply with data protection requirements.

Owen Sayers, who made the FoI request, said, "the statements from Microsoft make clear that they 100% cannot comply with UK data protection law...

"They've confirmed for the first time that a guarantee of sovereignty for data at rest (which is what they give) does not extend to data being processed (which is what everyone chose to assume) and does not cover support (which everyone ignored)."

"Knowingly breaching the law"

Sayers added that no UK policing body can now justifiably claim that Microsoft is processing data they upload legally, "and anyone using this technology now is knowingly breaching UK law."

The law he refers to is Part 3 of the Data Protection Act, which requires that law enforcement data must remain sovereign - though it's worth noting that data can be transferred overseas if it's subject to appropriate protections.

A Microsoft spokesperson told Computer Weekly that that company "has strong data protection and data residency commitments for Azure."

In addition, "We have not made any contractual commitments that change how Azure services already run. We have worked with Police Scotland to clarify how Azure operates to help them determine that they can use DESC on Azure in compliance with the obligations for law enforcement set out under Part 3 of the Data Protection Act 2018."

However, Microsoft did not respond when asked how it is preventing data from being stored and processed outside the UK for specific services known to do so, including Azure Cloud Services; Azure Data Explorer; Language Understanding; Azure Machine Learning; Azure Databricks; Azure Serial Console; preview, beta and other pre-release services.

The DESC does not use any of these functions, but other police forces in the UK are known to do so.