Nowhere is the uncertainty surrounding data protection currently greater than with regard to cloud services. Microsoft is on the right track with its extensive implementation of the EU standard contract clauses, writes Martin Kuppinger.

At the end of last year, Microsoft brought its Office 365 contracts into line with EU data protection and privacy regulations. But the real question when such an announcement is made is always: what’s really behind it?

In this case, Microsoft can arguably be considered a pioneer. Microsoft has taken a step that many other providers should emulate. An OASIS conference a few weeks ago discussed the Cloud Legal Project at QUML (Queen Mary University of London). In short: all reviewed contracts by large-scale cloud providers were inadequate. The companies in question were not the Googles and Facebooks of the world who draw so much – often justified – flack, but providers of enterprise solutions.

Microsoft has now responded. The company signed the Safe Harbour Agreement some time ago, and has now adapted its contracts. With this move Microsoft is sending the right message, which other cloud providers could follow. It is also clear that the US Patriot Act continues to pose a risk – which applies equally to all American cloud providers. Microsoft has however taken a decisive step towards meeting the demands of its European customers, and has implemented what it could. This is in the interest of its customers.

Risks nonetheless remain because the US Government is of course also pursuing political interests and the US Patriot Act is a general reason not to work with American cloud providers. However, nor should the interests of European governments and their handling of information be seen in too positive a light. Microsoft is at least demonstrating what can be done. What is contained in Microsoft’s contracts should therefore be considered the minimum that can generally be expected of cloud providers.