Recent correspondence between the Scottish police authority and Microsoft revealed that the tech giant could not guarantee that data uploaded to a new test system, the Ability to Share Digital Evidence (DESC), would remain in the UK as required by law. The correspondence was disclosed under freedom of information rules and initially reported by Weekly Computer.
Microsoft admitted that the current data processing agreement for DESC does not cover UK-specific data protection requirements but stated that it could make necessary technical changes to ensure compliance. It was revealed that data uploaded to Microsoft’s cloud infrastructure is regularly transferred and processed abroad, raising concerns about data sovereignty and compliance with regulations such as the GDPR.
The issue extends beyond Scotland and DESC, as Microsoft Azure is widely used in the judicial and public sectors across the UK. Many users have regulatory limits on data transfers abroad, making data sovereignty a crucial concern for them.
Microsoft mentioned that it is making changes only for DESC and not for any other law enforcement agency, claiming that no other organization has requested such modifications. However, the company’s statements have raised questions about its ability to fully comply with UK data protection laws.
Owen Sayers, who initiated the freedom of information request, stated that Microsoft’s inability to guarantee data sovereignty raises concerns about compliance with UK laws. He emphasized that UK law enforcement agencies using Microsoft technology may be knowingly breaching the law by failing to maintain data sovereignty as required by Part 3 of the Data Protection Act 2018.
Microsoft asserted that it has strong data protection and residency commitments for Azure but did not provide detailed information on how it ensures compliance for specific services known to store and process data outside the UK. Despite clarifying how Azure operates for Police Scotland, Microsoft did not address concerns about data storage and processing for services like Azure Cloud Services, Azure Data Explorer, and Azure Machine Learning.
The DESC system does not use these specific services, but other UK police forces are known to use them. This raises further questions about data sovereignty and compliance with data protection laws for law enforcement agencies that use Microsoft services.
Article Source
https://www.computing.co.uk/news/4326683/microsoft-guarantee-uk-sovereignty