Microsoft First Cloud Provider to Adopt Cloud Privacy Standard

Microsoft’s General Counsel and Executive Vice President of Legal and Corporate Affairs, Brad Smith, took to the Internet today to announce that Microsoft is the first of the big cloud service providers to adopt the first international standard for cloud privacy.

In a time when there are many questions about storing data in the cloud, attacks on public services, and privacy against government snooping, Microsoft has been on the front line fighting for their customers’ rights. Microsoft isn’t doing this out of the goodness of their hearts; the future of Microsoft is cloud services, from your grandmother using Outlook.com all the way to enterprise usage of Azure. When there are threats to cloud computing, there are threats to the economic viability of Microsoft.

Microsoft's General Counsel and Executive Vice President of Legal and Corporate Affairs, Brad Smith (Image Credit: Microsoft)
Microsoft’s General Counsel and Executive Vice President of Legal and Corporate Affairs, Brad Smith (Image Credit: Microsoft)

The ISO/IEC 27018 cloud privacy standard is described on www.iso27001security​.com as a standard that:

“…provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing PII (Personally Identifiable Information) entrusted to them.”


In other words, any hosting company that complies with ISO/IEC 27018 will be implementing processes, policies, and restrictions to security the privacy of their customers. Microsoft says that this means:

  • User’s control of data: Microsoft will not be able to do anything with data that you haven’t previously agreed to. Now you just need a lawyer to read through those lengthy end user agreements!
  • Transparency of data: You will know who is using your data, including any authorized third-parties. You have complete visibility “over the return, transfer and deletion of personal information,” according to Smith.
  • Security protection for data: Your data will be secure, either at rest or in transit. This ensures that personal information will be encrypted and only authorized employees (who have signed confidentiality agreements) can access your information. An interesting thing to note in the post is the phrase “transportable media”; many leaks by government agencies have involved this kind of data transport.
  • Data and advertising: Watch out, Google! Enterprise customers do not want advertising that is based on their data. That’s how companies such as Google make a profit. Microsoft does not do this sort of business, and this standard ensures that they will not be scanning your company’s data to advertise to your employees.
  • Government access to data: Microsoft wants to be very transparent about government access to data but various governments, particularly the USA, prevent this, going to such lengths as issuing search warrants from secretly convened courts. Microsoft does report on the quantity of warrants served, but there’s little they can do beyond that.


I believe Microsoft is fighting the good fight and trying to be as open as possible, and it’s in their best interest to do this. There is a history of this; Microsoft received “confirmation from European data protection authorities that Microsoft’s enterprise cloud contracts are in line with ‘model clauses’ under EU privacy law regarding the international transfer of data,” according to Smith. And Microsoft is currently appealing a decision to force the turnover of data from a mailbox stored in Ireland to the US FBI.