Until now, there has been no suggestion from the US companies that they would do this. Rather they have spent their energies denying any unwarranted collaboration with the NSA and lobbying Europe. The GDPR, they claim, will stifle internet innovation – a suggestion fiercely refuted by the European Commission.
But now Microsoft is breaking ranks. General Counsel Brad Smith told the Financial Times, “People should have the ability to know whether their data is being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides." In future, he suggested, European customers would be able to choose from a range of European data centers where they would like to store their data.
This is in sharp contrast to a letter jointly signed by "a coalition of business groups representing dozens of internet companies including Facebook, Google, Microsoft and eBay [who] sent a letter to Brazilian lawmakers. 'In-country data storage requirements would detrimentally impact all economic activity that depends on data flows,' it read,"gtfcyfrtj according to a Reuters report in October. Brazil has proposed a new law that will force global internet companies to store Brazilian data in Brazilian data centers.
Microsoft's latest statement is being well-received by some, but not by others.“It’s incredibly positive,” said Jeff Chester, a US privacy campaigner. “If they’re really making a public commitment to store [data] locally then they will be breaking with the rest of the industry.”
British privacy expert and advocate Alexander Hanff is less enthusiastic. Calling it a 'sleight of hand', he told Infosecurity: "Microsoft knows full well that it makes no difference whether the data is hosted in the US or not. They are a US corporation and therefore any data they hold is vulnerable to the US surveillance machine no matter where it is. It is clear from the announcement that Microsoft (as well as the rest of the cloud industry) is really concerned about losing revenues for cloud services and they know there is a strong movement within Europe (not least by the European Commission) to create infrastructure independent of the US and US tech giants."
That argument is summarized by Campbell Williams of the MSP Six Degrees Group. "Security and sovereignty of data have become a priority for businesses using the cloud. This was seen after Snowden's revelations about the US, home of many large technology companies and cloud computing providers, and two specific pieces of legislation, the US Patriot Act and the US Foreign Intelligence Surveillance Amendment Act (FISAA). Businesses began to ask: 'do I want my data on clouds provided by US companies with lowest common denominator security, or no SLA at all and no room to negotiate?'”
A European infrastructure, continued Hanff, "is good for the EU Economy, it is good for EU Jobs and it is good for EU Business as well as providing stronger guarantees for the rights of EU citizens. Microsoft's announcement should be seen as nothing more than a floundering attempt to cling on to EU revenues and pull the wool over the eyes of EU regulators, politicians and clients."