Did Microsoft Hide Key Data Flow Information In Plain Sight? (computerweekly.com) 14
An anonymous reader shared this report from Computer Weekly:
Policing data hosted in Microsoft's hyperscale cloud infrastructure could be processed in more than 100 countries, but the tech giant is obfuscating this information from its customers, Computer Weekly can reveal. According to documents released by the Scottish Police Authority (SPA) under freedom of information (FoI) rules, Microsoft refused to hand over crucial information about its international data flows to the SPA and Police Scotland when asked...
The tech giant also refused to disclose its own risk assessments into the transfer of UK policing data to other jurisdictions, including China and others deemed "hostile" in the DPIA documents. This means Police Scotland and the SPA — which are jointly rolling out Office 365 — are unable to satisfy the law enforcement-specific data protection rules laid out in Part Three of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK. The same documents also contain an admission from Microsoft — given while simultaneously refusing to divulge key information about data flows — that it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure. This echoes the statements senior Microsoft representatives made to the French senate in June 2025, in which they admitted the company cannot guarantee the sovereignty of European data stored and processed in its services generally.
The revelation that Microsoft may access customer data from more than 100 countries is a result of the correspondence previously disclosed under Freedom of Information and reported on by Computer Weekly... All in all, an analysis of Microsoft's distributed documentation — conducted by independent security consultant Owen Sayers and shared with Computer Weekly — suggests that Microsoft personnel or contractors can remotely access the data from 105 different countries, using 148 different sub-processors. Despite technically being public, Sayers highlighted how this information is not transparently laid out for Microsoft customers, and is distributed across different documents contained in non-indexed webpages.... "[A]ny normal amount of due diligence — even if it is conducted by skilled persons will likely fail to see the full scope of offshoring in play," he said...
Microsoft did not contest the accuracy of the remote access location figures cited by Computer Weekly in this story.
The tech giant also refused to disclose its own risk assessments into the transfer of UK policing data to other jurisdictions, including China and others deemed "hostile" in the DPIA documents. This means Police Scotland and the SPA — which are jointly rolling out Office 365 — are unable to satisfy the law enforcement-specific data protection rules laid out in Part Three of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK. The same documents also contain an admission from Microsoft — given while simultaneously refusing to divulge key information about data flows — that it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure. This echoes the statements senior Microsoft representatives made to the French senate in June 2025, in which they admitted the company cannot guarantee the sovereignty of European data stored and processed in its services generally.
The revelation that Microsoft may access customer data from more than 100 countries is a result of the correspondence previously disclosed under Freedom of Information and reported on by Computer Weekly... All in all, an analysis of Microsoft's distributed documentation — conducted by independent security consultant Owen Sayers and shared with Computer Weekly — suggests that Microsoft personnel or contractors can remotely access the data from 105 different countries, using 148 different sub-processors. Despite technically being public, Sayers highlighted how this information is not transparently laid out for Microsoft customers, and is distributed across different documents contained in non-indexed webpages.... "[A]ny normal amount of due diligence — even if it is conducted by skilled persons will likely fail to see the full scope of offshoring in play," he said...
Microsoft did not contest the accuracy of the remote access location figures cited by Computer Weekly in this story.
Conspiracy is bullshit (Score:5, Insightful)
Microsoft is clear about this. Using Office 365 means putting data in a hyperscale cloud -spread across datacenters all over the world. The data will not remain in your country. If this is important (or you know, Required by Law...) don't use Office 365.
Microsoft is not hiding this. Microsoft is not lying about it. Microsoft is telling you that their product does not meet the requirements, and that it will not meet the requirements.
It is the client (Scottish Police Authority) choosing to use the product, knowing full well that it is not legal for them to use it.
Re: (Score:2, Insightful)
To correct your own "solution": if Microsoft is unable to make Office 365 legally compliant, then Microsoft should not be in business. The onus is purely on Microsoft to not offer illegal products to the market.
Microsoft is following the law (Score:2)
it's only illegal to process other people's data with it without their express and explicit consent to do so. You can happily use all of Microsoft's products to process your own data (and personal data belonging to other people who have consented) perfectly legally. This means Microsoft is legally in the clear to sell it to anyone they like, as long as they do not warrant
Re: (Score:2)
There is a solution for this. Microsoft still sells both Microsoft Office 2024 Home and Professional for those that don't want to use the subscription-based Office365. Office 2024 is installed locally and any use of cloud storage is optional. If the Scottish Police Authority has network storage where they can guarantee that the data stays withing their control then they can use that instead. Office 2024 Home [microsoft.com]
Just wait until Recall is activated (Score:2)
Microsoft has several offerings... (Score:3)
And I suspect that this isn't true for all of them. Especially for their sovereign cloud plans, since that's the whole point of them. Choose the one that meets your budget and preferences.
Microsoft has a Sovereign Cloud solution (Score:5, Informative)
Right now, it is a pretty short list to check to see if your country has a sovereign cloud. If it does not and you have data protection laws that effectively require a sovereign cloud for an approach under consideration, perhaps you should look at other options. Not complain after-the-fact that the chosen platform doesn't meet your needs.
How is it that no other company has stepped up? (Score:1)
Police: Here are our requirements.
Microsoft: We can't meet those requirements.
Isn't the next step for the Police to issue a rfp for someone who CAN meet their requirements?
Re: (Score:2)
Simple solution for Police Scotland (Score:3)
Maybe dont store your (our) data in the cloud - run your own servers, you know, like how you used to do before you outsourced to cut costs.
Re: (Score:2)
Outsourced to cut their (your) costs.
Re: Simple solution for Police Scotland (Score:2)
Some costs shouldnt be cut.
Re: (Score:2, Insightful)
Outsourced to increase costs but gain useful experience to add to the CVs and résumés of the IT staff, for their next job
Re: Simple solution for Police Scotland (Score:3)
Exactly. If they can't satisfy the requirement why not just go with another vendor or run on premise? They are acting like this is the only choice.