Microsoft would like to set the record straight with respect to our commitment to the privacy of our customers’ data and our practices when it comes to requests for data we get from governments. Microsoft believes that our customers own their data and should control it how they see fit. We believe our customers have the right to know, and we have a right to tell them, when a government requests their data. When we believe those rights are being violated, we will go to court to protect them. And as shown by our history of fighting for our customer’s rights in court, we stand by our publicly stated principles on privacy and our contractual commitments to our customers’ more aggressively than any other cloud service provider in the world.
This week, various news outlets in India published articles mischaracterizing Microsoft’s policies for sharing customer data with the US government, specifically with US intelligence agencies. The articles also alleged disclosures by Microsoft of Indian customer data to the US government that do not match any data available to us.
To be clear, Microsoft does not provide any government with direct, unfettered access to customer data. All requests for customer data must be accompanied by an appropriate legal order, which in the United States requires court approval. When Microsoft gets a request for customer data, we review the request to ensure it is legally valid and challenge it in court if we don’t think it is. In addition, absent extraordinary circumstances, in the vast majority of cases we redirect governments to seek the data directly from the commercial customer or to allow us to tell our customer when the government requests their data unless prevented by law.
As part of our commitment to transparency, we publish a biannual Law Enforcement Requests Report, which brings together in one place the number of requests for customer data made by law enforcement, as well as government requests related to US national security. The data clearly shows that only a tiny fraction—a small fraction of a percent—of our customers have ever been subject to a government request related to criminal law or national security. For enterprise customers, that number drops further to a mere handful.
Protecting our customers’ data is one of our top priorities. Microsoft will not hesitate to sue the US government when we believe that our customers’ privacy rights are at stake, and our lawsuits have brought greater clarity to how the US government seeks customer data. We were part of a lawsuit suing the US government to allow us to disclose information about the number of Foreign Intelligence Surveillance Act requests we receive. We challenged a US government search warrant for access to customer data stored in our datacenter in Ireland and took it to the US Supreme Court, which ultimately resulted in the CLOUD Act. Our secrecy lawsuit forced the US Government to place limits on its use of gag orders.
We also worked with the US Department of Justice to reform government practices in enterprise investigations resulting in guidance that directs prosecutors to seek data from the customer first absent extraordinary circumstances.
For additional information, please refer to our Data Law site, where we detail everything we have done to protect our customers’ data as well as our principles explaining why we go to such lengths to fight for them.