Four legal and regulatory considerations when choosing a cloud provider

By Dervish Tayyip, Assistant General Counsel, Microsoft

Attention in-house lawyers and compliance officers: If your executives haven’t asked you yet about the legal and regulatory implications of moving to the cloud, they undoubtedly will soon.

That was evident last week at The General Counsel & Compliance Strategy Forum in London, where I had the opportunity to discuss some of the legal and regulatory issues that in-house legal and compliance departments need to consider in the rapidly evolving cloud services market.

To be clear, the cloud offers companies major benefits, ranging from greater innovation and organizational agility to significant cost efficiencies. But not all cloud service providers are equal when it comes to how they deal with their customers’ legal and regulatory concerns.

At Microsoft, we believe there are four major areas customers should focus on when choosing a cloud provider.


We understand that our customers have compliance needs, and we design our cloud services to help them meet those requirements. Where there may be gaps, we have a track record of working constructively with customers and regulators to find solutions.

For instance, European data protection authorities have recognized that Microsoft’s enterprise cloud contracts meet the requirements of the EU’s “model clauses” for the transfer of data outside the European Economic Area. This ensures that our customers can use Microsoft services to move data freely through the cloud from Europe to the rest of the world.

And in November 2012, Microsoft came to an agreement with the Dutch National Bank, the Netherlands’ financial services regulator, under which Microsoft gave the regulator a ‘right to inspect’ the cloud services. This enabled our customers to satisfy the regulator that it would continue to have effective supervisory authority over regulated entities when those entities place their data in Microsoft’s cloud.

Since then, we’ve developed similar agreements with financial services regulators around the world. This is an area where it is important for customers to understand their cloud provider’s history with regulators: be aware of situations where regulators have imposed fines on the provider for privacy breaches, or where the provider has argued in litigation that it is not subject to local data protection laws.


Customers are reasonably concerned about giving up a degree of control over their assets. Customer control can be enhanced through compliance with ISO 27018, the world’s first international standard for cloud privacy. Adherence to this standard is particularly important for multinationals, as it was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting the privacy of personal data stored in the cloud.


There is no reason to adopt a cloud service if it can’t protect your data. We engineer our cloud services to have best-in-class security controls and practices and we adopt other innovative steps that can play a significant part in protecting our customers from cyber attacks.

Through the Microsoft Digital Crimes Unit (DCU), we have an international team of legal and technical experts who work with industry partners and law enforcement to safeguard people and organizations from a variety of digital threats. We use the intelligence gained from these operations to strengthen the security of our cloud services, so that our customers benefit directly from these efforts.


Designing great cloud services is meaningless unless customers are comfortable trusting us with their data. For that to happen, we must be transparent about our data handling processes, to assure customers that we have their best interests in mind.

Customers need to understand the deal they are getting, which means that we need to have clear and concise contract terms. Those terms need to address the issues customers care about most: Where is their data stored? How will it be used? Which subcontractors does the cloud provider work with, and what safeguards are in place when subcontractors change?

Not only do we need to commit to performing audits of our obligations and controls, but we need to share the results of those audits.

It’s also more important than ever that customers have an opportunity to understand our policies and practices for responding to legal demands from governments. That’s why we’ve committed to providing meaningful data in our semi-annual Law Enforcement Request Report.

As all of these developments show, customers have a critical role to play in shaping how the cloud computing market evolves: by clearly articulating their compliance needs to cloud providers, and by engaging with their regulators so that the regulators are up to speed on, and comfortable with, specific cloud arrangements.

