Top privacy questions a customer should ask their cloud provider
Microsoft Office 365 provides essential privacy features to all Office 365 customers. The purpose of this section is to describe these privacy features and how they meet the high standards of privacy set by EU authorities. On July 1, 2012, the EU’s Article 29 Working Party (WP29)—a group made up of the European Union’s national data protection authorities—adopted Opinion 05/2012 on Cloud Computing. The Opinion on Cloud Computing highlights the benefits of cloud computing, including enhanced efficiency and greater security. In the Opinion, the WP29 emphasizes the importance of choosing a cloud service provider that is transparent about its data protection practices and that respects the privacy of customer data.
The WP29 Opinion provides essential guidance for current and would-be cloud users. It also raises a number of questions that cloud customers, in their role as data controllers, should consider when selecting a cloud provider. The key privacy questions and the Office 365 responses are described here.
Does the cloud provider offer comprehensive and easy-to-understand information about its privacy and security practices in one central location? Does this information address important issues such as where data is stored, who can access it and under what circumstances, and what subcontractors are involved in the processing of data?
Does the cloud provider use customer data for any purpose, or in any manner, other than to provide the service? If so, for what specific purposes? For example, will customer data be processed to build profiles for use in advertising or for any other commercial purposes, or disclosed in any way to third parties (other than to subcontractors, or when legally required to do so)?
If the cloud provider offers both enterprise and consumer services, does the provider combine enterprise customer data with data that it collects from consumer services? If so, in what ways and for what purposes?
Does the cloud provider scan or mine customer content, such as email communications or documents? If so, for what purposes?
If the cloud provider also offers consumer services, does it commingle enterprise data and data gathered from those consumer services?
Does the cloud provider apply robust protections to data transfers in the cloud?
Office 365 provides a comprehensive data protection agreement (DPA) and offers the EU Model Clauses in addition to self-certification under the U.S.-EU Safe Harbor framework. While the EU Model Clauses are specifically built for EU customers, the DPA is an aggregation of the best privacy practices of different countries and is offered to all customers regardless of geography or size. The processes that Office 365 has built to comply with the EU Model Clauses are not restricted to EU customers but are available to all customers.