SDC - Microsoft Cloud - Data Sovereignty

I've long had concerns about cloud storage. Personally, I use Proton as my main service provider for e-mail and cloud storage. Pretty much everything is end-to-end encrypted. Proton themselves have absolutely no idea what I store. In my humble opinion this is the only way to handle personal information.

Customers of Microsoft, Google et al. all have their data stored as plain text. This has long troubled me, especially as Stroud District Council use Microsoft products extensively. But now they want to trial Power BI, Microsoft's business analytics service. This would involve using and storing datasets of sensitive residents' data in the cloud. I've been seeking assurance that this data would not be used by Microsoft to 'train' their other products.

Following the reassurances given by SDC, at the last Audit & Standards Meeting, it has transpired that the US Administration actually has unwarranted access to all this data.

So after some back and fore, this was my e-mail:-


Thank you for addressing our questions from the last committee meeting. While your overview of Microsoft's cloud data storage practices is helpful, I would like to focus specifically on what I raised about the implications of using AI and Power BI datasets, which will contain extensive personal information about our residents; information that is highly sensitive.

I note that Microsoft has committed to requiring express permission for international data transfers related to technical support and similar functions. We also encourage that our data is kept within the UK or EU, stipulating that any transfers to the U.S. must meet security standards equivalent to GDPR. As you point out, GDPR is a crucial piece of legislation that safeguards individuals' privacy rights by mandating explicit consent and enforcing strict rules on how organisations handle personal data.

Rightly, you also highlighted the existence of legal frameworks that permit data access for purposes such as law enforcement and national security. In the UK, these processes are very clearly defined, with warrants issued by relevant authorities and oversight provided by the Investigatory Powers Commissioner, who regularly inspects and reports on these activities. These measures collectively provide a high level of assurance that our sensitive data will remain private and secure.

With all this I am satisfied.

However, since the last Audit & Standards committee meeting developments have significantly usurped these assurances. During proceedings in the French supreme court, Microsoft admitted (after years of obfuscation) that, as a U.S. incorporated entity, it would be compelled to comply with demands from any U.S. administration for access to data it holds (our data), regardless of where the data is physically located (UK, EU, or elsewhere). This means that all UK legal protections could be bypassed without notice or recourse, raising serious concerns about privacy, security and data sovereignty.

Whilst Microsoft and other major U.S. tech companies have stated they would resist such requests and, indeed, they claim it has never occurred, the risk remains. By the time such a precedent is set, our data will be so entangled in these cloud based products that it will be impossible to unpick.

Given these risks, I strongly suggest that we consider the use of a UK incorporated cloud hosting provider in our organisational data strategy to accommodate our highly sensitive datasets. This approach would effectively mitigate the identified risks while aligning with our responsibility to manage risk proactively.

Adopting a hybrid/multi-cloud strategy that includes a UK based provider would also reduce our dependence on a single supplier, enhancing our operational resilience and data sovereignty. It would enable us to migrate or switch services more easily if necessary, further strengthening our ability to adapt to future needs.

Additionally, this issue extends beyond technical considerations. As someone who is elected to represent the residents of Stroud District, I am acutely aware that many of them, unlike my family who hold U.S. citizenship, do not enjoy the protections afforded by the U.S. Constitution against unwarranted state intrusion. Recent events, such as the deportation of individuals in the U.S. for expressing views similar to those I advocate for here in the UK, underscore the importance of safeguarding our residents' data from potential overreach.

For all these reasons, I will be urging the committee to carefully reconsider our current data strategy and explore multi-cloud alternatives that prioritise data sovereignty and residents' privacy.

I trust that this precisely articulates my concerns as an elected member of the Audit & Standards committee.


This was the reply which, in my humble opinion, doesn't really address the issue at all:-

The response e-mail



More from Cllr Gareth Kitchen