Is Office 365 Subject to the Patriot Act?

Great Seal of the United States

 

David from Newcastle upon Tyne asks “is Office 365 subject to the Patriot Act?”

This is a very common question when dealing with cloud services, not just office 365.  In short, the USA Patriot Act makes lawful access to stored data easier in certain instances.  If the request is lawful and obligatory, Microsoft cannot simply refuse.  Nor can any other company.  And don’t forget, the UK has similar powers and made almost as many law enforcement disclosure requests as the US between July 2013 and December 2013 (4,213 requests from the UK against 5,652 from the US).

Customers can be assured that Microsoft follows clear principles in responding to any government legal demands for customer data (whether from the US government, UK or other bodies):

There must be a valid subpoena or legal equivalent before Microsoft will consider releasing a customer’s non-content data to law enforcement;
There must be a court order or warrant before Microsoft will consider releasing a customer’s content data;
In each instance, Microsoft carefully examines the requests received for a customer’s information to make sure they are in accord with the laws, rules and procedures that apply.

Because Microsoft is committed to transparency in regards to who has access to customers’ data, when and under what circumstances, they publish the details of the number of demands they receive each year in a Law Enforcement Requests Report which is updated twice a year.  They have just released a report on US government requests (as opposed to law enforcement requests) and between January 2013 and June 2013 there were less than 1,000 orders seeking disclosure of customer content.  Brad Smith, Microsoft’s General Counsel & Executive Vice President of Legal & Corporate Affairs highlights that “while our customers number hundreds of millions… only a fraction of a percent of our users are affected by these orders.”

It’s also possible for customers on Microsoft’s cloud services to find out whether someone has accessed their data.

Due to the frequency of this question, the Office 365 Trust Centre is a useful source of information around privacy and transparency.