The issue of data sovereignty arises a lot with cloud computing, so it’s good to stay up to date with plans for local datacentres. Offering Office 365 services from local datacenters helps customers feel more confident about complying with regulations that require data to be kept in their own region. Microsoft has a regionalised data centre strategy with Office 365: the billing address of the customer, which the customer’s administrator inputs during the initial setup of the services, typically dictates the Office 365 region and the primary storage location for that customer’s data. You can view these regions on the Microsoft Office 365 Data Maps page. For example, customers in Asia Pacific will have their Office 365 hosted in datacentres in Hong Kong and Singapore; however, some data, such as Active Directory and Global Address Book data, may reside elsewhere.
Microsoft announced they’ll be launching Office 365 services from datacenters in Japan (December 2014), Australia (March 2015) and India (late 2015), and these regions will replicate data across datacenters in a single country only.
Customers should be able to create new tenants inside these additional regions as soon as they’re online (for example, Japan is available now). Existing customers in the affected regions will have their data moved to the new Office 365 datacenters from September 2015 and will be given six weeks’ advance notice of their move date.
David from Newcastle upon Tyne asks “is Office 365 subject to the Patriot Act?”
This is a very common question when dealing with cloud services, not just Office 365. In short, the USA Patriot Act makes lawful access to stored data easier in certain instances. If the request is lawful and obligatory, Microsoft cannot simply refuse. Nor can any other company. And don’t forget, the UK has similar powers and made almost as many law enforcement disclosure requests as the US between July 2013 and December 2013 (4,213 requests from the UK against 5,652 from the US).
Customers can be assured that Microsoft follows clear principles in responding to any government legal demands for customer data (whether from the US government, UK or other bodies):
There must be a valid subpoena or legal equivalent before Microsoft will consider releasing a customer’s non-content data to law enforcement;
There must be a court order or warrant before Microsoft will consider releasing a customer’s content data;
In each instance, Microsoft carefully examines the requests received for a customer’s information to make sure they are in accord with the laws, rules and procedures that apply.
Because Microsoft is committed to transparency with regard to who has access to customers’ data, when and under what circumstances, they publish the details of the number of demands they receive each year in a Law Enforcement Requests Report, which is updated twice a year. They have just released a report on US government requests (as opposed to law enforcement requests), and between January 2013 and June 2013 there were fewer than 1,000 orders seeking disclosure of customer content. Brad Smith, Microsoft’s General Counsel & Executive Vice President of Legal & Corporate Affairs, highlights that “while our customers number hundreds of millions… only a fraction of a percent of our users are affected by these orders.”