Microsoft says it will let users choose where data is stored, but things aren’t that simple

Microsoft(s msft)’s top lawyer has said the company will let non-U.S. customers choose to have their data stored outside the U.S. To an extent, this would be a boon for the privacy of the firm’s foreign customers — but privacy advocates should dampen their enthusiasm.

Brad Smith, Microsoft’s general counsel, told the Financial Times (subscription required) late Wednesday that a European customer, for example, could select Microsoft’s Irish data center for its storage:

“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.”

Firstly, I’m not sure how much this counts as Microsoft “breaking ranks” with other big U.S. tech firms, as the article suggests. U.S. firms storing non-U.S. data outside the country is no novelty – it’s not purely a latency move for Google(s goog), Facebook(s fb) and Amazon(s amzn) to have big data centers in Europe, as they do. Many business customers already demand it for compliance reasons.

That said, allowing consumers to demand the same would be a weightier and much more unpredictable affair, so Microsoft’s latest move would certainly move the situation on from the status quo. On that basis, it is to be commended.

But there are two big things to bear in mind if you’re non-U.S. and hoping Microsoft’s storage choice will let you evade the watchful eyes of the NSA:

  • The Patriot Act: Contrary to what many people believe, the U.S.’s post-9/11 Patriot Act (which largely underpins the current surveillance scandal) does not just compel U.S. tech firms to hand over what’s stored on U.S. soil. All that’s needed is for the cloud provider to itself fall under U.S. jurisdiction, which Microsoft most certainly does and will continue to do. In order for Microsoft to be able to guarantee that it can’t turn European customers’ data over to the U.S. authorities, for example, it would probably have to create an entirely separate European Microsoft.
  • Non-U.S. intelligence activities: The NSA has partners, and lots of them. Britain’s GCHQ, for one, has been shown through the Snowden leaks to be a very eager consumer of the world’s data, merrily tapping into communications that pass through its borders (which covers a lot) and quite likely beyond. And on the national level, even privacy-friendly countries such as Germany have strong intelligence ties to the U.S.

On the second point, it is still fair to say the non-U.S. user will enjoy better legal protections than they would if their data were stored in the U.S. And, as Microsoft has reacted to the NSA scandal by beefing up its encryption efforts, there’s a good chance GCHQ won’t be able to listen in so easily anymore.

But the first point remains a real problem. As it happens, Microsoft itself broke ranks back in 2011 by admitting, as none of its compatriots had done, that the Patriot Act meant it “cannot provide those guarantees” regarding data sovereignty. True, at this point it becomes a matter of targeted rather than bulk surveillance, but for many users — particularly those using Microsoft’s services for business or other sensitive information — the risk may remain unacceptable.

On this one, the devil will be in the details. When Microsoft follows through with its location-choice move, it will need to be very clear about what it can and cannot promise.

UPDATE (9am PT): Looks like Google’s Eric Schmidt is on the same wavelength on this one: