Microsoft to shield foreign users’ data

James Fontanella-Khan and Richard Waters

Microsoft will allow foreign customers to have their personal data stored on servers outside the U.S., breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal.

Brad Smith, general counsel of Microsoft, said that although many tech companies were opposed to the idea, it had become necessary following leaks that showed the U.S. National Security Agency had been monitoring the data of foreign citizens from Brazil to across the EU.

(Read more: NSA hacks Microsoft error messages: Report)

"People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides," he told the FT.

Mr Smith added that customers could choose where to store their data from a variety of existing Microsoft data centers. For example, a European client could choose to have their data stored in the group's Irish data center.

Getty Images

The scandal over the NSA's illicit internet surveillance and the bulk collection of phone records has caused tensions between the U.S. and even some of its closest allies. The revelations sparked a global backlash, from calls for tighter privacy rules in Europe to a draft law in Brazil that would require all data about citizens to be held inside the country. Internet companies argue that this would balkanise the internet, turning it into a patchwork of national or regional systems.

Microsoft's gesture was immediately welcomed by privacy advocates, though it looked set to open a rift between the tech companies as they struggle to deal with the damage from the surveillance scandal.

"It's incredibly positive," said Jeff Chester, a U.S. privacy campaigner. "If they're really making a public commitment to store [data] locally then they will be breaking with the rest of the industry."

(Read more: No Microsoft CEO decision until at least February)

Some critics of the idea have questioned whether such a move would be effective in putting the personal data of non-Americans outside the reach of the NSA, since U.S. tech companies have to hand over information about specific users when ordered to by a secret U.S. court, regardless of where it is held.

However, keeping the information off U.S. soil and under local data protection rules should make it harder for the NSA to tap into illicitly, Mr. Chester said. "If the data are not being transported, then it does stop that kind of access."

Who will lead Microsoft from here?

The Microsoft offer follows a joint statement from the main U.S. Internet companies last month denouncing any requirement to hold data locally, as has been proposed in a draft law in Brazil.

A person at one leading internet company, who refused to be named, said on Wednesday that being forced to set up data centers in every country would be prohibitively expensive, especially for start-ups that cannot afford facilities in multiple countries.

Mr. Smith acknowledged that it would be expensive but added "does it mean that you ignore what customers want? That's not a smart business strategy."

(Read more: World of spycraft: NSA infiltrates gamers' data)

Following revelations made by Edward Snowden, the former NSA contractor, EU companies and consumers have become concerned about the way U.S. tech groups such as Google, Facebook and Microsoft share their data with U.S. authorities.

Although all major U.S. tech companies have denied giving American security agencies a "back door" into their networks, overall trust among many of their service users in Europe remains low by their own admission. "Our entire industry is concerned that some customers outside the U.S. are feeling less confident with [American] online services today," Mr. Smith said. "Technology today requires that people have a high degree of trust in the services they are using . . . The events of the last year undermine some of that trust [and] that is one of the reasons new steps are needed to address it."

More from the Financial Times:

Expert panel to probe internet governance
Syrian Electronic Army hacks Skype
Apple denies it knew of alleged hacking bid

Mr. Smith also said that the U.S. and EU should consider signing an international agreement that ensures they will not try to seek data in each other's territory via technology companies.

"If you want to ensure that one government doesn't seek . . . to reach data in another country, the best way to do it is . . . an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process."

He argued that the existing "Mutual Legal Assistance Treaty" mechanism used by the U.S. and EU to protect individuals' rights from the two blocs is outdated: "It needs to be modernized or replaced."

By James Fontanella-Khan and Richard Waters of the Financial Times