Microsoft hides key data flow information in plain sight

Microsoft’s own documentation confirms that data hosted in its hyperscale cloud architecture routinely traverses the globe, but the tech giant is actively obfuscating this vital information from its UK law enforcement customers

Policing data hosted in Microsoft’s hyperscale cloud infrastructure could be processed in more than 100 countries, but the tech giant is obfuscating this information from its customers, Computer Weekly can reveal.

According to documents released by the Scottish Police Authority (SPA) under freedom of information (FoI) rules, Microsoft refused to hand over crucial information about its international data flows to the SPA and Police Scotland when asked. The documents contained in the FoI dump include correspondence between the tech giant and policing bodies and two data protection impact assessments (DPIAs).

The tech giant also refused to disclose its own risk assessments into the transfer of UK policing data to other jurisdictions, including China and others deemed “hostile” in the DPIA documents. This means Police Scotland and the SPA – which are jointly rolling out Office 365 – are unable to satisfy the law enforcement-specific data protection rules laid out in Part Three of the Data Protection Act 2018 (DPA18), which places strict limits on the transfer of policing data outside the UK.

The same documents also contain an admission from Microsoft – given while simultaneously refusing to divulge key information about data flows – that it is unable to guarantee the sovereignty of policing data held and processed within its O365 infrastructure.

This echoes the statements senior Microsoft representatives made to the French senate in June 2025, in which they admitted the company cannot guarantee the sovereignty of European data stored and processed in its services generally.

Hidden in plain sight

The revelation that Microsoft may access customer data from more than 100 countries is a result of the correspondence previously disclosed under FoI and reported on by Computer Weekly.

In response to Police Scotland’s questions about where the data it uploads to M365 is stored and processed, the tech giant provided the force with a number of links to the “overview and definitions” section of Microsoft Learn, an online training platform and technical documentation library intended to provide users with a “comprehensive” overview of Microsoft products and services.

However, while the linked pages given to Police Scotland suggest its data may be transferred to up to 34 different countries (depending on how datacentres are being used), Microsoft’s own Learn web resources elsewhere list more than 100 countries where either Microsoft personnel or contract staff may remotely access customer data in M365 from.

According to one list dated 11 November 2024, there are around 70 countries that M365 data could be accessed from that hold no European or UK adequacy for law enforcement data. Outside of the EU and EEA, the UK is the only country with law enforcement data adequacy.

All in all, an analysis of Microsoft’s distributed documentation – conducted by independent security consultant Owen Sayers and shared with Computer Weekly – suggests that Microsoft personnel or contractors can remotely access the data from 105 different countries, using 148 different sub-processors.

Although the information is technically public, Sayers highlighted that it is not transparently laid out for Microsoft customers, and is distributed across different documents contained in non-indexed webpages.

“It has to be recognised that a few tables of sub-processors, subsidiaries, contract providers, call centre operators and locations distributed across the mass of marketing materials that uniformly promote the suitability of Microsoft Cloud for all types of use case creates a landscape where any normal amount of due diligence – even if it is conducted by skilled persons – will likely fail to see the full scope of offshoring in play,” he said.

There is no indication in any of the previously released FoI documents that Scottish policing bodies were aware of this information, as it did not appear in the correspondence and was not addressed in the DPIAs.

Although the documentation – which is buried in non-indexed, difficult-to-find webpages – has come to light in the context of Computer Weekly investigating police cloud use, the issue of routine data transfers within Microsoft’s cloud architecture affects the whole of the UK government and public sector, which are obliged by the G-Cloud and TEPAS frameworks to ensure data remains in the UK by default.

According to multiple data protection litigation experts, the reality of Microsoft’s global data processing here, on top of its failure to meet key Part Three obligations, means data subjects could have grounds to successfully claim compensation from Police Scotland or any other force using hyperscale cloud infrastructure.

Police and Microsoft responses

Computer Weekly contacted Microsoft about every aspect of the story, but received no on-the-record response. Reiterating a statement given to Computer Weekly in August 2025, a spokesperson said: “Microsoft complies with all laws and regulations applicable to the provision of our products and services.”

Microsoft did not contest the accuracy of the remote access location figures cited by Computer Weekly in this story.

Computer Weekly contacted both Police Scotland and the SPA to ask whether they have now been made aware of the full range of Microsoft data processing locations and the full spread of their data globally. Computer Weekly also asked whether the information would affect their view of M365’s suitability for their operational needs.

A Police Scotland spokesperson said the force “continues to work with the Scottish Police Authority on plans to implement Microsoft 365 in common with other UK Law Enforcement agencies. We work closely with partners to ensure all required data security, protection controls and governance are in place. This includes with the Information Commissioner’s Office and the Scottish Biometrics Commissioner as required.”

The SPA – which is not currently using M365 in the cloud – confirmed that it is aware of all the relevant data processing locations, as set out on Microsoft’s websites, as well as all of the associated risks.

Given the material is not referenced in any of the previously disclosed FoI documentation, both organisations were also asked when and how they became aware of the information. Computer Weekly received no response on this point.

Identifying the data flows

The full range of countries where M365 data can be remotely accessed from was first identified by Sayers – also an enterprise architect with more than 20 years’ experience in delivering national policing systems – who only happened upon it after using “personnel” as a filter within Microsoft’s search function on the page.

This surfaced a page titled Locations of Microsoft Online Services Personnel with Remote Access to Data.

At the time of publication, the page with the processing locations list is not returned by many popular search engines using relevant key words or the direct URL, but can be found using advanced searches and full text queries.

“What’s really interesting is that I can’t find any listing or link to that page from the index in that section,” he told Computer Weekly. “Effectively, it’s a non-referenced page in the Learn section that Microsoft pointed Police Scotland and the SPA to. I had to put that specific filter in to find the page.”

Given the difficulty associated with finding this (as well as other pages Sayers identified as containing relevant data processing information), Sayers said he suspects most Microsoft customers will have overlooked them.

He added that while Microsoft has provided Scottish police with some information about international data flows within M365, the pages provided do not describe the full extent of its offshore data processing operations, or the global spread of its subsidiaries and contract staff with remote access to the data: “Microsoft Cloud is – in effect – operating as a big black data transfer box. Stuff goes in and comes out, but where it goes in between, to whom and for what purposes is still unclear.”

Commenting on the revelation, Bill McCluggage, a former director of IT strategy and policy in the Cabinet Office and deputy government CIO from 2009 to 2012, told Computer Weekly it would be “naïve” to argue Microsoft itself was unaware of the data flow information contained within its own documentation.

“Having worked for a large American tech company, one of the things you learn very quickly is that legal counsel has a huge degree of knowledge and control over what goes on,” he said. “So, I would expect Microsoft’s legal counsel to be all over this, because it’s the lifeblood of what they do.”

He further added that Microsoft will know the data flows “backwards and forwards”, because it is “load balancing backwards and forwards on a second-by-second basis across its data hosting facilities”.

McCluggage said while Microsoft services being spread all over the world creates a “complex environment” with global data access points, geofencing capabilities already exist that would enable customer data to be stored and processed within specific geographic locations, ensuring its sovereignty, security and integrity.

“It just so happens Microsoft doesn’t do it,” he said, adding part of the problem is UK authorities not having the expertise to challenge Microsoft and ensure the right capabilities are being deployed.

While there is “clearly a wealth of information” in Microsoft Learn, Sayers added only a very small sub-set is directly indexed: “Microsoft have scattered this information in multiple documents on different parts of their voluminous websites, and it takes significant effort and days of analysis to establish where your data could end up. Even then, Microsoft don’t really seem to know exactly what customers’ data goes where, to whom, and for what purpose.”

Sayers added that if Microsoft are unable to give clearly defined data flows for a customer, it then becomes nigh-impossible to provide any assurance that they know where all of a specific customer’s data actually is: “If they don’t know where the data is and who might hold copies of it, then how can they and their sub-processors guarantee they’ve deleted it when told to do so?”

Sayers said while Microsoft may now be able to claim it can promote the link to these pages in the future and claim the information has always been available, “in real terms it’s hiding in plain sight, buried in the morass of Microsoft information. That could just be bad presentation by Microsoft, or it could be a deliberate measure – it’s impossible to tell.”

He also highlighted that Microsoft have “not in any way sought to refute the fact that they are indeed sending data to administrators located in 105 countries around the world, including China and non-adequate nations, and that’s actually the nub of the issue here. Microsoft might seek to claim that their customers should have been able to join the dots, but they won’t find many DPOs and CTOs who’ll thank them for dropping that responsibility on their shoulders.”

Potential for compensation

Presented with the example of 857 people who were recently arrested in central London over their alleged support for Palestine Action, multiple sources told Computer Weekly that this potentially opens the door to people taking out legal action for compensation over their data being unlawfully sent overseas as a result of police forces deploying non-compliant hyperscale infrastructure.

“I’ve long warned policing about the real risks of compensation claims if data subjects feel their rights have been impacted,” said Sayers. “I wonder if all the people arrested by the Met for Palestinian support or in the subsequent protests realise they could make a claim for unlawful processing putting their interests at risk due to the international transfers of M365 and Azure data to the US and Israel, for example?”

Expanding on the point, McCluggage said it would be entirely possible for the US Department of Homeland Security or border authorities in Israel to deny people travel visas as a result of their personal data being processed in, or accessed from, those territories.

Highlighting the US Cloud Act – which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud – McCluggage further added that there is “friction” here with UK and European data protection rules, as it means the US government is capable of “forcing big tech to open their doors”.

The potential for data subjects to make compensation claims against policing organisations over their use of hyperscale cloud services was previously raised by Clement-Jones in a December 2024 Parliamentary debate on the UK government’s proposed data reforms (which have since become law).

Highlighting how cloud service providers routinely process data outside the UK, Clement-Jones said this non-compliance with Part Three creates significant financial exposure for the UK given the volume of data being processed: “If only a small percentage of cases result in claims, the compensation burden could reach hundreds of millions of pounds annually.”

Speaking with Computer Weekly about the potential for compensation claims against policing bodies using hyperscale cloud infrastructure, Adnan Malik, head of data protection at Barings Law, said that details recorded during arrests are some of the most sensitive information that can be collected about a person.

“If that information is being stored in countries with limited data protection laws or countries with complicated political situations, the risks multiply,” he said. “For example, the thought that data about campaigners could be stored in countries that may not support their cause is worrying.”

Malik added that the information uncovered not only raises technical compliance concerns, but also fundamental questions about legality, proportionality and trust: “People should not be left in the dark about where their data is being held or who has access to it. Transparency is the minimum standard we should expect, and without it, public confidence in both law enforcement and government data practices will be seriously undermined. As we saw with the Afghan data breach, secrecy only compounds the damage. Victims deserve openness and accountability, not silence.”

Lucie Audibert, a solicitor at AWO, also told Computer Weekly that if Police Scotland (or any other police force, for that matter) have deployed M365 in breach of their Part Three obligations around international data transfers, affected individuals may make a claim for compensation under section 169 of the DPA 2018.

However, while Audibert said there was scope for compensation claims, she was also clear that a definitive opinion cannot be formed without all of the relevant documentation.

“Such a claim would have to be made against the police force as controller of the data, although a claim against Microsoft would be possible if it can be shown that the company has failed to comply with its own processor obligations under the DPA 2018, or has acted contrary to the controller’s instructions,” she said.

“Compensation is available for non-financial damage such as distress. Recent case law has confirmed that this includes the mere fear of one’s data having been exposed to risk, and that there is no minimum threshold of seriousness – though this fear must arise from the unlawful processing and must be well-founded or objectively rational.

“On the facts here (limited to what the documentation discloses), it is not fanciful for someone to claim compensation for the fear or possibility that their data has been unlawfully transferred abroad, especially to countries that Police Scotland define as ‘hostile’ in the DPIA.”

Audibert added that whether such a claim succeeds will depend on individual facts of the case, including the nature of the data in question and the potential impact that the unlawful transfers may have on the data subject.

Computer Weekly contacted Police Scotland about the potential for data subjects to sue the force for compensation, but received no response on this point. The SPA previously confirmed to Computer Weekly that it does not currently use M365 in the cloud.

Microsoft was also asked about the potential for itself and its law enforcement customers to be sued, but similarly received no response on this point.

Grasping the nettle

Sayers added that the information now published by Microsoft specifically confirms exactly where they send data – “or from where they allow access to it, which is the same thing” – under the “follow the sun model” the tech giant has previously confirmed to Computer Weekly it operates under.

“This introduces a number of issues; not least that UK government contracts (such as G Cloud) specifically state that data must by default stay in the UK,” said Sayers, noting that while that framework does allow for the offshoring of data, controllers must lay out every location the data is transferred to; something that likely is not happening due to Microsoft’s customers not being in full possession of the facts.

“On the face of it, it is hard to see how M365 is adhering to that HMG mandate, and in fact they appear to be sending UK government data to a significant number of countries where there are data and security concerns, including China.

“The question is – did the UK government know this to be the case when they awarded contracts to Microsoft, but gave them some sort of waiver; or did they not know, and if so, what do they plan to do about this now?”

In a further warning about the implications of Microsoft’s global data processing operations, McCluggage said that, so far, policing and other public organisations have not been asking for key information about data flows because “nobody wants to open this Pandora’s Box. Nobody gets rewarded for taking a risk and asking these questions.”

Commenting on the data flows due diligence conducted so far by the SPA, McCluggage said: “They’ve understood the issues and they’re willing to grasp the nettle.”