Technology company Microsoft has routinely shared the financial details of Indian bank customers with intelligence agencies in the United States, DNA reported on Tuesday. According to the newspaper, the Reserve Bank of India flagged its concerns on the matter in a risk assessment report it has placed before banks’ audit committees.

The central bank found that the data of customers who have accounts with banks using Microsoft’s Office 365 cloud-based email service could have been shared with the intelligence agencies. The RBI said Microsoft agreed to disclose information on 3,036 occasions between 2014 and 2016 in response to more than 4,000 government requests or legal demand requests for data of Indian customers in the US.

“All the mailboxes had been migrated to Office 365 Microsoft cloud environment,” the RBI noted in one case. “It was gathered from the Microsoft transparency hub that Microsoft is bound to share customers’ data under US Foreign Intelligence Surveillance Act and US national security letters as and when required by the US authorities.”

A commercial bank responded to the central bank’s observation, saying that according to their deal with Microsoft, the technology company can only share customers’ data if the government of India or an Indian court issue an order. But when it comes to the United States, “the US government issues gag orders for the same with prior intimation to us”, the bank said. “We have incorporated appropriate provision to that effect in the legal agreement.”

The State Bank of India, which responded to the newspaper’s request for comment, said that according to Microsoft, it had received “zero demands from the US law enforcement for commercial enterprise content located outside the United States” in 2016 and 2017. The Bank of Baroda said protecting the interests of its customers was of paramount importance. “The bank’s ‘systems and operations’ are robust – we stand committed to protecting our customers’ interests, and we have all the necessary systems in place to ensure the same,” it told DNA.

Microsoft did not respond to the specific queries of the newspaper but defended its privacy policy.

“No government has direct access to any of our users’ data,” said an unidentified company spokesperson. “Data privacy is a top priority for us. We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers that we have reviewed and consider legally appropriate and consistent with the rule of law and our Microsoft principles.”

The company said that in the majority of cases, it redirects “governments to seek data directly from commercial customers or to allow us to tell our commercial customers when the government seeks their data”.

Update:

In a letter to Scroll.in, Microsoft said this story “is extremely misleading, factually erroneous”.

The company denied allegations that it “provides the US government – or any government – with unfettered access to data or provides any customer data in contravention of our public statements and clearly articulated principles and contractual obligations”. It said the numbers mentioned in the RBI’s risk report, as reported by DNA, “do not match any data available to Microsoft and remain unverified”.