Re: Fine if you don't care about privacy
"I suggest you look up on Google how Microsoft DRM encryption works. The US can have all the laws they want to requiring access to data, but if I am a UK company, and keep my DRM infrastructure in the UK, then the USA can demand all they like, but they are not going to get access to my data, unless they fancy spending a few trillion compute hours trying every key combination...Microsoft would never have access in these circumstances."
Have you read 365's T & C's? Judging by your comment, you haven't. Neither did you read what I wrote, but I will repeat myself for clarity - "check M$'s T's & C's for Office 365 - there is a "We can look at your data/documents/contents anytime we want to" clause". I have had personal experience with this issue, through a customer questioning it (via their solicitors) with M$. Do you really have that much blind faith in M$ to trust them implicitly with your customers' data?
"You haven't allowed for the cost of the Exchange Server license, the storage, backups, infrastructure, the management of it...."
A lot of my customers already have Exchange, either via the full product or SBS - but admittedly I didn't make that point. To answer your point though, most customers will have a lot of infrastructure in place already - if it's working why fix it? It's just costing the customer more money to change. And, again, you are losing control of your data.....
"You just don't have a clue what you are talking about. It makes near zero difference where I store it if I control the encryption keys. If I was a UK company then the USA can't touch me. The only way anyone is getting that Data is via a UK RIPA order - which applies the same if the data is onsite or in a cloud in Timbuktu..."
Obviously I don't! I obviously haven't read the Patriot Act, which enables US Government agencies to walk into any datacentre and remove physical servers (so if your data is cohabiting on a server which has a "Person/Company of interest" to that agency, they will just take the whole server - including your data). So, using your analogy of you being a company in the UK and the USA can't touch you, they CAN touch your data! In fact, they can walk away with it at any time they want to! And IF the datacentre is in Timbuktu, the data [you have] stored on it will have to comply with the laws of both the UK and (in this case) Mali. An example of this is that you are not allowed to store images that are considered pornographic on a server in most Muslim countries. So, that topless picture of your other half could get your data seized. Encryption? Just ask Blackberry/Skype etc. about the trouble they have had in Saudi Arabia!
"Again - you just don't have a clue. You are not liable for anything for data access that was required by a law that you are subject to."
I suggest that you seek the advice of legal counsel. If the data is of a confidential nature - you (as the person creating that data) are liable for it - (at the risk of repeating myself) have a look at the Cloud provider's T's & C's. They are not liable and the contract you sign with them ensures that. In the example of 365, M$ SPECIFICALLY state they can examine your data at any time! And if the datacentre is in a different country, you are subject to the laws of BOTH places. Not all countries have identical laws, so your argument doesn't really stand up, does it? And before you start saying "use a datacentre in your country", just try getting a cloud provider to tell you exactly where your data IS being stored. Good luck with that one, by the way........ Remember, ignorance of the law is not a valid legal defence.
But it is interesting that you obviously place so much blind faith in cloud providers. Excuse me, but I don't trust anyone with my customer's sensitive data. The cloud (for sensitive data storage) means keeping the customers' data in a place you can't control that also happens to be a legal minefield. If you want to run the risk - that's your choice.