contextfree wrote

At some point there are going to need to be verifiable, transparent, secure, auditable etc. standards for exactly how data gets used after it goes to someone's servers, not just a vague privacy policy.

If Microsoft is following any of the industry or government standards for dealing with private data, they will already have something like this.

They'll certainly have something like that for PII like emails, Azure, SkyDrive and Microsoft accounts, and will have at least PCI for credit card / bank account details.

Generally speaking the companies to worry about are not the big ones (when was the last time Microsoft or Google lost your data?). It's the ones that are big enough to have lots of customers and small enough to have not invested at all in security.