Microsoft president Brad Smith has announced a new pledge for EU commercial customers, allowing them to store and process most of their data within the EU by the end of 2022.
With the transatlantic Privacy Shield data transfer framework in tatters, Microsoft is trying a new approach with a promise that European government and commercial customers can keep all their data in Microsoft’s core cloud services in data centers located within the EU.
“If you are a commercial or public sector customer in the EU, we will go beyond our existing data storage commitments and enable you to process and store all your data in the EU,” said Smith in a blogpost today.
“In other words, we will not need to move your data outside the EU,” he added.
Microsoft and other cloud providers have relied on Standard Contractual Clauses (SCCs) and Privacy Shield for EU-US data transfers. However, the Court of Justice of the European Union ruled Privacy Shield invalid in July. The court still allowed cloud giants like Google and Amazon Web Services to use SCCs as a legal mechanism for data transfers, albeit with adjustments to the clauses.
A concern is that the US government can access data of EU residents for national security reasons, which would conflict with the EU’s General Data Protection Regulation (GDPR). Data transfers to the US, and US law itself, conflict with GDPR, which requires data controllers to properly secure customer information.
Privacy Shield was the successor to the EU-US Safe Harbor principle, which was struck down in 2015 after Austrian lawyer and activist, Max Schrems, challenged the agreement’s legality on the basis of Edward Snowden’s leaks about NSA mass surveillance under US national security laws.
Microsoft’s Smith said the new EU-only data pledge applies to Azure, Microsoft 365, and Dynamics 365. Work on redesigning its cloud will be complete by the end of 2022.
“We are beginning work immediately on this added step, and we will complete by the end of next year the implementation of all engineering work needed to execute on it,” said Smith.
Microsoft is calling this plan the “EU Data Boundary for the Microsoft Cloud”.
Smith said Microsoft will consult with EU customers and regulators about the boundary plan in coming months, including “adjustments that are needed in unique circumstances like cybersecurity.”
Many of Microsoft’s cybersecurity products, such as Microsoft Defender for Endpoint and its SIEM solution Sentinel, are run from Azure. Sentinel is available in Germany exclusively with a “sovereign” option.
The EU-only approach is still optional, however. Smith said work had begun at Microsoft to ensure core cloud services “store and process in the EU all personal data of our EU commercial and public sector customers, if they so choose.”
“This plan includes any personal data in diagnostic data and service-generated data, and personal data we use to provide technical support. We will also extend technical controls such as Lockbox and customer-managed encryption for customer data across Microsoft core cloud services. We will build these EU Data Boundary Solutions into our core cloud services to enhance our current offerings for customers,” explained Smith.
Microsoft will host an EU Cloud Customer Summit this fall where it will share more details about this work, according to Smith.
Microsoft has posted a detailed Q&A about the coming changes that leaves many questions unanswered but clarifies that the plan involves “minimizing” EU data transfers rather than eliminating them.
“Through our new EU Data Boundary program announced on May 6th, by the end of 2022, we will be taking additional steps to minimize transfers of both Customer Data and Personal Data outside of the EU,” Microsoft states in the Q&A.
Microsoft hasn’t said whether the changes will result in a price increase for EU customers beyond saying there “may be optional choices in the future, as is already the case with M365 MultiGeo”.
“Microsoft will implement the European Commission’s revised SCCs and continue to offer customers specific guarantees around transfers of personal data for in-scope Microsoft services. This ensures that Microsoft customers can freely move data through the Microsoft cloud from the EEA to the rest of the world. Customers with specific questions about the applicability of SCCs to their own deployments should consult their legal counsel,” Microsoft says.