Engineering work is underway to make sure that by 2022, no data is routed outside of the EU
Microsoft will allow European Union (EU)-based customers to store and process their data only within EU borders, rather than transferring it to other countries such as the United States.
The plan, dubbed the EU Data Boundary for Microsoft Cloud, will give EU-based cloud and private sector customers the option to store and process their data in the EU only.
Engineering work is now underway, with this commitment being applied to a wide range of cloud services, including Azure, Microsoft 365, and Dynamics 365. The plan is expected to be ready by the end of 2022.
“The new step we’re taking builds on our strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward meeting the customers who want much more data residency agreements,” said Microsoft president Brad Smith.
“We will continue to consult with customers and regulators about this plan in the coming months, along with adjustments needed in unique circumstances such as cybersecurity, and we will move forward in a way that responds to their feedback.”
The data in question includes any personal data in diagnostic data and service-generated data, as well as personal data used by Microsoft to provide technical support. The company will also expand technical controls such as Lockbox and customer-managed encryption for data on its services.
Microsoft is already giving customers the option to have some data stored in the EU, while many Azure cloud services can be configured to process data in the EU as well. However, the company still has to make some transfers to territories outside the EU due to data center infrastructure shortcomings.
The EU Data Boundary project aims to minimize these remaining transfers, which involves Microsoft making “substantial and ongoing investments” in expanding its data center infrastructure. Microsoft currently operates data centers in 13 European countries.
Data residency has become a growing concern in recent years for the EU, as well as for privacy activists who worry that data processed in other territories could be accessed by surveillance regimes in those countries.
The Privacy Shield, for example, was invalidated in July 2020 after the European Court of Justice (ECJ) declared that it could not protect the data of EU residents from US surveillance mechanisms.
This mechanism was meant to guarantee that EU-based entities transferring data to the US could protect that data to EU-level data protection standards. However, the ECJ decided that the Privacy Shield gave priority to the interests of law enforcement and national security agencies.
By allowing EU customers to process all their data only within the EU, the jurisdiction of countries such as the US will be tightly restricted, and the legal basis for requesting data will be limited.
In a FAQ post, Microsoft emphasized that all government requests for data, for example, from U.S. authorities, will be directed to customers, while the company challenges every request where there is a legal basis to do so.
Regarding whether any personal data could be transferred outside the EU after 2022, Microsoft reiterated that it has identified the technical and operational investments required to meet its commitment.
No exceptions have been provided, though the company plans to consult with customers and regulators about its plans in the coming months.
Although the EU’s GAIA-X unified cloud system is not yet complete, Microsoft also believes that these plans are complementary to the initiative.