Microsoft: Data of European companies/authorities remain in Europe

Microsoft is responding to the fact that there is no legal basis for data exchange between European customers and the US. Microsoft therefore plans to adapt its products so that, at some point in the future, the data of European companies and government agencies will be hosted only on servers located in the EU.

The announcement can be found in this Microsoft blog post dated May 6, 2021. Microsoft has announced a new promise for the European Union. For commercial or public customers in the EU, Redmond wants to go beyond already existing data retention commitments. Microsoft wants to allow this customer base to process and store all of their data in the EU. This will eliminate the need to transfer data to servers outside the EU. This commitment will apply to all of Microsoft's central cloud services – Azure, Microsoft 365 and Dynamics 365.

It takes time

Microsoft plans to start working on this additional step immediately, and plans to complete all the technical work needed to implement it by the end of next year. Microsoft calls this plan EU Data Boundary for the Microsoft Cloud.

Microsoft's cloud services already meet or exceed the EU directives ahead of the above announcement, the company said. Microsoft already offers commercial and public sector customers the ability to store data in the EU. Many Azure cloud services can already be configured to process data in the EU as well.

In addition, Microsoft says it uses best-in-class encryption and robust lockbox solutions that meet current regulatory requirements. Many Microsoft services put control over the encryption of customer data in the hands of customers by having the keys managed by the customer. This, Microsoft claims, protects its customers' data from unlawful access by any government in the world.

Microsoft has already begun development to enable core cloud services to store and process all of its commercial and public sector customers' personal data in the EU, once the customer chooses to do so. This plan includes all personal data in diagnostic data and service-generated data, as well as personal data that Microsoft uses to provide technical support. Microsoft also wants to extend technical controls such as lockbox and customer-managed encryption for customer data to Microsoft's core cloud services.

Microsoft plans to build these EU Data Boundary solutions into its core cloud services to enhance its current offerings for customers. An EU Cloud Customer Summit is planned for the fall to report more on this work.

Some Background

Microsoft is simply running into trouble in Europe with regard to data protection (GDPR). The Safe Harbor agreement with the U.S. was declared invalid by the European Court of Justice (ECJ) (see Safe Harbor: EuGH erklärt Abkommen für ungültig). Data exchange with the USA under the name Privacy Shield is also legally explosive, as this agreement was likewise overturned by the ECJ (see European Court cancels EU-US "Privacy Shield").

What must also be emphasized quite clearly at this point: the data of private users is excluded from the whole action; their data remains unprotected and migrates to servers in the US. It is also unclear to me how the problem is to be solved that Microsoft is subject to US jurisdiction, i.e. it has to hand over data from its servers, regardless of where in the world it is stored. Moreover, it will take a lot of time to implement all of this. After all, the pressure from people who don't go with the flow and who push back has probably had an effect on the manufacturer.
