Microsoft to give EU business customers greater control over data storage

Engineering work is underway to make sure that by 2022, no data is routed outside of the EU

Microsoft will allow its customers based in the European Union (EU) to store and process their data only within the confines of the EU, rather than routing this to other countries such as the United States.

The plan, dubbed EU Data Boundary for the Microsoft Cloud, will see EU-based public and private sector cloud customers given the option to choose to store and process their data in the EU alone.

Engineering work is now underway, with this commitment applying across the breadth of its cloud services, including Azure, Microsoft 365, and Dynamics 365. The plan is expected to be ready by the end of 2022.

“The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments,” said Microsoft president Brad Smith.

“We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.”

The data in question includes any personal data in diagnostics and service-generated data, as well as personal data that Microsoft uses to provide technical support. The company will also extend technical controls such as Lockbox and customer-managed encryption for data across its services.

Microsoft already provides customers with the choice to have some data stored in the EU, while many Azure cloud services can be configured to process data in the EU as well. The company, however, still needs to make some transfers to territories outside of the EU due to shortcomings in its data centre infrastructure.

The EU Data Boundary project aims to minimise these additional transfers, which involves Microsoft making “substantial and ongoing investments” in expanding its data centre infrastructure. Microsoft currently operates data centres in 13 European countries.

Data residency has been a growing worry for the EU in recent years, as well as privacy activists concerned that data processed in other territories might be accessed by the surveillance regimes in those countries.

Privacy Shield, for example, was invalidated in July 2020 after the European Court of Justice (ECJ) declared it was unable to protect EU residents' data from US surveillance mechanisms.

Related Resource

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

cost of a data breach report 2020 - whitepaper from IBMDownload now

This mechanism was meant to guarantee that EU-based entities transferring data to the US were able to protect that data with EU-level data protection standards. The ECJ, however, ruled that Privacy Shield prioritised the interests of law enforcement and national security agencies.

By allowing EU customers to process all their data only within the EU, the jurisdiction of countries such as the US or others will be severely restricted, and the legal basis for requesting data will be limited.

In an FAQs post, Microsoft stressed that all government requests for data, from US authorities, for example, will be directed to customers, while the company will challenge every request where there’s a lawful basis to do so.

As for whether any personal data might be transferred outside the EU after 2022, Microsoft simply reiterated that it’s identified the technical and operational investments necessary to meet its commitment.

No exceptions to this were provided, although the company plans to consult with customers and regulators about its plans in the coming months.

Although the EU's GAIA-X unified cloud system hasn't yet been finalised, Microsoft also believes these plans are complementary to the initiative.

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021