IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft to give EU business customers greater control over data storage

Engineering work is underway to make sure that by 2022, no data is routed outside of the EU

Microsoft will allow its customers based in the European Union (EU) to store and process their data only within the confines of the EU, rather than routing this to other countries such as the United States.

The plan, dubbed EU Data Boundary for the Microsoft Cloud, will see EU-based public and private sector cloud customers given the option to choose to store and process their data in the EU alone.

Engineering work is now underway, with this commitment applying across the breadth of its cloud services, including Azure, Microsoft 365, and Dynamics 365. The plan is expected to be ready by the end of 2022.

“The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments,” said Microsoft president Brad Smith.

“We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.”

The data in question includes any personal data in diagnostics and service-generated data, as well as personal data that Microsoft uses to provide technical support. The company will also extend technical controls such as Lockbox and customer-managed encryption for data across its services.

Microsoft already provides customers with the choice to have some data stored in the EU, while many Azure cloud services can be configured to process data in the EU as well. The company, however, still needs to make some transfers to territories outside of the EU due to shortcomings in its data centre infrastructure.

The EU Data Boundary project aims to minimise these additional transfers, which involves Microsoft making “substantial and ongoing investments” in expanding its data centre infrastructure. Microsoft currently operates data centres in 13 European countries.

Data residency has been a growing worry for the EU in recent years, as well as privacy activists concerned that data processed in other territories might be accessed by the surveillance regimes in those countries.

Privacy Shield, for example, was invalidated in July 2020 after the European Court of Justice (ECJ) declared it was unable to protect EU residents' data from US surveillance mechanisms.

Related Resource

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

cost of a data breach report 2020 - whitepaper from IBMDownload now

This mechanism was meant to guarantee that EU-based entities transferring data to the US were able to protect that data with EU-level data protection standards. The ECJ, however, ruled that Privacy Shield prioritised the interests of law enforcement and national security agencies.

By allowing EU customers to process all their data only within the EU, the jurisdiction of countries such as the US or others will be severely restricted, and the legal basis for requesting data will be limited.

In an FAQs post, Microsoft stressed that all government requests for data, from US authorities, for example, will be directed to customers, while the company will challenge every request where there’s a lawful basis to do so.

As for whether any personal data might be transferred outside the EU after 2022, Microsoft simply reiterated that it’s identified the technical and operational investments necessary to meet its commitment.

No exceptions to this were provided, although the company plans to consult with customers and regulators about its plans in the coming months.

Although the EU's GAIA-X unified cloud system hasn't yet been finalised, Microsoft also believes these plans are complementary to the initiative.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022