Microsoft to give EU business customers greater control over data storage

Engineering work is underway to make sure that by 2022, no data is routed outside of the EU

Microsoft will allow its customers based in the European Union (EU) to store and process their data only within the confines of the EU, rather than routing this to other countries such as the United States.

The plan, dubbed EU Data Boundary for the Microsoft Cloud, will see EU-based public and private sector cloud customers given the option to choose to store and process their data in the EU alone.

Engineering work is now underway, with this commitment applying across the breadth of its cloud services, including Azure, Microsoft 365, and Dynamics 365. The plan is expected to be ready by the end of 2022.

“The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments,” said Microsoft president Brad Smith.

“We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.”

The data in question includes any personal data in diagnostics and service-generated data, as well as personal data that Microsoft uses to provide technical support. The company will also extend technical controls such as Lockbox and customer-managed encryption for data across its services.

Microsoft already provides customers with the choice to have some data stored in the EU, while many Azure cloud services can be configured to process data in the EU as well. The company, however, still needs to make some transfers to territories outside of the EU due to shortcomings in its data centre infrastructure.

The EU Data Boundary project aims to minimise these additional transfers, which involves Microsoft making “substantial and ongoing investments” in expanding its data centre infrastructure. Microsoft currently operates data centres in 13 European countries.

Data residency has been a growing worry for the EU in recent years, as well as privacy activists concerned that data processed in other territories might be accessed by the surveillance regimes in those countries.

Privacy Shield, for example, was invalidated in July 2020 after the European Court of Justice (ECJ) declared it was unable to protect EU residents' data from US surveillance mechanisms.

Related Resource

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

cost of a data breach report 2020 - whitepaper from IBMDownload now

This mechanism was meant to guarantee that EU-based entities transferring data to the US were able to protect that data with EU-level data protection standards. The ECJ, however, ruled that Privacy Shield prioritised the interests of law enforcement and national security agencies.

By allowing EU customers to process all their data only within the EU, the jurisdiction of countries such as the US or others will be severely restricted, and the legal basis for requesting data will be limited.

In an FAQs post, Microsoft stressed that all government requests for data, from US authorities, for example, will be directed to customers, while the company will challenge every request where there’s a lawful basis to do so.

As for whether any personal data might be transferred outside the EU after 2022, Microsoft simply reiterated that it’s identified the technical and operational investments necessary to meet its commitment.

No exceptions to this were provided, although the company plans to consult with customers and regulators about its plans in the coming months.

Although the EU's GAIA-X unified cloud system hasn't yet been finalised, Microsoft also believes these plans are complementary to the initiative.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Apple patches zero-day flaw abused by infamous NSO exploit
exploits

Apple patches zero-day flaw abused by infamous NSO exploit

14 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021