On May 6, 2021, we announced a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data residency commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU. This commitment will apply across all of Microsoft’s main cloud services—Azure, Microsoft 365, and Dynamics 365. We are beginning work immediately on this added step, and we will complete by the end of next year the implementation of all engineering work needed to execute on it. We’re calling this plan the EU Data Boundary for the Microsoft Cloud.
The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers who want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months and move forward in a way that is responsive to their feedback.
What exactly will change in 2022 from today?
A: Many of our Online Services already offer customers data storage for Customer Data within customer-selected geographies, with many of Azure services offering the ability to choose to process and store Customer Data in customer-selected geographies. Through our new EU Data Boundary program announced on May 6th, by the end of 2022, we will be taking additional steps to minimize transfers of both Customer Data and Personal Data outside of the EU. We believe our new initiative will meet regulatory requirements and address the needs of our European customers who are looking for even greater data localization commitments.
We’ve identified the technical and operational investments necessary to meet this goal, and we believe we can accomplish it. In the coming months we’ll be discussing our plans with both customers and regulators, and we will be responsive to their feedback. See: Microsoft Privacy - Where your data is Located
Will this result in a loss of functionality within the EU Data Boundary?
A: The EU Data Boundary is a further development of our existing commercial services that we already offer within the EU and as such, will not require migration. Functionality and continued innovation will apply to the services within the new EU Data Boundary. Customers will still have the option to choose enhancements to services that leverage resources outside the EU boundary.
Will you raise prices as a result of this work?
A: There is no extra charge or price increase as a result of the work we are doing on the EU Data Boundary.
Do I need to wait until 2022 to migrate to the cloud?
A: No. Customers considering migrating on-premises workloads to the Microsoft cloud today can be assured that they can use Microsoft services in compliance with European laws. Microsoft cloud services already comply with or exceed European guidelines even without the plan we are announcing today. These new steps build on our already strong portfolio of solutions and commitments that protect our customers’ data, and new customers will automatically gain the benefits of the engineering changes we are making.
Will this solve all privacy and lawful access issues raised by the Schrems II case? Will U.S. law enforcement still get access to customer data?
A: Our approach to ensuring we comply with and exceed the requirements in the Schrems II decision remains unchanged. Our customers can continue to transfer data between the EU and U.S. consistent with the decision, and we’ve gone beyond EDPB guidelines by publicly committing to challenge every government request for public sector or enterprise customers data from any government where we have a legal basis for doing so. Our customers are separately telling us that data residency is important to them, and we hope this additional step will help. We also believe that data residency may bolster our ability to make legal challenges to some non-EU government demands for access to data. At the same time, it’s important to note that any technology provider with sufficient presence in the U.S. – even if it’s based in Europe – is subject to U.S. legal process.
Will EU Standard Contractual Clauses still be required or even applicable after 2022?
A: The EU Standard Contractual Clauses (SCCs) are used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the European Economic Area (EEA) will be transferred in compliance with EU data protection laws and meet the requirements of the EU Data Protection Directive 95/46/EC.
Microsoft will implement the European Commission’s revised SCCs and continue to offer customers specific guarantees around transfers of personal data for in-scope Microsoft services. This ensures that Microsoft customers can freely move data through the Microsoft cloud from the EEA to the rest of the world. Customers with specific questions about the applicability of SCCs to their own deployments should consult their legal counsel.
How will the US and other government requests be treated under the new EU Data Boundary?
A: Through clearly defined and well-established response policies and processes, strong contractual commitments, and if need be, the courts, Microsoft defends your data. We believe that all government requests for your data should be directed to you. We do not give any government direct or unfettered access to customer data. If Microsoft receives a demand for a customer’s data, we will direct the requesting party to seek the data directly from the customer. If compelled to disclose or give access to any customer’s data, Microsoft will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so. We will challenge every government request for an EU public sector or commercial customer’s personal data—from any government—where there is a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the GDPR that causes harm.
Will any personal data be transferred outside the EU after 2022? Can you provide a list of exceptions?
A: We’ve identified the technical and operational investments necessary to meet this goal, and we believe we can accomplish it. We will continue to consult with customers and regulators about our plans in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.
Will the EU Data Boundary be consistent with GAIA-X?
A: While GAIA-X has not yet finalized its requirements, we believe the EU Data Boundary for the Microsoft Cloud will provide the technical and business basis to support our ongoing commitment to the GAIA-X initiative.