Today we announce a new pledge for the European Union. If you are a commercial or public customer in the EU, we go beyond our existing data retention obligations and enable you to process and store all of your data in the EU. In other words, we don’t have to move your data outside of the EU. This commitment applies to all of Microsoft’s core cloud services – Azure, Microsoft 365 and Dynamics 365. We are starting work on this additional step immediately and will complete the implementation of all engineering work required to run it by the end of next year. We call this plan the EU data boundary for Microsoft Cloud.
The new step we’re taking builds on our already strong portfolio of solutions and commitments protecting our customers’ data, and we hope it will Today’s update is another step in responding to customers who want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months, including adjustments required in special circumstances such as cybersecurity, and we will move forward in a way that responds to their feedback.
Microsoft Cloud -Services meet or exceed EU directives ahead of the plan announced today. We already offer commercial and public sector customers the ability to store data in the EU, and many Azure cloud services can already be configured to process data in the EU as well. In addition, we use first-class encryption and robust lockbox solutions that comply with current legal requirements. For many of our services, control over the encryption of customer data is in the hands of the customer through the use of customer-managed keys. We protect our customers’ data from unauthorized access by any government in the world.
We have already started the technical work so that our central cloud services will provide all personal data of our customers from the commercial and public sectors of the EU in the Save and process EU if you wish. This plan includes all personal data in diagnostic data and data generated by the service, as well as personal data that we use to provide technical support. We will also extend technical controls such as lockbox and customer-managed encryption for customer data to Microsoft core cloud services. We will integrate these EU data boundary solutions into our central cloud services in order to improve our current offer for customers. We will hold an EU Cloud Customer Summit this autumn, where we will report more about this work.
Today’s update is part of our commitment to the EU’s vision for a “Europe fit for the digital age” and a recognition the role that the technology sector must play to help Europe achieve its digital goals. In addition to processing the personal data of our commercial and public sector customers in Europe, we are creating a Privacy Engineering Center of Excellence in Dublin to help our European customers choose the right solutions for building robust data protection into their cloud workloads meet regulatory requirements. We are determined to help build “Tech Fit 4 Europe”.
Our EU data border for the Microsoft Cloud is supported by our substantial and ongoing investments in an expansive European data center infrastructure. We opened our first data center in Europe in 2009. Our EU data border for the Microsoft Cloud will use data centers that we have announced or currently operate in 13 countries: Austria, Denmark, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, Spain, Sweden and Switzerland. These data centers offer cloud services with which our European customers can realize their ambitions to achieve digital transformation and increase their competitiveness. In doing so, they can ensure that they can comply with all applicable laws and regulations. In addition to customers in EU member states, customers in Norway and Switzerland also have access to the EU data border.
Microsoft has long demonstrated our commitment to meet and exceed the requirements of EU data protection laws. For example, we were the first major tech company to reaffirm GDPR compliance and extend GDPR core rights and protections to our consumer customers worldwide – not just those in the EU. In addition, following the draft recommendation of the European Data Protection Board (EDPB) on measures that companies should implement as a result of the Schrems II decision, we announced our initiative to defend your data, which goes beyond the EDPB recommendations. We will contest any government request for personal information from an EU public sector or commercial customer – from any government – if there is a lawful basis to do so. And we will provide financial compensation to our customers’ users if we disclose data that violates the GDPR and causes damage.
Microsoft will continue to do everything in its power to encourage leaders on both sides of the Atlantic and beyond to Quickly address issues with legitimate access. We are encouraged by the ongoing discussions between the European Commission and the United States government to create a new framework for the personal data of Europeans transferred to the United States. We are optimistic that there will be a solution in the near future.
Brad Smith is Microsoft President and Chief Legal Officer. Smith plays a key role in representing the company externally and guiding the company’s work on a number of critical issues including privacy, security, accessibility, environmental sustainability and digital inclusion.
November 18, 2019 |
August 26, 2019 |
July 16, 2020 |
July 8, 2020 |
Microsoft corporate blogs