Microsoft To Allow Cloud Users To Store Personal Data In Europe

Microsoft has confirmed that it will allow cloud customers to store all their personal data within the European Union, in an effort to allay privacy concerns.

Microsoft confirmed the move in a blog post by Julie Brill, corporate VP & Chief Privacy Officer, in which she announced that Microsoft is updating the ‘EU Data Boundary for the Microsoft Cloud‘ as part of a phased rollout plan.

The tech giant had previously allowed the processing of some data in Europe, but is now also including the data automatically generated from using Microsoft services.

EU Data Boundary

It comes after European Union officials and American tech giants have been engaged in years of negotiations over the handling of European data.

European concerns centred over how the data of its citizens would be handled in the United States, which has less strict privacy legislation than the EU.

“Microsoft is empowering customers by bringing significant enhancements and new features to the EU Data Boundary for the Microsoft Cloud,” Microsoft’s Julie Brill wrote on Thursday. “With today’s update, Microsoft takes another decisive step in expanding its suite of trusted cloud services that respect European values and meet the specific requirements of our commercial and public sector customers in Europe.”

“To continue to offer our customers a spectrum of solutions that best meet their needs, we are proud to announce a significant step forward in delivering Microsoft’s EU Data Boundary for the Microsoft Cloud,” said Brill. “Last year, as the first step in our phased approach to the rollout of the EU Data Boundary, we delivered the ability to store and process customer data within the boundary for Microsoft 365, Azure, Power Platform, and Dynamics 365 services.”

“Today, building on that initial release, Microsoft further expands our local storage and processing to include all personal data, such as automated system logs, making Microsoft the first large-scale cloud provider to deliver this level of data residency to European customers,” said Brill.

Brill said that the enhancements for the EU Data Boundary for the Microsoft Cloud focus on three areas, firstly by delivering the EU data boundary graphic by expanding its European storage commitments to include all personal data within the boundary. This will include Azure, Microsoft 365, Power Platform, and Dynamics 365.

Second, Microsoft said its customers “need a clear and comprehensive view of the data handling, limited transfers, and data protection processes”, and therefore Microsoft is “providing new transparency resources, including documentation and other information, which customers can access on the EU Data Boundary Trust Center webpage.”

Thirdly, Microsoft has “made deep investments to deploy EU-based technology to further protect pseudonymised personal data in the boundary when it is accessed remotely for monitoring system health.”

Microsoft said this avoids the need for physical data transfers or storage outside the EU by deploying virtual desktop infrastructure in the EU Data Boundary for monitoring our systems.

In addition, Microsoft said it is maintaining its commitment to world-class cybersecurity, and alongside its continuous monitoring services, it will ensure that any data transfers outside the EU for security purposes will be documented, limited to what is required for crucial cybersecurity functions, and used only for these cybersecurity purposes.

2024 rollout

Going forward Microsoft said it launch the next phase of its EU Data Boundary for the Microsoft Cloud later this year, “by transforming the processing and storage capabilities for data required during technical support interactions.”

Microsoft is also developing a future paid support option that will provide initial technical response from within the EU.

“Our EU Data Boundary solution goes beyond European compliance requirements and reflects our commitment to provide trusted cloud services that are designed to take advantage of the full power of the public cloud while respecting European values and providing the most advanced sovereignty controls and features available in the industry today,” Brill concluded.

Other tech firms have been rolling out data storage and processing capabilities in the EU following privacy and security legislation.

Amazon Web Services for example said in October it would allow data storage on servers located in the EU, as part of its so called ‘AWS European Sovereign Cloud’.

Privacy concerns

The issue of transferring European user data to American servers has long been a bug bear for the European Commission and privacy campaigners.

Initially, the EU-US Safe Harbour deal which had been in place since 2000 governed data transfers to the US, but right from the start it proved controversial with ongoing concerns about US spying.

The European Court of Justice in 2015 suspended the original Safe Harbour agreement, in the wake of the Edward Snowden revelations about the scale of US and its NSA agency spying on friends and allies.

The Privacy Shield (or Safe Harbour 2.0) was then drafted, but the United States and the European Union were forced to change it after an initial agreement submitted in February 2016 was rejected by European Watchdogs for not being robust enough.

The two sides then agreed to stricter rules for American companies holding information on Europeans and clearer limits on US surveillance. And this reworked Privacy Shield agreement was then approved by EU member states and adopted in July 2016.

In July 2023 the he European Commission reached a new data transfer pact with the United States called the ‘Trans-Atlantic Data Privacy Framework’.

The EU said this agreement ensured an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework.