The European Union’s (EU) General Data Protection Regulation (GDPR) sets out requirements for transferring personal data outside the European Economic Area. These requirements not only restrict the use and transfer of personal data, but also ensure that personal data is adequately protected with enforceable rights and effective judicial remedies. In 2020, the EU invalidated the EU-US Privacy Shield, a framework that many US companies relied on when transferring data. However, large tech companies, including Microsoft, have ensured compliance with the GDPR’s transfer requirements through the use of standard contractual clauses (SCCs). These SCCs are “pre-approved” by the European Commission to ensure that adequate protections and safeguards are in place for data transfers.
On May 6, 2021, Microsoft announced they were expanding its existing commitments to data privacy in the EU through a plan called the EU Data Boundary for the Microsoft Cloud (EU Data Boundary Plan). This pledge grows Microsoft’s data processing and storing capabilities in the EU by removing the need to move customer data outside the EU. Full implementation of this plan is set for the end of next year.
Through the EU Data Boundary Plan, Microsoft’s EU commercial and public sector customers can choose to have all its personal data stored and processed in the EU exclusively. This includes any personal data in diagnostic and service-generated data, and personal data that Microsoft uses to provide technical support. In addition, they plan to expand technical controls, including customer-managed encryption and Lockbox services, for customer data. The plan extends to all Microsoft core cloud services: Azure, Dynamics 365, and Microsoft 365. Microsoft is also creating a Privacy Engineering Center of Excellence in Dublin, Ireland, to ensure its European customers meet regulatory requirements and take protective measures for its cloud workloads.
Microsoft also announced that the plan will be available to non-EU member states, Norway and Switzerland. Currently, Microsoft is either operating or planning to operate data centers that power cloud services in: Austria, Denmark, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, Spain, Sweden, and Switzerland. These data centers will be used to carry out the EU Data Boundary plan by ensuring Microsoft customers comply with pertinent data protection laws and regulations.
However, it is not clear whether Microsoft employees outside the EU will have access to these data centers and if they can view EU customer data. Such a situation may occur if Microsoft support is located in a country outside the EU. This can be especially important because the European Data Protection Board recently gave guidance that remote access from a country outside the EU is considered to be a transfer. If this occurs, and it is considered a transfer, Microsoft would still be conducting cross border transfers and would need to have Binding Corporate Rules (as defined in the GDPR) in place for intra-organizational transfers.
Microsoft’s pledge to provide customers the option to store and process its data within the EU reaffirms the tech giant’s commitment to protecting personal data. This move by Microsoft may influence other businesses, big and small, to seek to keep EU customers’ personal data within the EU to avoid the burden that comes with cross border transfers and to further commit to GDPR principles.
As always, we will continue to monitor developments in the EU as regulators and companies continue to adjust to the GDPR’s scope and requirements. What companies should take away from this development and discussion is that they should continue (or start) to think strategically about what personal data they control and where that data is being processed. Furthermore, while vetting and evaluating third-party processors is always essential to good data governance and risk management, that assessment should include the technical capabilities involved and how/if they meet applicable regulatory requirements. As other countries adopt GDPR approaches to data protection (see also: Brazil and China), now is not the time to stick your head in the sand and think such requirements will not reach your business. Taft’s Privacy and Data Security Practice stands ready to assist your business as you evaluate business compliance requirements and strategic opportunities, and striking the right risk balance with both.
Taft Summer Associate Salha El-Shwehdi also contributed to research and writing of this article.