Microsoft has announced a new initiative called the EU Data Boundary for the Microsoft Cloud, through which it aims to enable EU customers to store all their data in the region by 2022. As the name suggests, the plan applies to all of the company's core cloud services, namely Microsoft 365, Dynamics 365, and Azure.
Microsoft states that this will bring greater peace of mind to customers who want data residency and localization commitments. It will continue working with these organizations as well as regulators to ensure that its engineering efforts to implement this change are completed by the end of 2022.
The Redmond tech firm says that most of its online services allow users to select the geographical locations for data storage, but in the coming months, it will be further enhancing them to reduce data transfer outside of the EU. However, customers will still have the ability to utilize enhancements to services that make use of resources that lie outside the EU.
Microsoft has emphasized that new EU customers do not need to wait to use its cloud services, because even without this initiative, its services already follow the guidelines enforced by the EU. With respect to European regulations, the company went on to say that:
Microsoft Online Services already enable customers to comply with the GDPR even without this additional commitment to store and process data within the EU boundary. We implemented supplementary measures after the Schrems II decision to further support compliance for data transfers, which we believe meet and go beyond what is required by the Schrems II decision. We are making these additional investments to process and store data in the European Union by the end of 2022. This demonstrates our continuing commitment to our customers in Europe and simplifies post-Schrems II compliance by minimizing data transfers outside of the EU boundary.
The EU Standard Contractual Clauses (SCCs) are used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the European Economic Area (EEA) will be transferred in compliance with EU data protection laws and meet the requirements of the EU Data Protection Directive 95/46/EC.
Microsoft will implement the European Commission's revised SCCs and continue to offer customers specific guarantees around transfers of personal data for in-scope Microsoft services. This ensures that Microsoft customers can freely move data through the Microsoft cloud from the EEA to the rest of the world. Customers with specific questions about the applicability of SCCs to their own deployments should consult their legal counsel.
The firm has clearly indicated that it will not give the US government, or any other government, access to European data, and will redirect all such requests to the customers. Where possible, it will take the matter to court and will notify the customer unless it is prohibited by law to do so. Similarly, if any customer data is disclosed in violation of GDPR, the company will financially compensate the affected customer.
Although Microsoft has assessed from its perspective the engineering and technical effort required to implement these changes, it says that it will continue consulting with customers and regulators about potential adjustments that may be needed in exceptional circumstances.