EU data boundary for Microsoft cloud solutions – This is the current status
Microsoft promises that the data of customers from the European Union will only be stored in data centers that are also located in the EU. Microsoft calls this promise the “EU Data Boundary for the Microsoft Cloud”. Despite all the efforts on Microsoft’s part to increase the security of the data, there are voices urging caution.
Commercial cloud services have priority
In order to use data centers in the EU, companies and organizations do not have to apply for anything, pay anything or adjust any settings. Microsoft intends to apply EU storage automatically for all customers from the EU. However, this change initially only applies to commercial services such as Microsoft Azure, Microsoft 365 and Dynamics 365. Consumer cloud services are not covered by this commitment. So if users in a company also use services such as Outlook.com for work, that data is not protected. The same applies to the consumer version of OneDrive. Those who rely on OneDrive for Business in Microsoft 365 are reasonably safe after the changeover.
However, Microsoft does not plan to complete the changeover until the end of 2022. Until then, it is not yet certain that data will remain exclusively in the EU. For services that offer a dedicated residency setting, EU-only storage is of course already ensured. Microsoft is very transparent about “Data residency in Azure“. A list of services and the regions in which they are available, which can be used to guarantee storage in the EU, can be found on the page “Products available by region“.
Microsoft wants to be a pioneer in climate protection and data privacy
From the end of 2022, Microsoft promises that all of its cloud services will be able to store data exclusively in the EU. In addition to Microsoft 365 and Azure, this also includes Dynamics 365. Many services in Azure are already able to do this. Microsoft plans to release more information on this at the “European Cloud Summit” at the end of November 2021. Microsoft’s EU Data Boundary is said to be part of the EU’s “A Europe fit for the digital age” strategy. In this context, data processing of cloud services for EU customers should largely take place in the EU and contribute to climate neutrality.
Azure and Microsoft 365 can already store data in the EU
Microsoft already complies with most of the EU regulations. Therefore, public authorities, and also companies that work with public authorities, are allowed to store their data in the Microsoft Cloud. For this purpose, the respective cloud services offer the corresponding options for storage on servers in the EU. In principle, almost all Azure services can be used in compliance with the General Data Protection Regulation (GDPR), at least to a large extent. Data protection advocates, however, are not yet fully convinced by the current regulations.
In parallel with the EU Data Boundary, Microsoft also plans to establish a “Privacy Engineering Center of Excellence” in Dublin, Ireland. This center is to support Microsoft customers in optimizing their data protection implementation. The focus is on using cloud services in a manner that meets data protection requirements.
Microsoft service providers must also comply with or exceed the GDPR
Some Microsoft online services share data with third parties that act as Microsoft service providers. The publicly available list of Microsoft Online Services Subprocessors names the companies that may process personal data. All service providers are contractually obligated to meet or exceed the obligations Microsoft has under its contracts with its customers.
As a general rule, Microsoft does not grant third parties direct, general, or unrestricted access to customer data. In addition, third parties also do not gain access to platform encryption keys used to secure data. More on these privacy policies at Microsoft can be found on the page “Who can access your data and on what terms“.
Anyone who wants to store personal data in the Microsoft cloud should address this issue. With encrypted data, U.S. authorities will not gain access even if Microsoft has to hand it over. Since Microsoft does not have access to the keys, the company cannot hand over readable data. However, in this case, companies must encrypt the data themselves and decrypt it for processing. This, of course, significantly increases the effort involved.
Data encryption in Azure also protects data from theft
In addition, data can be encrypted in many Azure services. Encrypted data is then generally safe from unauthorized access, even if it is not stored in the EU. If the data is also stored in the EU, organizations obtain maximum security with regard to data protection. From the end of 2022, it is additionally guaranteed that the data of resources that do not offer a direct residency setting will also be stored in the EU.
With the encryption technologies currently in use, subscribers manage the encryption keys themselves. This ensures that there is no possibility of Microsoft passing on the key. In parallel, Microsoft also guarantees the protection of customer data from government access. To this end, Microsoft intends to challenge any request by a government agency for personal data of an EU customer, whether from the public sector or a private enterprise. Data will only be released if the request cannot be legally challenged and the courts enforce the release.
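The two controls described above, EU-only storage location and customer-managed keys, can be checked against a resource inventory. The following Python script is an added example, not code from Microsoft or from this article: it audits a constructed inventory in the shape of `az resource list` output, and the EU region allowlist, the `keySource` check for storage accounts and the sample resources are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumption: Azure region names accepted for EU/EFTA residency (constructed allowlist).
EU_REGIONS = {
    "westeurope", "northeurope", "germanywestcentral", "germanynorth",
    "francecentral", "francesouth", "swedencentral", "norwayeast",
    "switzerlandnorth", "italynorth", "polandcentral",
}
# Storage accounts report this keySource when encryption uses a customer-managed key in Key Vault.
CMK_KEY_SOURCE = "Microsoft.Keyvault"


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str


def audit_residency(resources: Iterable[dict]) -> list:
    """Flag resources outside the EU allowlist and resources that rely on platform-managed keys."""
    findings = []
    for res in resources:
        # Normalize display names such as "West Europe" to the API form "westeurope".
        location = res.get("location", "").lower().replace(" ", "")
        if location not in EU_REGIONS:
            findings.append(Finding(res["name"], f"located outside EU allowlist: {location or 'unknown'}"))
        key_source = res.get("properties", {}).get("encryption", {}).get("keySource")
        if key_source != CMK_KEY_SOURCE:
            findings.append(Finding(res["name"], "platform-managed key: provider holds the encryption key"))
    return findings


# Constructed sample inventory in the shape of `az resource list` output; not real accounts.
SAMPLE_INVENTORY = [
    {"name": "sthrdata01", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"name": "stbackup02", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
    {"name": "stlogs03", "type": "Microsoft.Storage/storageAccounts", "location": "Germany West Central",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
]

if __name__ == "__main__":
    for finding in audit_residency(SAMPLE_INVENTORY):
        print(f"{finding.resource}: {finding.issue}")
```

Only the first sample account passes both checks; the script reports a non-EU location for the second and a platform-managed key for both the second and the third.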
That is also the current problem with this arrangement. US companies can be obliged to hand over data even if the data is not stored in the USA, and Microsoft will not be able to do much about that either. The U.S. CLOUD Act grants U.S. authorities comprehensive access to cloud data even if it is stored abroad, and the GDPR has no effect on this. Since Microsoft’s headquarters is in the state of Washington, the company is also subject to the CLOUD Act.
Only a legally binding agreement between the EU and the USA can solve this dilemma. Customers are to receive financial compensation if Microsoft has to disclose data in violation of the GDPR and this causes damage to users.
EU Data Boundary requires high investment
In order for Microsoft to be able to reasonably guarantee that all data from EU customers will remain in the EU, the corresponding data centers in the EU are of course also necessary. Microsoft is currently expanding its infrastructure here. Data centers are planned in various EU countries as well as in Norway and Switzerland: Germany, Austria, France, Denmark, Greece, Ireland, Italy, the Netherlands, Norway, Poland, Spain, Sweden and Switzerland. Many data centers are already completed, others are currently being completed. Microsoft also wants to offer customers from Norway and Switzerland the opportunity to store data in secure data centers in the EU.
Here’s how data privacy advocates view Microsoft’s EU Data Boundary
In general, data protection advocates are critical of Microsoft’s current approach. As long as there is no new, legally binding agreement between the EU and the USA, customers are largely unprotected, even if Microsoft denies this. Since the former “Safe Harbor” and “Privacy Shield” arrangements have no longer been valid since 2015 and 2020, respectively, because the ECJ overturned them, companies and organizations find themselves in legal uncertainty.
About FirstAttribute AG
FirstAttribute AG is an independent, German cloud service and software company with a focus on Identity & Access Management (IAM) for AD and M365.
Since its foundation in 2001, FirstAttribute has worked with many well-known medium-sized and large companies in Germany and internationally.
The topic of data security also has a high priority for our company. Our software development focuses on solutions that ensure the security of identity data through sophisticated authorization management.
Get in touch with us to learn how you can protect your user data with Identity & Authorization Management in the cloud.