Microsoft to give EU business customers greater control over data storage

Microsoft will allow its customers based in the European Union (EU) to store and process their data only within the confines of the EU, rather than routing this to other countries such as the United States.

The plan, dubbed EU Data Boundary for the Microsoft Cloud, will see EU-based public and private sector cloud customers given the option to choose to store and process their data in the EU alone.

Engineering work is now underway, with this commitment applying across the breadth of its cloud services, including Azure, Microsoft 365, and Dynamics 365. The plan is expected to be ready by the end of 2022.

“The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments,” said Microsoft president Brad Smith.

“We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.”

The data in question includes any personal data in diagnostics and service-generated data, as well as personal data that Microsoft uses to provide technical support. The company will also extend technical controls such as Lockbox and customer-managed encryption for data across its services.

Microsoft already provides customers with the choice to have some data stored in the EU, while many Azure cloud services can be configured to process data in the EU as well. The company, however, still needs to make some transfers to territories outside of the EU due to shortcomings in its data centre infrastructure.

The EU Data Boundary project aims to minimise these additional transfers, which involves Microsoft making “substantial and ongoing investments” in expanding its data centre infrastructure. Microsoft currently operates data centres in 13 European countries.

Data residency has been a growing worry for the EU in recent years, as well as privacy activists concerned that data processed in other territories might be accessed by the surveillance regimes in those countries.

Privacy Shield, for example, was invalidated in July 2020 after the European Court of Justice (ECJ) declared it was unable to protect EU residents' data from US surveillance mechanisms.

This mechanism was meant to guarantee that EU-based entities transferring data to the US were able to protect that data with EU-level data protection standards. The ECJ, however, ruled that Privacy Shield prioritised the interests of law enforcement and national security agencies.

By allowing EU customers to process all their data only within the EU, the jurisdiction of countries such as the US or others will be severely restricted, and the legal basis for requesting data will be limited.

In an FAQs post, Microsoft stressed that all government requests for data, from US authorities, for example, will be directed to customers, while the company will challenge every request where there’s a lawful basis to do so.

As for whether any personal data might be transferred outside the EU after 2022, Microsoft simply reiterated that it’s identified the technical and operational investments necessary to meet its commitment.

No exceptions to this were provided, although the company plans to consult with customers and regulators about its plans in the coming months.

Although the EU's GAIA-X unified cloud system hasn't yet been finalised, Microsoft also believes these plans are complementary to the initiative.