[German]In a news post Microsoft introduces new commitments, intended to defend customers’ data. It’s because of European GDPR rules don’t allow a transfer of user data to countries not bound by the GDPR rules. Or in other words: It’s Microsoft attempt, to increase the protection of data transferred to the USA for its European customers. Microsoft promises to take legal action to defend itself against demands for disclosure by the US government or the US judiciary. A brief overview of what is at stake.
The Microsoft Cloud and data transfer to the USA
Microsoft Cloud customers often do not know where their data is really stored. They may remain on the Azure network, but the servers on which they are stored are not always known. Microsoft published this blog post (in German) in early November 2020 with some explanations on this topic. But customers often have to transfer data between different countries – and that’s where data from Microsoft 365 customers may end up in the USA.
There was previously a data protection agreement called “Privacy Shield”, which had been concluded between the USA and the EU to give legal approval for the data transfer. But this very agreement was canceled by the European Court of Justice in summer 2020 (see European Court cancels EU-US “Privacy Shield”). The transfer of user data to the USA is therefore no longer permitted.
Microsoft intents to increase the protection level
In thisnews post Microsoft announces that it is the first company to respond to the draft recommendation of the European Data Protection Committee with new commitments. The steps announced below, which go beyond the legal requirements and the recommendations of the European Data Protection Committee (in Microsoft’s view), are intended to increase the level of data protection. Here are the announced measures.
- Firstly, Microsoft commits that any request from a government agency – regardless of the government – for data from Microsoft enterprise customers or public sector customers will be challenged if there is a legal basis for doing so. This comprehensive commitment goes beyond the proposed recommendations of the European Data Protection Committee.
- Secondly, Microsoft intends to compensate users of its customers financially if Microsoft has to disclose their data as a result of a request from a governmental body in violation of the EU Data Protection Regulation (EU-DS BER). This obligation also goes beyond the recommendations of the European Data Protection Committee.
It is Microsoft’s way of showing its confidence that it can protect the data of its enterprise and public sector customers and that this data will not be exposed to inappropriate disclosure. In the announcement, Microsoft writes that no government agency will be granted direct, unrestricted access to its customers’ data. If a government requests customer information from Microsoft, it must follow applicable legal procedures. Microsoft will only comply with the demands if the company is clearly forced to do so. Microsoft’s first step is always to attempt to communicate or notify our customers of such requests. If Microsoft is convinced that these requests are not legal, they are routinely denied or challenged.
A short evaluation
For me, all this reads like a fig leaf ‘we want to do something, but others decide whether we may’. German IT magazine Golem asked Stefan Brink, the data protection commissioner of Baden-Württemberg about his thoughts. According to this German article, Brink believes that the legal questions regarding the Schrems II ruling (mentioned above as EuGH decision) have been satisfactorily clarified. However, technical questions remain open (the data transfer is still taking place). Brink tells Golem that Microsoft’s proposals will be evaluated in the federal and state data protection conference. There the data protectionist expects a controversial discussion, because the greed of the US secret services and the US administration is unchecked.
The State Commissioner for Data Protection of Baden-Württemberg, Stefan Brink, has issued a press release on the subject entitled #DSGVOwirkt: Microsoft passt sich europäischem Datenschutz an. Overall: All in all, Microsoft’s announcement is nothing but a placebo. The data is not effectively protected against access by the US administration. And European users have no effective ways of filing a complaint in the USA – if the US administration wants access to the data, it gets access. This was exactly the reason for the ECJ’s ruling, which declared the Privacy Shield Agreement invalid.