Microsoft Cloud: Personal data can be kept within the European data border

[German]Microsoft has today announced an important expansion of its EU data boundary for the Microsoft Cloud. Customers will be able to store and process all personal data within the EU. This brings Microsoft closer to the goal it announced last year of ensuring local storage and processing of personal data for its cloud products within the EU.


Advertising

Microsoft has been working since last year to protect the personal data of European cloud users. Since January 1, 2023, Microsoft has been working on the gradual rollout of its "EU Data Boundary" solution. The aim: to keep the personal data of European entities in a virtual data room (EU Data Boundary). This includes hosting data for the entire Microsoft Cloud suite of online services, including Microsoft 365, Dynamics 365, Power Platform and Azure, on servers located in Europe. I reported on this in my German blog post  Microsoft rollt "EU Data Boundary" für die Europa-Cloud ab 2023 aus from 2023.

EU limit for data in the Microsoft Cloud

In today's announcement, Microsoft points out that it is now announcing an important extension to its EU data border for the Microsoft Cloud. This extension enables Microsoft Cloud customers to store and process all personal data within the EU.

Microsoft mentioned that in 2023, as a first step, the ability to store and process customer data for Microsoft 365, Azure, Power Platform and Dynamics 365 Services within the EU data border was already created. Building on this, local storage and processing will be extended to all personal data with immediate effect. This also applies, for example, to pseudonymized personal data contained in automated system logs.

According to Microsoft, this makes it the first major cloud provider to offer this type of data residency to European customers. Microsoft also offers new transparency resources that customers can view on the Trust Center website for the EU data border. Microsoft has published further details in the blog post Microsoft Cloud enables customers to keep all personal data within European Data Boundary.

More compliance as required?

According to Microsoft, the "EU Data Boundary" goes beyond European compliance requirements and demonstrates the company's commitment to providing trustworthy cloud services. These are designed to take full advantage of the public cloud while respecting European values and offering features to protect data sovereignty. It's the old credo: if you impose legal requirements on the manufacturer, it will move to avoid losing its customer base in the EU.


Advertising

US Cloud Act and US intelligence law

At the end of the day, we will have to wait and see how the lawyers see the whole thing under the US Cloud Act, which allows the US authorities to access data stored by US companies worldwide. Microsoft may be trying to pre-empt a decision by the European Court of Justice (ECJ) in the matter of the EU-U.S. Data Privacy Framework (DPF) data transfer agreement.

It is interesting that a blog reader noted in a German comment within my blog today: "Mike Kuketz published an article on his blog today (11.01.2024) that critically examines the access of US authorities to the data of European citizens." Kuketz goes into more detail in his German blog post Jenseits der Grenzen: Überblick über das US-Geheimdienstrecht. Kuketz addresses the sometimes excessive access to data or information by US authorities, which can even undermine the fundamental rights of European citizens. Kuketz's conclusion:

It's is wise, not to store any data in US clouds and to generally reduce dependency on US IT companies. Not to forget: Due to these powers of the US intelligence services and the legal situation, an adequate level of state data protection under the GDPR is fundamentally difficult or even impossible to implement.


Advertising

This entry was posted in Cloud and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).