On May 6, 2021, we announced a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data residency commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU. This commitment will apply across all of Microsoft’s main cloud services—Azure, Microsoft 365, and Dynamics 365. We are beginning work immediately on this added step, and we will complete by the end of next year the implementation of all engineering work needed to execute on it. We’re calling this plan the EU Data Boundary for the Microsoft Cloud.

The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers who want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months and move forward in a way that is responsive to their feedback.


What exactly will change in 2022 from today?
A: Many of our Online Services already offer customers data storage for Customer Data within customer-selected geographies, with many of Azure services offering the ability to choose to process and store Customer Data in customer-selected geographies. Through our new EU Data Boundary program announced on May 6th, by the end of 2022, we will be taking additional steps to minimize transfers of both Customer Data and Personal Data outside of the EU. We believe our new initiative will meet regulatory requirements and address the needs of our European customers who are looking for even greater data localization commitments.
We’ve identified the technical and operational investments necessary to meet this goal, and we believe we can accomplish it. In the coming months we’ll be discussing our plans with both customers and regulators, and we will be responsive to their feedback.
See: Microsoft Privacy - Where your data is Located

Will this result in a loss of functionality within the EU Data Boundary?
A: The EU Data Boundary is a further development of our existing commercial services that we already offer within the EU and as such, will not require migration. Functionality and continued innovation will apply to the services within the new EU Data Boundary. Customers will still have the option to choose enhancements to services that leverage resources outside the EU boundary.

Will the changes result in a price increase for EU customers?
A: We will build these EU Data Boundary solutions into in-scope Online Services to enhance our current offerings for customers. There may be optional choices in the future, as is already the case with M365 MultiGeo. We will provide more information when it becomes available.

Do I need to wait until 2022 to migrate to the cloud?
A: No. Customers considering migrating on-premises workloads to the Microsoft cloud today can be assured that they can use Microsoft services in compliance with European laws. Microsoft cloud services already comply with or exceed European guidelines even without the plan we are announcing today. These new steps build on our already strong portfolio of solutions and commitments that protect our customers’ data, and new customers will automatically gain the benefits of the engineering changes we are making.

How will the new boundary impact my compliance with the GDPR and the Schrems II ruling?
A: Microsoft Online Services already enable customers to comply with the GDPR even without this additional commitment to store and process data within the EU boundary. We implemented supplementary measures after the Schrems II decision to further support compliance for data transfers, which we believe meet and go beyond what is required by the Schrems II decision. We are making these additional investments to process and store data in the European Union by the end of 2022. This demonstrates our continuing commitment to our customers in Europe and simplifies post-Schrems II compliance by minimizing data transfers outside of the EU boundary.
See: New steps to defend your data - Microsoft on the Issues

Will EU Standard Contractual Clauses still be required or even applicable after 2022?
A: The EU Standard Contractual Clauses (SCCs) are used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the European Economic Area (EEA) will be transferred in compliance with EU data protection laws and meet the requirements of the EU Data Protection Directive 95/46/EC.
Microsoft will implement the European Commission’s revised SCCs and continue to offer customers specific guarantees around transfers of personal data for in-scope Microsoft services. This ensures that Microsoft customers can freely move data through the Microsoft cloud from the EEA to the rest of the world. Customers with specific questions about the applicability of SCCs to their own deployments should consult their legal counsel.

How will the US and other government requests be treated under the new EU Data Boundary?
A: Through clearly defined and well-established response policies and processes, strong contractual commitments, and if need be, the courts, Microsoft defends your data. We believe that all government requests for your data should be directed to you. We do not give any government direct or unfettered access to customer data. If Microsoft receives a demand for a customer’s data, we will direct the requesting party to seek the data directly from the customer. If compelled to disclose or give access to any customer’s data, Microsoft will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so. We will challenge every government request for an EU public sector or commercial customer’s personal data—from any government—where there is a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the GDPR that causes harm.

Will any personal data be transferred outside the EU after 2022? Can you provide a list of exceptions?
A: We’ve identified the technical and operational investments necessary to meet this goal, and we believe we can accomplish it. We will continue to consult with customers and regulators about our plans in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.

Will the EU Data Boundary be consistent with GAIA-X?
A: While GAIA-X has not yet finalized its requirements, we believe the EU Data Boundary for the Microsoft Cloud will provide the technical and business basis to support our ongoing commitment to the GAIA-X initiative.

Source: https://techcommunity.microsoft.com/...d/ba-p/2329098

Posted By: Brink
06 May 2021