Microsoft Outlines Plans To Meet EU Data Storage Legal Requirements
Microsoft announced on Thursday that its various services are expected to meet European Union (EU) data storage legal requirements by the end of 2022.
At that time, Microsoft expects to have assured EU-member countries that the data used with Microsoft's services will stay within those countries. This effort is called the "EU Data Boundary for the Microsoft Cloud," and it'll apply to "all of Microsoft's core cloud services -- Azure, Microsoft 365, and Dynamics 365," the announcement indicated.
Microsoft's definition of a cloud core service wasn't explained. Microsoft also has "supporting services" that are part of its cloud operations, noted Tony Redmond, a Microsoft Most Valuable Professional, in this Practical 365 post. In a test, he used PowerShell to discover that 27 of 46 services in an Office 365 EMEA datacenter region originated in the United States.
Existing Datacenters Used
The EU Data Boundary for the Microsoft Cloud will tap existing datacenters in 13 countries, namely "Austria, Denmark, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, Spain, Sweden, and Switzerland," Microsoft indicated. There won't be any need for data migrations to take place to use the program, per this Microsoft FAQ announcement.
Non-EU states Norway and Switzerland also will have access to the EU Data Boundary for the Microsoft Cloud, Microsoft added.
Microsoft is contemplating one exception under its EU Data Boundary for the Microsoft Cloud approach to data storage. The exception concerns cybersecurity, which is something that Microsoft is planning to discuss with regulators and customers "in the coming months," per the FAQ.
'Defending Your Data'
Microsoft claimed its services already comply with European laws, and that the EU Data Boundary for the Microsoft Cloud is just adding to those efforts.
U.S. government requests for data under the EU Data Boundary for the Microsoft Cloud effort would be handled in the following manner, according to Microsoft's FAQ:
If compelled to disclose or give access to any customer's data, Microsoft will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so. We will challenge every government request for an EU public sector or commercial customer's personal data -- from any government -- where there is a lawful basis for doing so.
Microsoft refers to this legal approach as its "Defending Your Data" assurance to customers. The approach is described in this 2020 announcement.
The most notable example of Microsoft's efforts in this regard was a long-running e-mail privacy case that involved a Microsoft datacenter in Ireland. That case eventually came to a murky end at the U.S. Supreme Court, and apparently got voided.
The Snowden Effect
EU data sovereignty concerns likely got amplified in 2013 with the Edward Snowden-inspired disclosures of widespread U.S. National Security Agency (NSA) spying, both foreign and domestic. The disclosed massive data collection effort happened in collaboration with U.S. Internet Service Providers (ISPs).
Microsoft had been the first ISP to sign up for the NSA's Prism data collection program, which tapped Internet traffic around the world, according to a leaked contractor slide.
Microsoft regularly gets requests for data from both the U.S. Foreign Intelligence Surveillance Act (FISA) court, a secret body, and from law enforcement agencies more generally. The counts for some FISA court requests are shown at this page. General law enforcement data request counts can be found at Microsoft's "Law Enforcement Requests Report" page.
The Law Enforcement Requests Report page includes an interesting FAQ section that indicates that most of the requests that Microsoft gets concern the use of Microsoft's free consumer services. "By comparison, we have received very few requests for data associated with our commercial services used by enterprise customers," it explained.
The FAQ also denied claims that Microsoft gave the U.S. government direct access to Outlook.com and Skype data flows. Leaked 2013 documents to that effect had just been misinterpreted, the FAQ claimed. Microsoft also denied in the FAQ that it added backdoors to its products, which had been another 2013 allegation.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.