Microsoft Announces Completion of Second Phase of Data Localization Rollout in EU
Microsoft has recently completed the second phase of its initiative to localize data in the European Union. This latest deployment to the “EU Data Boundary for the Microsoft Cloud” began at the start of last year and is expected to be completed by the end of 2024, maintaining the company’s promised schedule.
The effort to understand and track the processing and storage of digital information, known as data localization, has become increasingly crucial in light of EU data protection laws. In a blog post released today, Julie Brill, VP and chief privacy officer, announced the completion of the second phase, which now includes local storage and processing for all personal data, including automated system logs. The first phase focused on customer data, meaning information actively entered by customers, while this phase covers a wider range of data generated by customer activity, such as system logs.
In recent years, Microsoft has faced increased scrutiny from data protection authorities in the EU regarding the transfer of data from its cloud products. This scrutiny intensified when a data transfer agreement between the EU and the US was deemed invalid by the Court of Justice in July 2020. The decision was based on the incompatibility of US surveillance powers and EU privacy laws, leaving cloud services operating in Europe at risk.
In response, the EU adopted a new data deal, known as the “Data Privacy Framework,” which Microsoft has welcomed and under which it has certified. However, there is no guarantee that this new arrangement will survive legal challenge, as previous agreements, such as Safe Harbor, have also failed legal review. In light of this uncertainty, it is not surprising to see major US cloud companies, like Microsoft, ramping up their data localization efforts in the EU. Doing so not only improves their local public relations, but also serves as an insurance policy against regulatory risk.
However, Microsoft’s data localization efforts remain somewhat porous, as some data is still transferred outside the EU. This will continue to be the case even after the planned final phase of the rollout, scheduled for December 31, 2024. Microsoft has not proposed a complete localization of data and processing, but will instead phase in more localization for customer data over time.
“Through significant investments and dedicated efforts by thousands of engineers, our EU Data Boundary now enables the processing and storage of all data in the EU across Microsoft core cloud services – Azure, Microsoft 365, Power Platform, and Dynamics 365.” – Julie Brill, VP and Chief Privacy Officer
With this expansion, the EU Data Boundary will include pseudonymized personal data found in system-generated logs, which are automatically produced as part of the standard operation of the services. Microsoft’s customers will now have the ability to store and process even more of their data within the European Union, providing them with greater control and compliance.
In addition to the completed rollout, Microsoft is releasing new documentation and transparency information to help customers understand data flows. This information can be accessed on the EU Data Boundary Trust Center webpage.
“We know that our customers need a clear and comprehensive view of the data handling, limited transfers, and data protection processes we are deploying in the EU Data Boundary,” Brill writes, without providing specific details of the additional information that will be available.
Another enhancement to the data localization initiative is the deployment of virtual desktop infrastructure within the EU Data Boundary. This will allow remote access to system logs for monitoring system health, eliminating the need for customer log data to be physically transferred or stored outside the EU. However, some outflows of data will still be necessary for technical support interactions. The next phase of the Boundary rollout, scheduled to begin later this year, will focus on further limiting and securing these data transfers.
“We will ensure that support data is stored within the boundary, and when access from outside the EU is required to enable world-class support, we will limit and secure any temporary data transfer required through technical approaches such as Virtual Desktop Infrastructure.” – Julie Brill, VP and Chief Privacy Officer
Microsoft is also developing a future paid support option that will provide initial technical response from within the EU, further demonstrating its commitment to providing trusted cloud services that comply with European values and offer advanced sovereignty controls and features.