Microsoft has ticked off the second phase of its rollout of a data localization offering in the European Union. The latest deployment to the “EU Data Boundary for the Microsoft Cloud”, as it brands the infrastructure, kicked off in at the start of last year. Microsoft had said it expected the second phase of the rollout to be completed at the end of 2023 so it’s keeping roughly to schedule.
Efforts to understand where digital information is being processed and stored, and even to co-locate data in the same country/region as customers — aka data localization — can be important considerations under EU data protection laws.
In a blog post published today announcing the second phase, Julie Brill, VP and chief privacy officer, said the update expands the data localization offering to include local storage and processing for “all personal data” — including automated system logs. The first phase of the rollout focused on what Microsoft refers to as “customer data” — meaning information customers actively inputted, rather than the wider array of data that can be generated off of customer activity (such as through systems logs).
In recent years, Microsoft has faced growing scrutiny from data protection authorities in the EU about outflows of data from its cloud products. The regulatory risk for the tech giant became especially acute when a data transfer agreement between the bloc and the U.S. was struck down by the Court of Justice, in July 2020. At issue: The incompatibility of sweeping U.S. surveillance powers and EU privacy laws — a legal clash that’s twice tossed U.S.-based cloud services with European customers into an uncertain limbo.
Last July a new EU-U.S. data deal was adopted by the bloc, aka the “Data Privacy Framework” — which a Microsoft FAQ notes it “welcomes” and is “certified under”. However there’s no guarantee the latest arrangement will survive legal challenge, given Privacy Shield and the prior transatlantic deal (Safe Harbor) both failed legal review. Hence it’s no surprise to see U.S. cloud giants like Microsoft continuing to ramp up data localization efforts in the EU — as it’s both good local PR and an insurance policy against the risk of regulatory risk returning.
Albeit, it is perhaps mostly PR since Microsoft’s data localization remains porous by design. Some data still leaves the bloc, currently. And will, apparently, continue to do even after the planned final (third) phase of the rollout (slated for December 31, 2024) — since Microsoft has not proposed a total localization of data and no processing elsewhere. It’s just phasing in more localization for customer data flows over years.
“Through significant investments and dedicated efforts by thousands of engineers, our EU Data Boundary now enables the processing and storage of all data in the EU across Microsoft core cloud services — Azure, Microsoft 365, Power Platform, and Dynamics 365,” writes Brill. “This means the EU Data Boundary now includes pseudonymized personal data. This data is found in system-generated logs, produced automatically as part of the standard operation of the services. With this expansion, the EU Data Boundary allows our customers to store and process even more of their data within the European Union and enriches customer control.”
Microsoft is also releasing additional documentation and transparency information aimed at helping customers understand data flows. It says the new resources can be accessed via the EU Data Boundary Trust Center webpage.
“We know that our customers need a clear and comprehensive view of the data handling, limited transfers, and data protection processes we are deploying in the EU Data Boundary,” Brill writes, without setting out the exact additional information customers can expect to be able to find on the portal now.
Another enhancement of the data localization offer her blog post flags is the deployment of virtual desktop infrastructure within the EU Data Boundary. She says this is in order that it can be used for remote access to system logs for monitoring system health — i.e. rather than customer log data needing to be physically transferred or stored outside the EU. However technical support interactions continue to require outflows of data. But the next phase of the Boundary rollout, which will kick off “later this year” per Brill, is slated to focus on this area.
“We will ensure that support data is stored within the boundary, and when access from outside the EU is required to enable world-class support, we will limit and secure any temporary data transfer required through technical approaches such as Virtual Desktop Infrastructure,” she writes. “Microsoft is also developing a future paid support option that will provide initial technical response from within the EU.”
“Our EU Data Boundary solution goes beyond European compliance requirements and reflects our commitment to provide trusted cloud services that are designed to take advantage of the full power of the public cloud while respecting European values and providing the most advanced sovereignty controls and features available in the industry today,” Brill adds.
Microsoft to start multi-year rollout of EU data localization offering on January 1
Europe adopts US data adequacy decision