Microsoft will begin a phased rollout of an expanded data localization offering in the European Union on January 1, it said today.
The EU Data Boundary for the Microsoft Cloud, as it’s branding the provision for local storage and processing of cloud services’ customer data, is intended to respond to a regional rise in demand for digital sovereignty that’s been amplified by legal uncertainties over EU-US data flows stemming from the clash between the bloc’s data protection rights and US surveillance practices.
“Beginning on January 1, 2023, Microsoft will offer customers the ability to store and process their customer data within the EU Data Boundary for Microsoft 365, Azure, Power Platform and Dynamics 365 services,” it wrote of the forthcoming “data residency solution” for customers in the EU and EFTA (the European Free Trade Association), adding: “With this release, Microsoft expands on existing local storage and processing commitments, greatly reducing data flows out of Europe and building on our industry-leading data residency solutions.”
Earlier this week, the European Commission published a draft decision on US adequacy that’s intended to resolve differences between legal requirements with a new deal on secure data transfers. However, this EU-US Data Privacy Framework (DPF) won’t be finalized until next year — potentially not before the middle of next year — and in the meantime transatlantic transfers of Europeans’ personal data remain clouded in legal risk.
Microsoft’s EU Data Boundary being rolled out in phases means there is no instant fix for the EU-US data flows risk on the horizon for its customers.
Nor is it clear whether the data residency solution will be comprehensive enough to address all the data flows and data protection concerns being attached to Microsoft’s products in Europe.
A long-running review of Microsoft’s 365 productivity suite by German data protection regulators made uncomfortable reading for the tech giant last month — as the working group concluded there is still no way to use its software and comply with the EU’s General Data Protection Regulation (GDPR) despite months of engagement with Microsoft over their compliance concerns.
Microsoft disputes the working group’s assessment — but has also said it remains committed to addressing outstanding concerns, and it names the EU Data Boundary as part of its plan for this since the offering will also provide “additional transparency documentation” on customer data flows and the purposes of processing; and more transparency on the processing and location by subprocessors and Microsoft employees outside of the EU (since Microsoft is not proposing a total localization of European customers’ data and zero processing elsewhere; so the EU Data Boundary remains somewhat porous by design).
Its blog post today announcing the kickoff of the phased rollout notes that as part of the first phase it will begin publishing “detailed documentation” on what it’s calling its “Boundary commitments” — including transparency documentation containing descriptions of data flows.
Per Microsoft, these transparency documents will initially be published in English — with “additional languages” slated as coming later (NB: The EU has 24 official languages, per Wikipedia, only one of which is English).
“Documentation will be updated continually as Microsoft rolls out additional phases of the EU Data Boundary and will include details around services that may continue to require limited transfers of customer data outside of the EU to maintain the security and reliability of the service,” it adds, saying these “limited data transfers” are required to ensure EU customers “continue to receive the full benefits of global hyperscale cloud computing while enjoying industry-leading data management capabilities”, as its PR puts it.
The tech giant had been shooting for the EU Data Boundary to be operational by the end of 2022. But given the phased rollout, a January 1st launch date is a pretty meaningless marker. After this initial launch, Microsoft said “coming phases” of the rollout will expand the offering to include the storage and processing of “additional categories of personal data”, including data provided when customers are receiving technical support.
We’ve asked Microsoft for more details on which data will be covered by which phases and when subsequent phases will roll out and will update this report with any response.
Discussing its phased rollout approach with Reuters, Microsoft’s chief privacy officer, Julie Brill, told the news agency: “As we dived deeper into this project, we learned that we needed to take a more phased approach. The first phase will be customer data. And then as we move into the next phases, we will be moving logging data, service data and other kinds of data into the boundary.”
She also said the second phase of the rollout will be completed at the end of 2023 — and phase three will be completed in 2024. Hence the date for Microsoft’s EU Data Boundary being fully operational remains years out.
“Based on customer feedback and insights, as well as learnings gained over the past year of developing the boundary, we have adjusted the timeline for the localization of additional personal data categories and data provided when receiving technical support,” it also writes in the blog post — explaining its “adjusted” timeline — and adding: “To ensure that we continue to deliver a world-class solution that meets the overall quality, stability, and security expectations of customers, Microsoft will deliver on-going enhancements to the boundary in phases. To assist customers with planning, we have published a detailed roadmap for our EU Data Boundary available on our Trust Center.”
In a similar move earlier this year, Google announced incoming data flows-related changes for its productivity suite, Workspace, in Europe — saying that by the end of the year it would provide regional customers with extra controls enabling them to “control, limit, and monitor transfers of data to and from the EU”.
Back in February, European data protection regulators kicked off a coordinated enforcement action focused on public sector bodies’ use of cloud services to test whether adequate data protection measures are being applied, including when data is exported out of the bloc — with a ‘state of play’ report due from the European Data Protection Board before the end of the year — a timeline that’s likely to have concentrated US cloud giants’ minds about the need to expand their compliance offerings to European customers.