Privacy authorities across Europe approve Microsoft’s cloud commitments

The following post is from Brad Smith, General Counsel and Executive Vice President of Legal and Corporate Affairs at Microsoft.


This is an important week for the protection of our customers’ privacy. The European Union’s data protection authorities have found that Microsoft’s enterprise cloud contracts meet the high standards of EU privacy law. This ensures that our customers can use Microsoft services to move data freely through our cloud from Europe to the rest of the world. Building on this approval, we will now take proactive steps to expand these legal protections to benefit all of our enterprise customers.

The EU’s 28 data protection authorities acted through their “Article 29 Working Party” to provide this approval via a joint letter. Importantly, Microsoft is the first – and so far the only – company to receive this approval. This recognition applies to Microsoft’s enterprise cloud services – in particular, Microsoft Azure, Office 365, Microsoft Dynamics CRM and Windows Intune.

By acknowledging that Microsoft’s contractual commitments meet the requirements of the EU’s “model clauses,” Europe’s privacy regulators have said, in effect, that personal data stored in Microsoft’s enterprise cloud is subject to Europe’s rigorous privacy standards no matter where that data is located. This is especially significant given that Europe’s Data Protection Directive sets such a high bar for privacy protection.

Our customers benefit in three key ways:

First, should the EU suspend the Safe Harbor Agreement with the U.S., as called for recently by the European Parliament, our enterprise customers won’t need to worry that their use of our cloud services on a worldwide basis will be interrupted or curtailed.

Second, even if the Safe Harbor Agreement remains in place, it covers only transfers from Europe to the U.S. Our approved contractual commitments, by contrast, enable transfers globally.

Third, we have done and will continue to do the hard work to ensure that we can comply both technically and operationally with the stringent obligations imposed by these contractual commitments. All of our customers, whether they have operations in Europe or elsewhere, benefit from the strong engineering protections we have put in place as a result.

Other companies talk about their commitment to comply with EU privacy law – but we’ve enshrined that commitment in our contracts. And Microsoft has done the technical and legal work to ensure our customers with European operations can legally move their data through our services. For customers who care about privacy and compliance, there is no more committed partner than Microsoft.

Starting July 1, we will ensure that all our enterprise customers benefit from this privacy recognition through our standard agreements. The EU approval requires that customers execute a short, standardized addendum to their current agreements in order to take advantage of this new recognition, and we will create a very simple process to facilitate this.

Predicting the future is hard. But looking forward, we expect both governments and customers to demand greater transparency and control over how customer content and personal data are protected and where they are stored. While we join others in our industry in calling for governments to respect the free flow of information, we also believe in putting our customers’ needs first. That’s why we previously announced our commitment around implementing encryption and enabling enterprise customers to store their content in existing data centers in their region.

Ultimately, customers will entrust their information to the cloud only if they have confidence that it will remain secure there. This week’s approval by the European data protection authorities is another important step in ensuring customers trust Microsoft’s cloud services. And this is just the beginning: there is more to come soon.

For more information about this news and the regulations and data protection authorities mentioned here, please read this FAQ.