Microsoft outlines plan to store European cloud data in the EU

Engineering work to redesign the cloud has already started, according to the company

Microsoft has pledged to allow its commercial and public sector customers in the EU to store and process the majority of their data within the Union by the end of 2022.

The new programme, dubbed the 'EU Data Boundary for the Microsoft Cloud,' will apply to all of Microsoft's core cloud services, including Azure, Dynamics 365 and Microsoft 365, Microsoft president Brad Smith said in a blog post.

The engineering work to redesign the Microsoft cloud is currently underway, and the company aims to have completed it by the end of 2022.

The data in question includes any service-generated data or personal data in diagnostics, as well as the personal data that Microsoft uses to provide technical support to customers.

The company also plans to extend technical controls, such as Lockbox and customer-managed encryption for data, across its cloud services.

Smith added that the company will consult with EU regulators and customers about the Data Boundary plan in the coming months, including any changes needed in unique circumstances like cyber security.

Wariness over data residency is on the rise

Microsoft's announcement comes amid growing unease in the EU over the data residency issue, and the reach of law-enforcement agencies in other territories - including the US - into European users' personal data.

Microsoft and other cloud service providers have, for years, relied on Standard Contractual Clauses (SCCs) and Privacy Shield for EU-US data transfers.

In 2013, Max Schrems, an Austrian law student and privacy activist, asked the Irish Data Protection Commissioner (DPC) whether Facebook sending his personal data to the US was in breach of EU's data protection law.

The complaint revolved around the way that US security services could access data on European citizens, as revealed by Edward Snowden.

However, instead of making a ruling on Schrems' complaint, the DPC took the case to the Irish High Court, which - following a lengthy discussion - referred the issue to the European Court of Justice (ECJ) for further guidance.

The ECJ eventually annulled the EU-US data sharing agreement, called Safe Harbour, in 2015. It was replaced by the Privacy Shield framework.

Last July, the ECJ ruled Privacy Shield invalid, stating that it was unable to protect European users' data from US surveillance mechanisms. However, the ECJ still allowed cloud companies like AWS and Google to use SCCs as a legal mechanism for data transfers, with some adjustments.

Microsoft says its EU Data Boundary programme will use data centres in 13 countries, namely France, Germany, Greece, Austria, Denmark, Ireland, Italy, Norway, Spain, Poland, Switzerland, Sweden and the Netherlands.

There won't be any requirement for customers to migrate their data to use the programme. Moreover, there will be no additional costs or change in price.

"Today's update is part of our commitment to the EU's vision for a 'Europe Fit for the Digital Age,' and an acknowledgement of the role the technology sector needs to play in helping Europe realise its digital aspirations," Smith said.

"In addition to processing our commercial and public sector customers' personal data in Europe, we are also creating a Privacy Engineering Centre of Excellence in Dublin to guide our European customers in choosing the right solutions for building robust data protection into their cloud workloads, including to meet regulatory requirements."

"We are committed to helping build 'Tech Fit 4 Europe'."