Microsoft's EU Data Boundary data residency option to launch in January

Builds on the company's existing data storage commitments as moves towards data residency grow worldwide

Microsoft will begin rolling out its cloud EU Data Boundary solution to EU organisations from 1st January 2023.

EU Data Boundary, an enhancement of Microsoft's existing data residency arrangements which ensure data does not leave its original jurisdiction, will cover Microsoft 365, Azure, Power Platform and Dynamics 365.

It was first announced last year as going "beyond our existing data storage commitments [to] enable you to process and store all your data in the EU".

In a blog published this week, the company said: "With this release, Microsoft expands on local storage and processing commitments, greatly reducing data flows out of Europe, and building on our industry-leading data residency solutions."

"In coming phases of the EU Data Boundary, Microsoft will expand the EU Data Boundary solution to include the storage and processing of additional categories of personal data, including data provided when receiving technical support."

EU Data Boundary uses existing Microsoft data centres in 14 EU countries, and the company says it has plans to build several more.

The move comes after years of concern about personal data being transferred to the US for processing, which came to a head during the Snowden revelations. Since that time, Europe in particular has been tightening the conditions under which data may be transferred to that country, which offers few reciprocal arrangements.

While Microsoft, as a US company, could be commanded by the US government to hand over data on its servers anywhere in the world, it has successfully challenged such requests in the past, such as when emails stored in an Irish data centre were demanded. Nevertheless, such provisions remain a severe sticking point in bilateral agreements.

The EU and US are still working through arrangements over the transfer of personal data following the collapse of the Privacy Shield regime.

Microsoft is taking a phased approach to the rollout, starting with customer data then moving onto other areas such as service data and logs, with plans to complete the operation by 2024.

There is a growing move towards requiring data to remain in country with countries including Israel, Russia, Australia, India and South Korea all introducing their own measures. With each bloc introducing its own distinct data protection legislation, large multinational organisations can find it difficult to ascertain where their data is and whether it is compliant with regulations such as the GDPR. Therefore, keeping data in one jurisdiction can be a simplifying measure.

However, some see the growing move towards data sovereignty around the world as a threat to innovation.

Caroline Carruthers, CEO of global data consultancy Carruthers and Jackson, said: "The creation of Microsoft's new EU Data Boundary fundamentally makes data flow less efficient, but doesn't fully prevent personal information being accessed in other jurisdictions. Data does not respect geography, and attempting to ringfence it will never give 100% protection to customers.

"Putting up data boundaries and restricting free flow of data is a regressive step for wider data transformation. Instead of trying to pull up the castle moat on European data, governments and multinationals should be pushing for global data standards to ensure enhanced security does not stifle data innovation."