Microsoft is expanding its cloud storage localisation offerings in the European Union, making it easier for customers to have data stored and processed on the continent rather than being transferred to the US. The move could lead to Microsoft and the other cloud hyperscalers expanding operations in the EU and taking over small European data companies, an analyst believes.

Microsoft says it has spent $12bn rolling out data centre operations in Europe over the past two years. (Photo by Gorodenkoff/Shutterstock)

Microsoft says it has spent $12bn over the past two years expanding its data centre operations within the European Union in response to growing demand for data localisation, driven in part by a need to comply with GDPR legislation. The legality of data transfers between the US and EU is questionable after two transatlantic agreements governing the flow of information were struck down by the European Court, following challenges from privacy campaigners.

A new agreement between the US government and European Union, the Data Privacy Framework, was agreed earlier this year and enacted by President Joe Biden via executive order in October. But the legality of this agreement has yet to be tested in court.

The new Microsoft cloud EU data boundary, first announced last year, will come into force on 1 January. When it announced the plan, MSFT said the boundary would be in place by the end of 2022, and it has stuck to its deadline.

Full details of the Microsoft cloud EU data boundary yet to be revealed

The new data residency and proximity tools will be available to customers using the full Microsoft Cloud suite, including Microsoft 365, Power Platform and Azure.

The data boundary tools are being rolled out in phases, and whether they will be comprehensive enough to reduce the risk of a company falling foul of GDPR is unclear.

Caroline Carruthers, CEO of global data consultancy Carruthers and Jackson said the new data boundary “fundamentally makes data flow less efficient, but doesn’t fully prevent information from being accessed in other jurisdictions” as “data doesn’t respect geography”.

She said any attempt to ringfence data will never give 100% protection to customers and so putting up data boundaries and restriction-free flow of data is “regressive for the wider data transformation efforts” without fully addressing the risks.

The latest rollout expands on existing local storage and processing commitments for European companies and organisations, which “also acts to greatly reduce data flows out of Europe and builds on our industry-leading data residency solutions,” Microsoft said.

The phased release will include storage and processing of additional categories of personal data than already come under localisation products, including data provided when receiving technical support.

Microsoft says this will ensure “sector customers have the choice and flexibility they need to enjoy hyperscale products at the cutting edge of innovation while also meeting regulatory requirements and industry-specific standards,” which is particularly relevant to the public sector.

Microsoft says it also plans to publish “detailed documentation” on its “boundary commitments” that include transparency documentation outlining the exact flow of data through its platform.

“Documentation will be updated continually as Microsoft rolls out additional phases of the EU data boundary and will include details around services that may continue to require limited transfers of customer data outside of the EU to maintain the security and reliability of the service,” the company wrote.

EU data boundaries benefit the hyperscalers

Google announced its own data-flow changes for its Workspace productivity suite within Europe earlier this year, saying that regional customers will have tighter controls enabling limits on the transfer of data to and from the EU.

The flurry of hyperscaler policy changes come off the back of EU regulators enforcing action on public sector bodies’ use of cloud platforms and whether appropriate levels of data protection are being applied when data leaves the region.

But such policy interventions are counter-productive, Carruthers argues. “Instead of trying to pull up the castle moat on European data, governments and multi-nationals should be pushing for global data standards to ensure enhanced security does not stifle data innovation,” she says.

She told Tech Monitor these latest enforcement actions and EU acts will prove to be good news for the hyperscalers and small EU cloud providers, explaining they will “likely cause far more collaborations (partnerships) and acquisitions between companies across the Atlantic. By doing this, they will be able to fulfil the standards of both sides and not have to worry about finding a means to comply.”

This is good for the small companies who can sell up and good for large businesses who can expand or buy smaller companies to comply but not so good for medium sizes businesses as they “are too small to acquire another business and too big to be acquired, meaning they will likely struggle to grow and expand into different regions,” Carruthers says.

Read more: Cloud sovereignty – why European tech firms are partnering with the hyperscalers