Microsoft has pledged that all information from European clients using its cloud services will be stored and processed on the continent by the end of 2022. Legal experts say the policy, which comes in response to an EU court ruling against international data transfers, is a step in the right direction, but have warned customers to be on their guard as they could still end up footing the bill for breaches of data protection legislation.

The plan, known as the Microsoft EU Data Boundary, will apply to the company’s Azure, Microsoft 365, and Dynamics 365 cloud products, according to a blog post from Brad Smith, president and chief legal officer at Microsoft. “We will go beyond our existing data storage commitments and enable you to process and store all your data in the EU,” Smith said. “We are beginning work immediately on this added step, and we will complete by the end of next year the implementation of all engineering work needed to execute on it.

Microsoft EU Data Boundary: why now?

The vast majority of European businesses using public cloud services do so via a non-EU-headquartered provider. Indigenous cloud providers only accounted for 15% of the European cloud market in Q3 2020, down from 26% of the market four years ago.

Microsoft and other cloud providers such as AWS and Google Cloud have been forced to change the way they handle data from European customers by the European Court’s ruling in the Schrems II case last year, which declared the EU-US Privacy Shield, an agreement which allowed companies to transfer customer information from the EU to the US, was not compatible with Europe’s general data protection regulations (GDPR). This is because US law allows its government to requisition client data from companies on national security grounds, something which is prohibited under GDPR.

Data transfers between the continents using another mechanism, standard contractual clauses (SCCs), are still legal following the Schrems II judgement, but with more stringent controls and checks than before, and it appears Microsoft is now keen to cut its use of SCCs. “It’s an interesting step and a recognition that data transfers out of Europe, to the US in particular, are increasingly difficult, perhaps even impossible,” says Jonathan Kirsop, an information law partner at Pinsent Masons law firm. “It seems like they’re trying to pre-empt further debate on this issue by saying we’ll ringfence all data [within Europe]. I would expect this will put pressure on the other cloud providers to offer something equivalent.”

Can putting a data boundary around Europe work?

Europe is already home to data centres for most leading cloud companies. This helps offer “greater control of data,” says Jagvinder Singh, international and UK head of IT, and partner, at law firm Mills & Reeve. “You know where the data is, what the access controls are and who is going in and out,” he says. “It’s much harder for the US government to send someone in if the data centre is in the UK or Europe.”

But while storage in Europe is common, processing is another matter, Singh says. “The way Microsoft and other big cloud providers operate is to have staff around the world, including in the US,” he says. “So even if the data is ‘at rest’ in Europe, if staff are accessing it from overseas there is still an international data transfer.” Singh says that it isn’t clear how Microsoft will get around this problem, and until more details are made public it is difficult to judge how practical the plan is. “They are saying all the data will be processed in Europe, but how will that work when they have technical support centres in India?”

A further problem, Kirsop says, is that even if all data is stored and processed in Europe, the likes of Microsoft, Amazon and Google may still fall under the “extraterritorial effect” of US legislation which isn’t compatible with GDPR. “If you’re a US company or its subsidiary you can in theory still be subject to requests for data,” he says. “So even with this statement from Microsoft, there is still a potential loophole the US government could use. I would expect EU regulators to welcome this step, but it doesn’t entirely eliminate the risks they’re concerned about in the Schrems II decision.”

How can businesses safeguard their data in the cloud?

Even with the renewed commitment from Microsoft it is important for businesses to carry out due diligence on their cloud provider and request sufficient information about where their data is stored and handled, says Singh, otherwise they could be held responsible for breaches of EU or UK rules. “This is not information the cloud companies always readily provide,” he says. “You have to request it and point out that they are obliged to give it to you by law. What a lot of customer organisations and their data controllers don’t realise is they need this information about international data processing and the safeguards around it so they can reflect that in their own documentation for their customers.”

Microsoft’s says it will “challenge” any requests from authorities to gain access to data from EU customers, and “will provide monetary compensation to our customers’ users if we disclose data in violation of the GDPR that causes harm.” But Singh says businesses shouldn’t assume this means Microsoft will cover any fines issued for breaches. “Organisations dealing with the big cloud providers must look at exclusions and limitations of liability very carefully, and the amounts that will be paid in the event of a data breach or violation of GDPR,” he says. “Some might be quite surprised by the number of exclusions and limitations. This means that if there is a problem the customer could end up footing the bill without having any comeback on their service provider.”

Home page image by hafakot/Shutterstock.com.