How companies and public bodies benefit from the European Microsoft Cloud
Microsoft has announced that the EU Data Boundary will be rolled out to enterprises and public sector entities starting 1 January 2023. In a total of three phases, Microsoft customers will then be able to use cloud products, such as Microsoft 365, Dynamics 365 and Azure, within an EU data boundary. The EU Data Boundary leads to a significant limitation of data transfers to third countries, especially the United States. At the same time, the transparency of data processing is further increased. The accusations recently made by the German data protection supervisory authorities that data protection at Microsoft is too lax are unlikely to be tenable in their current form.
The EU Data Boundary at a glance
With the first phase of the EU Data Boundary, Microsoft customers can store and process their customer data exclusively within the EU Data Boundary. Data flows to third countries, such as the United States, are thus significantly reduced. At the same time, Microsoft is creating transparency by providing detailed information on the data processed within the EU as well as on the remaining third-country transfers on the EU Data Boundary Trust Center Page. In the second phase, starting at the end of next year, pseudonymised personal data from log files within the EU Data Boundary will be processed in addition to customer data. Here, too, appropriate documentation on remaining data transfers is to be provided. In the third phase, which is announced for mid-2024, data processed when Microsoft uses support services will finally also be included in the EU Data Boundary.
Our assessment
With the introduction of the EU Data Boundary as of 1 January 2023, Microsoft is once again strengthening its efforts to provide more data protection and GDPR compliance. While German data protection regulators claim to see “only minor improvements”, Microsoft is creating facts on the ground, having invested $12 billion in European cloud infrastructure over the past two years, for example. Even if the volume of third-country transfers remains low for now, the EU Data Boundary represents a strong commitment by Microsoft to compliance with European law and the GDPR in particular.
What companies and public agencies should do now
According to Microsoft, European customers are automatically covered by the EU Data Boundary, so no further action is needed for now. However, companies and public bodies should adapt their data protection documentation, particularly existing data protection impact assessments, at the latest with the roll-out by Microsoft. For more information on using Microsoft 365 in a privacy-compliant way, check out our free one-page brochure.