Micro­soft 365: More data pro­tec­tion through the EU Data Boundary!

How com­pa­nies and public bodies bene­fit from the Euro­pean Micro­soft Cloud

Micro­soft has announ­ced that the EU Data Boun­da­ry will be rol­led out to enter­pri­ses and public sec­tor enti­ties start­ing 1 Janu­ary 2023. In a total of three pha­ses, Micro­soft cus­to­mers will then be able to use cloud pro­ducts, such as Micro­soft 365, Dyna­mics 365 and Azu­re, within an EU data boun­da­ry. The EU Data Boun­da­ry leads to a signi­fi­cant limi­ta­ti­on of data trans­fers to third count­ries, espe­ci­al­ly the United Sta­tes. At the same time, the trans­pa­ren­cy of data pro­ces­sing is fur­ther increased. The accu­sa­ti­ons recent­ly made by the Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties that data pro­tec­tion at Micro­soft is too lax are unli­kely to be tenable in their cur­rent form.

The EU Data Boun­da­ry at a glance

With the first pha­se of the EU Data Boun­da­ry , Micro­soft cus­to­mers can store and pro­cess their cus­to­mer data exclu­si­ve­ly within the EU Data Boun­da­ry. Data flows to third count­ries, such as the United Sta­tes, are thus signi­fi­cant­ly redu­ced. At the same time, Micro­soft is crea­ting trans­pa­ren­cy by pro­vi­ding detail­ed infor­ma­ti­on on the data pro­ces­sed within the EU as well as on the remai­ning third-country trans­fers on the EU Data Boun­da­ry Trust Cen­ter Page. In the second pha­se, start­ing at the end of next year, pseud­ony­mi­sed per­so­nal data from log files within the EU Data Boun­da­ry will be pro­ces­sed in addi­ti­on to cus­to­mer data. Here, too, appro­pria­te docu­men­ta­ti­on on remai­ning data trans­fers is to be pro­vi­ded. In the third pha­se, which is announ­ced for mid-2024, data pro­ces­sed when Micro­soft uses sup­port ser­vices will final­ly also be included in the EU Data Boundary.

Our assess­ment

With the intro­duc­tion of the EU Data Boun­da­ry as of 1 Janu­ary 2023, Micro­soft is once again streng­thening its efforts to pro­vi­de more data pro­tec­tion and GDPR com­pli­ance. While Ger­man data pro­tec­tion regu­la­tors cla­im to see “only minor impro­ve­ments”, Micro­soft is crea­ting facts on the ground, having inves­ted $12 bil­li­on in Euro­pean cloud infra­struc­tu­re over the past two years, for exam­p­le. Even if the volu­me of third-country trans­fers remains low for now, the EU Data Boun­da­ry repres­ents a strong com­mit­ment by Micro­soft to com­pli­ance with Euro­pean law and the GDPR in particular.

What com­pa­nies and public agen­ci­es should do now

Accor­ding to Micro­soft, Euro­pean cus­to­mers are auto­ma­ti­cal­ly cover­ed by the EU Data Boun­da­ry, so no fur­ther action is nee­ded for now. Howe­ver, com­pa­nies and public bodies should adapt their data pro­tec­tion docu­men­ta­ti­on, par­ti­cu­lar­ly exis­ting data pro­tec­tion impact assess­ments, at the latest with the roll-out by Micro­soft. For more infor­ma­ti­on on using Micro­soft 365 in a privacy-compliant way, check out our free one-page bro­chu­re.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.