Answering Europe’s Call: Storing and Processing EU Data in the EU

The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cyber-security, and we will move forward in a way that is responsive to their feedback.

Microsoft cloud services already comply with or exceed EU guidelines even before the plan we’re announcing today. We already provide commercial and public sector customers the choice to have data stored in the EU, and many Azure cloud services can already be configured to process data in the EU as well. In addition, we use world-class encryption and robust lockbox solutions that meet current regulatory guidance. Many of our services put control of customer data encryption in customers’ hands through the use of customer-managed keys, and we defend our customers’ data from improper access by any government in the world.

Today’s update is part of our commitment to the EU’s vision for a “Europe Fit for the Digital Age,” and an acknowledgement of the role the technology sector needs to play in helping Europe realize its digital aspirations. In addition to processing our commercial and public sector customers’ personal data in Europe, we are also creating a Privacy Engineering Center of Excellence in Dublin to guide our European customers in choosing the right solutions for building robust data protection into their cloud workloads, including to meet regulatory requirements. We are committed to helping build “Tech Fit 4 Europe.”

Our EU Data Boundary for the Microsoft Cloud will be powered by our substantial and ongoing investments in an expansive European data centre infrastructure. We opened our first data centre in Europe in 2009, and our EU Data Boundary for the Microsoft Cloud will leverage data centres we’ve announced or currently operate in 13 countries: Austria, Denmark, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, Spain, Sweden, and Switzerland. These datacenters power cloud services that help our European customers realize their ambitions to achieve digital transformation and increase their competitiveness with the assurance that they can operate in compliance with all applicable laws and regulations. In addition to customers in EU member states, customers in Norway and Switzerland will also have access to the EU Data Boundary.

Microsoft has long demonstrated our commitment to meet and exceed the requirements of EU data protection laws. For instance, we were the first major technology company to affirm our compliance with the GDPR and to extend core GDPR rights and protections to our consumer customers globally – not just to those in the EU. In addition, following the European Data Protection Board (EDPB) draft recommendations on measures that companies should implement as a result of the Schrems II decision, we announced our Defending Your Data initiative, which extends beyond the EDPB recommendations. We will challenge every government request for an EU public sector or commercial customer’s personal data—from any government—where there is a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the GDPR that causes harm.

Microsoft will continue to do all we can to encourage government leaders on both sides of the Atlantic and beyond to address lawful access issues quickly. We’re encouraged by the ongoing discussions between the European Commission and the United States government to build a new framework for Europeans’ personal data that is transferred to the United States. We are optimistic that there will be a resolution in the near future.