This week privacy authorities from all 27 European Union member states adopted a long-awaited Opinion clarifying what companies must do to safeguard the private information of Europe’s citizens when these companies use cloud services. Known as the Article 29 Working Party, the Opinion from these experts is essential reading for every business considering moving to the cloud.
In issuing this Opinion, European regulators provided the strongest endorsement to date for the European Model Clauses, a set of contractual safeguards that cloud service providers can use to demonstrate their commitment to the world’s most stringent data protection requirements. The Clauses provide a set of formal commitments that businesses can rely on to ensure that their cloud services provider adheres to the highest standards in its operations and data processing activities. Microsoft is the only cloud services provider willing to make this commitment and to offer the European Model Clauses to our customers.
In this week’s Opinion, the Article 29 Working Party repeatedly emphasizes that the cloud customer remains on the hook for ensuring compliance with EU data privacy regulations: “The client as the controller must accept responsibility for abiding by data protection legislation and is responsible and subject to all the legal obligations mentioned in [the EU Data Protection Directive].” The experts go on to say that cloud customers “should select a cloud provider that guarantees compliance with EU data protection legislation” and that commitments should be clearly set out in the contract between the customer and its cloud service provider.
This is exactly what the European Model Clauses do, and is exactly why Microsoft has been offering Model Clauses to our customers for over a year and even today remains the only cloud services provider willing to make this important contractual commitment. For Microsoft it is not just about words on paper. We have invested in the operational processes required to meet the exacting standards of the Model Clauses, and have spent the past year working closely with Data Protection Authorities from nearly every EU country on this matter. They have reviewed our compliance with the Model Clauses, and we have refined our approach to reflect the feedback they provided. We made this significant investment because we want to ensure our customers have peace of mind that our approach has been reviewed and acknowledged by the authorities. No other cloud service provider can say this.
We’ve delivered Model Clauses to customers across Europe as well as to companies outside Europe that have operations on the continent. Today, more than 500,000 users at companies large and small use our cloud services under contracts that include the Model Clauses, and this number grows each month. The EU has truly set a high bar for data protection, and Microsoft stepped up to meet it for every customer.
We encourage all customers to read the detailed report from the expert Article 29 Working Party and to use it to form their own tough questions for cloud providers. Any discussion should include two important questions. First, is their cloud services provider willing to commit contractually to offer Model clauses? Second, has their cloud services provider done the detailed work with the data protection authorities across Europe to ensure that their implementation complies with the requirements of these important regulators?
We applaud the EU’s Article 29 Working Party for its leadership on this issue and for helping create clarity for customers. We’re confident that customers considering Office 365 will find that no other provider is offering customers the level of cloud privacy and security that we are, including by offering a contractual commitment to back up our word, and an approach that has been reviewed and acknowledged by the key regulators across Europe. This is important not only for our European customers, but for customers elsewhere around the world who also want to be sure that their cloud service provider has met Europe’s high standard for data privacy protection.