A message to our customers about EU – US Safe Harbor

We appreciate that some of our customers have questions about the impact of the ruling today by the European Court of Justice (ECJ) about the EU – US Safe Harbor Framework. In particular, some customers may ask if this means that they will no longer be able to transfer their customer data from the European Union to the United States.

For Microsoft’s enterprise cloud customers, we believe the clear answer is that yes, they can continue to transfer data by relying on additional steps and legal safeguards we have put in place. This includes additional and stringent privacy protections and Microsoft’s compliance with the EU Model Clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the Safe Harbor. Both the ruling and comments by the European Commission recognized these types of steps earlier today.

Microsoft’s cloud services including Azure Core Services, Office 365, Dynamics CRM Online and Microsoft Intune all comply with the EU Model Clauses and hence are covered in this way.

We also don’t believe today’s ruling has a significant impact on our consumer services. Our terms of use make clear that to provide these services, we transfer data between users, which occurs, for example, when one user sends email or other online content to another user. We also have data centers in many countries and regions, including several located in Europe.

Our ability to rely on these alternative legal safeguards is no accident. We recognized the possibility of today’s legal ruling and put in place contingency measures for our enterprise customers. These built on work we’ve pursued for more than four years to increase protections for customers and ensure they are able to comply with laws and regulations when moving to Microsoft’s cloud. We’ve taken a number of steps:

  • We undertook extensive engineering, operations and legal work so that, beginning in 2011, we could offer the EU Model Clauses in our cloud contracts. And earlier this year, Microsoft became the first major cloud provider to adopt the world’s first international standard for cloud privacy, ISO 27018.
  • In April of 2014 we obtained confirmation in Europe from the Article 29 Working Party that our implementation of the EU Model Clauses provisions in our contracts was in line with their stringent requirements. The Working Party represents all of the data protection authorities across the EU, and they are the leading experts on these issues. We were the first tech company to obtain this confirmation. As we announced last April, this means that the customers who use our cloud services can rely on this protection to continue to move data to the United States and elsewhere.
  • We wanted to make sure all of our enterprise cloud customers receive this benefit so, beginning last year, we included compliance with the EU Model Clauses as a standard part of the contracts for our major enterprise cloud services with every customer. Microsoft cloud customers don’t need to do anything else to be covered in this way.

Our commitment to privacy extends beyond doing the difficult work of ensuring our cloud services comply with the EU Model Clauses.

  • In December of 2013 we announced a number of additional measures to increase protection for customer data. These included a significant expansion of encryption across our services, increased transparency of our code, and stronger legal protections for customers when governments seek customer information.
  • If any government wants access to our customers’ data, it must do so through appropriate legal process directed at specific accounts or identifiers. As the data we publish show, only a tiny fraction of our customers are impacted by data requests from governments.
  • Where appropriate we have challenged these targeted legal orders in court with success.
  • We have invested significantly in data centers around the world, in part to keep data closer to customers. We now have over 100 data centers in 19 regions and 40 countries.

Today’s decision obviously raises important points and makes it even more important for the European Commission and the U.S. Government to reach agreement on a path forward. We support this effort. It also makes clear the need for broader reforms of digital privacy laws around the world to strike a better balance between personal privacy and public safety. This is something we’ve been arguing for some time.

There are also steps that can be taken quickly in the U.S., such as passing the ECPA Amendments Act, the LEADS Act, and the Judicial Redress Act. These would all help.

We hope that governments on both sides of the Atlantic will work toward the same end. Many European nations are currently considering amendments to their surveillance laws. Rather than just expand governments’ surveillance authority as some are seeking to do, the focus should be on striking the right balance between security and privacy without sacrificing one for the other.

While Microsoft’s cloud customers can continue to do business today, it is clear that the world will benefit from a renewed agreement – and reforms – in this area between Europe and the United States. We’re committed to working in close partnership with others in the industry and to supporting data protection authorities and governments to help achieve the goals that the ECJ ruling set out. People won’t use technology they don’t trust. We need to work together to build that trust.

About the Author

President and Chief Legal Officer

Brad Smith is Microsoft’s president and chief legal officer. Smith plays a key role in representing the company externally and in leading the company’s work on a number of critical issues including privacy, security, accessibility, environmental sustainability and digital inclusion, among others.