Assuring Customers About Cross-Border Data Flows

Today the Court of Justice for the European Union issued a ruling in a case examining transfers of data from the EU. We appreciate that some of our customers may have questions about the impact of this ruling.

We want to be clear: if you are a commercial or public sector customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.

For years we have provided customers with overlapping protections under both the Standard Contractual Clauses (SCCs) and Privacy Shield frameworks for data transfers. Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid. Our customers are already protected under SCCs.

Today’s ruling also does not change data flows for our consumer services. We transfer data between users, for example, when one person sends email or other online content to another. We will continue to do so in compliance with today’s ruling and further guidance from EU data protection authorities and the European Data Protection Board.

In addition to continuing support for customers who need data to flow across the Atlantic, we will also work proactively with the European Commission and the U.S. government to address the issues raised by the ruling. We recognize the Court raised some important topics for governments to consider as they set policy on how data moves across borders. We’re committed to playing our part, as we’ve done before, in working with governments and regulators on both sides of the Atlantic to help address them. We also know the European Commission and U.S. government will be very focused on resolving these issues and are grateful they are actively engaged.

We routinely work to advance our protections for customers based on developments like today’s. We were the first cloud provider to work with European data protection authorities for approval of Europe’s model clauses, the first to adopt new technical standards for cloud privacy, we embraced Privacy Shield as a successor to Safe Harbor after that framework was invalidated, and we extended core GDPR rights to our worldwide customer base.

Finally, we will continue to take steps to stand up for the rights of our customers. We’ve gone to court to challenge orders seeking access to people’s data or to protect our ability to tell customers about them, taking one case to the U.S. Supreme Court. Our challenges have led to greater protections and transparency for our customers, including through a settlement that enabled us to begin disclosing transparency reports about the number of U.S. national security orders we receive and established new policies within the U.S. government limiting the use of secrecy orders.

Privacy is an ongoing journey, and today’s ruling is not the final word. Our customers can be assured that we are committed to ensuring their data will continue to flow through our services, that we’ll continue our work to provide greater protections based on the issues raised in today’s ruling, and that we’ll work collaboratively with governments and policymakers as they shape new approaches.

Julie Brill
Corporate Vice President and Chief Privacy Officer