Assuring Customers About Cross-Border Data Flows

Today the Court of Justice for the European Union issued a ruling in a case examining transfers of data from the EU. We appreciate that some of our customers may have questions about the impact of this ruling.

We want to be clear: if you are a commercial or public sector customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.

For years we have provided customers with overlapping protections under both the Standard Contractual Clauses (SCCs) and Privacy Shield frameworks for data transfers. Although today’s ruling invalidated the use of Privacy Shield moving forward, the SCCs remain valid. Our customers are already protected under SCCs.

Today’s ruling also does not change data flows for our consumer services. We transfer data between users, for example, when one person sends email or other online content to another. We will continue to do so in compliance with today’s ruling and further guidance from EU data protection authorities and the European Data Protection Board.

In addition to continuing support for customers who need data to flow across the Atlantic, we will also work proactively with the European Commission and the U.S. government to address the issues raised by the ruling. We recognize the Court raised some important topics for governments to consider as they set policy on how data moves across borders. We’re committed to playing our part, as we’ve done before, in working with governments and regulators on both sides of the Atlantic to help address them. We also know the European Commission and U.S. government will be very focused on resolving these issues and are grateful they are actively engaged.

We routinely work to advance our protections for customers based on developments like today’s. We were the first cloud provider to work with European data protection authorities for approval of Europe’s model clauses, the first to adopt new technical standards for cloud privacy, we embraced Privacy Shield as a successor to Safe Harbor after that framework was invalidated, and we extended core GDPR rights to our worldwide customer base.

Finally, we will continue to take steps to stand up for the rights of our customers. We’ve gone to court to challenge orders seeking access to people’s data or to protect our ability to tell customers about them, taking one case to the U.S. Supreme Court. Our challenges have led to greater protections and transparency for our customers, including through a settlement that enabled us to begin disclosing transparency reports about the number of U.S. national security orders we receive and established new policies within the U.S. government limiting the use of secrecy orders.

Privacy is an ongoing journey, and today’s ruling is not the final word. Our customers can be assured that we are committed to ensuring their data will continue to flow through our services, that we’ll continue our work to provide greater protections based on the issues raised in today’s ruling, and that we’ll work collaboratively with governments and policymakers as they shape new approaches.

Julie Brill
Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer

Building on her distinguished public service career spanning more than two decades at the state and federal level, Julie Brill now leads Microsoft’s international work to elevate privacy as a fundamental human right. Leading the team at the forefront of many of the regulatory issues that underpin the digital transformation, Julie serves as a global authority concerning policy and legal issues involving privacy; internet governance; telecommunications; accessibility; and corporate standards. In 2018, she spearheaded Microsoft’s global adoption of the European Union’s General Data Protection Regulation (GDPR), and now leads Microsoft’s advocacy for complementary privacy mandates around the globe. Nominated by President Barack Obama and confirmed unanimously by the U.S. Senate, Julie Brill served for six years as a Commissioner of the U.S. Federal Trade Commission, where she worked on many issues of critical importance to consumers, including privacy, fair advertising practices, financial fraud, and competition. While at the FTC, Julie was named “the Commission’s most important voice on Internet privacy and data security issues,” a “key player in national and international regulations,” one of the “top minds in online privacy,” one of the top four U.S. government players “leading the data privacy debate,” and one of the “top 50 influencers on big data.”