Today we are announcing a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data storage commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU. This commitment will apply across all of Microsoft’s core cloud services – Azure, Microsoft 365, and Dynamics 365. We are beginning work immediately on this added step, and by the end of next year we will complete the implementation of all engineering work needed to execute on it. We’re calling this plan the EU Data Boundary for the Microsoft Cloud.
The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.
Microsoft cloud services already comply with or exceed EU guidelines even before the plan we’re announcing today. We already provide commercial and public sector customers the choice to have data stored in the EU, and many Azure cloud services can already be configured to process data in the EU as well. In addition, we use world-class encryption and robust lockbox solutions that meet current regulatory guidance. Many of our services put control of customer data encryption in customers’ hands through the use of customer-managed keys, and we defend our customers’ data from improper access by any government in the world.
We have already begun engineering work so our core cloud services will both store and process in the EU all personal data of our EU commercial and public sector customers, if they so choose. This plan includes any personal data in diagnostic data and service-generated data, and personal data we use to provide technical support. We will also extend technical controls such as Lockbox and customer-managed encryption for customer data across Microsoft core cloud services. We will build these EU Data Boundary Solutions into our core cloud services to enhance our current offerings for customers. We will conduct an EU Cloud Customer Summit this fall where we will share more about this work.
Today’s update is part of our commitment to the EU’s vision for a “Europe Fit for the Digital Age,” and an acknowledgement of the role the technology sector needs to play in helping Europe realize its digital aspirations. In addition to processing our commercial and public sector customers’ personal data in Europe, we are also creating a Privacy Engineering Center of Excellence in Dublin to guide our European customers in choosing the right solutions for building robust data protection into their cloud workloads, including to meet regulatory requirements. We are committed to helping build “Tech Fit 4 Europe.”
Our EU Data Boundary for the Microsoft Cloud will be powered by our substantial and ongoing investments in an expansive European datacenter infrastructure. We opened our first datacenter in Europe in 2009, and our EU Data Boundary for the Microsoft Cloud will leverage datacenters we’ve announced or currently operate in 13 countries: Austria, Denmark, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, Spain, Sweden, and Switzerland. These datacenters power cloud services that help our European customers realize their ambitions to achieve digital transformation and increase their competitiveness with the assurance that they can operate in compliance with all applicable laws and regulations. In addition to customers in EU member states, customers in Norway and Switzerland will also have access to the EU Data Boundary.
Microsoft has long demonstrated our commitment to meet and exceed the requirements of EU data protection laws. For instance, we were the first major technology company to affirm our compliance with the GDPR and to extend core GDPR rights and protections to our consumer customers globally – not just to those in the EU. In addition, following the European Data Protection Board (EDPB) draft recommendations on measures that companies should implement as a result of the Schrems II decision, we announced our Defending Your Data initiative, which extends beyond the EDPB recommendations. We will challenge every government request for an EU public sector or commercial customer’s personal data—from any government—where there is a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the GDPR that causes harm.
Microsoft will continue to do all we can to encourage government leaders on both sides of the Atlantic and beyond to address lawful access issues quickly. We’re encouraged by the ongoing discussions between the European Commission and the United States government to build a new framework for Europeans’ personal data that is transferred to the United States. We are optimistic that there will be a resolution in the near future.