Today, the European Commission and the U.S. government announced an important agreement governing the transfer of data between the EU and the U.S. This new Trans-Atlantic Data Privacy Framework is designed to rebuild and strengthen the data protection bridge between the EU and the U.S. by addressing the concerns of the Court of Justice of the European Union when it invalidated the original Privacy Shield framework in 2020. Microsoft applauds the European Commission and the U.S. government for achieving this important milestone. We greatly appreciate the enormous effort required for this important step, and we look forward to doing our full part to support these new measures and ensure that the new framework’s fundamental privacy protections are fully realized.
Microsoft is committed to embracing the new framework and will go beyond it by meeting or exceeding all the requirements this framework outlines for companies. We will do this by enhancing how we handle legal requests for customer data and by providing further support for individuals concerned about their rights.
This is how it will work:
First, Microsoft will confirm that any demand for personal data from the U.S. government complies with the newly announced Trans-Atlantic Data Privacy and Security Framework. If we believe the demand is not compliant, we will use all lawful means to challenge it.
Second, Microsoft will support the redress process under the new agreement by putting our full legal resources to work and seeking to actively participate in the judicial review of an individual’s claim of harm related to Microsoft’s public sector and commercial cloud services.
Our new commitments build upon our existing Defending Your Data protections, through which we will challenge – on all legal bases – any government demand for personal data we hold on behalf of our public sector and commercial customers, and we will provide monetary compensation if such data is disclosed unlawfully in response to a government request.
What’s new in the EU-U.S. framework for trusted data transfers
This framework addresses two concerns of the Court of Justice in the EU related to U.S. surveillance laws: (1) the scope and proportionality of permissible U.S. national security surveillance activities; and (2) the availability of redress mechanisms for Europeans whose personal data is improperly collected and used by U.S. intelligence agencies. The new framework rightfully makes clear that U.S. surveillance practices must be both necessary and proportionate. And critically, it creates an independent data protection review court to provide effective review and redress for Europeans impacted by improper surveillance.
Microsoft’s solutions provide greater customer protection
As a company, we will continue to advance solutions that further strengthen customer trust in our services, particularly for those customers who want more control over their data.
We will offer enhanced residency capabilities for processing and storing our public sector and commercial cloud customers’ personal data through our EU Data Boundary program. We will also continue to offer state-of-the-art encryption for data at rest and in transit for our Microsoft Cloud products in Azure, Microsoft 365, and Dynamics 365. In addition, we will continue to protect customer data through Microsoft’s unparalleled public cloud cybersecurity protections and solutions. By analyzing more than 24 trillion signals daily, Microsoft provides our government and commercial customers with global visibility into cybersecurity threats that cannot be matched by other cloud providers.
Microsoft supports global solutions
Microsoft will continue to support additional efforts to establish consensus around the globe on the appropriate balance between privacy and security, including through engagement at the OECD and in other global forums. We are committed to helping develop durable global solutions.
The new framework agreed to by the EU and the U.S. sets a very high standard for how governments should seek to access Europeans’ personal data and contains important rights for individuals to obtain redress if their data is accessed inappropriately. It is a welcome development and an important achievement for the data protection rights of Europeans.