EU-U.S. data agreement an important milestone for data protection, Microsoft is committed to doing our part

Today, the European Commission and the U.S. government announced an important agreement governing the transfer of data between the EU and the U.S. This new Trans-Atlantic Data Privacy Framework is designed to rebuild and strengthen the data protection bridge between the EU and the U.S. by addressing the concerns of the Court of Justice of the European Union when it invalidated the original Privacy Shield framework in 2020. Microsoft applauds the European Commission and the U.S. government for achieving this important milestone. We greatly appreciate the enormous effort required for this important step, and we look forward to doing our full part to support these new measures and ensure that the new framework’s fundamental privacy protections are fully realized.

Microsoft is committed to embracing the new framework and will go beyond it by meeting or exceeding all the requirements this framework outlines for companies. We will do this through enhancements to how we handle legal requests for customer data and providing further support for individuals concerned about their rights.

This is how it will work:

First, Microsoft will confirm that any demand for personal data from the U.S. government complies with the newly announced Trans-Atlantic Data Privacy and Security Framework. If we believe the demand is not compliant, we will use all lawful means to challenge it.

Second, Microsoft will support the redress process under the new agreement by putting our full legal resources to work and seeking to actively participate in the judicial review of an individual’s claim of harm related to Microsoft’s public sector and commercial cloud services.

Our new commitments build upon our existing Defending Your Data protections, through which we will challenge – on all legal bases – any government demand for personal data we hold on behalf of our public sector and commercial customers, and we will provide monetary compensation if such data is disclosed unlawfully in response to a government request.

What’s new in the EU-U.S. framework for trusted data transfers

This framework addresses two concerns of the Court of Justice in the EU related to U.S. surveillance laws: (1) the scope and proportionality of permissible U.S. national security surveillance activities; and (2) the availability of redress mechanisms for Europeans whose personal data is improperly collected and used by U.S. intelligence agencies. The new framework rightfully makes clear that U.S. surveillance practices must be both necessary and proportionate. And critically, it creates an independent data protection review court to provide effective review and redress for Europeans impacted by improper surveillance.

Microsoft’s solutions provide greater customer protection

As a company, we will continue to advance solutions that further strengthen customer trust in our services, particularly for those customers who want more control over their data.

We will offer enhanced residency capabilities for processing and storing our public sector and commercial cloud customers’ personal data through our EU Data Boundary program. We will also continue to offer state-of-the-art encryption for data at rest and in transit for our Microsoft Cloud products in Azure, Microsoft 365, and Dynamics 365. In addition, we will continue to protect customer data through Microsoft’s unparalleled public cloud cybersecurity protections and solutions. By analyzing more than 24 trillion signals daily, Microsoft provides our government and commercial customers with global visibility into cybersecurity threats that cannot be matched by other cloud providers.

Microsoft supports global solutions

Microsoft will continue to support additional efforts to establish consensus around the globe on the appropriate balance between privacy and security, including through engagement at the OECD and in other global forums. We are committed to helping develop durable global solutions.

The new framework agreed to by the EU and the U.S. sets a very high standard for how governments should seek to access Europeans’ personal data and contains important rights for individuals to obtain redress if their data is accessed inappropriately. It is a welcome development and an important achievement for the data protection rights of Europeans.

Julie Brill
Chief Privacy Officer and Corporate Vice President, Global Privacy and Regulatory Affairs at Microsoft

As Microsoft’s global authority on the responsible use of data, Julie leads Microsoft’s work at the forefront of the tech policy, regulatory and legal issues that underpin the world’s digital transformation. Julie oversees Microsoft’s privacy, digital safety, responsible AI, standards, accessibility, and governance operations and solutions. She also directs the company’s advocacy for responsible data use and policy around the globe. Prior to her role at Microsoft, Julie was nominated by President Obama, confirmed unanimously by the US Senate, and served as a Commissioner of the US Federal Trade Commission (FTC). Julie is active in civil society, serving as a board member of the International Association of Privacy Professionals, a board member of the Center for Democracy and Technology, Governor for The Ditchley Foundation and co-chair of Business at the Organization of Economic Cooperation and Development’s Committee for Digital Economic Policy. She has received numerous accolades for her work, including the Privacy Leadership Award from the International Association of Privacy Professionals, a Top Data Privacy Influencer recognition and the New York University School of Law Alumna of the Year Award, and was elected to the American Law Institute. Brill graduated magna cum laude from Princeton University, and from New York University School of Law, where she held a Root-Tilden Scholarship for her commitment to public service.