News

Microsoft Azure, Office 365 Get EU Privacy Approval

• By Kurt Mackie
• April 14, 2014

Some of Microsoft's cloud-based services have been endorsed by the European Union's Data Protection Authorities (DPAs) as meeting EU privacy law standards.

According to an announcement on Thursday by Microsoft, the 28 DPAs issued a joint letter on April 2 (PDF) signifying approval. The DPAs represent local authorities within the European Union that oversee privacy protections for data services.

Products such as "Microsoft Azure, Office 365, Microsoft Dynamics CRM and Windows Intune" have met privacy standards for transferring data outside the European Union, according to Brad Smith, Microsoft's general counsel and executive vice president of Legal and Corporate Affairs. Microsoft plans to ensure compliance by issuing standard agreements with its EU enterprise customers, starting on July 1.

Smith didn't mention some of Microsoft's consumer services, such as Office.com. Microsoft's biannually released Law Enforcement Requests reports typically show consumer services as being the most subject to government legal investigatory processes.

The endorsement of some of Microsoft's commercial cloud-based services by the DPAs no doubt puts some wind into Microsoft's sails with regard to its European cloud computing markets. As a U.S.-based company, Microsoft has to comply with U.S. laws, which include nontransparent processes such as the U.S.A. PATRIOT Act and the secret nonpublic proceedings of the U.S. Foreign Intelligence Surveillance Court. Microsoft has also faced unsettling allegations that it participated in covert U.S. National Security Agency spying programs, such as the PRISM program, in the wake of public disclosures by former NSA contractor and whistleblower Edward Snowden.

Smith claimed that Microsoft would next work to ensure EU privacy protections for all of Microsoft's enterprise customers.

"Building on this approval, we will now take proactive steps to expand these legal protections to benefit all of our enterprise customers."

He no doubt meant all EU enterprise customers, since the United States offers few privacy protections with regard to commercial data services.

In March, members of the European Parliament suggested suspending a "Safe Harbor Agreement" with the United States, which allows data to be legally transferred to the United States, in reaction to reports of widespread NSA spying. Smith suggested that Microsoft's enterprise customers would not have to worry that their services would be interrupted should that agreement get suspended.

Microsoft, which has invested billions in its cloud-computing infrastructure around the globe, has been looking to assure its customers abroad. Smith previously suggested that Microsoft would allow its customers choice on where their data were located, but that's also been a past requirement in EU countries. Smith has also promised that Microsoft would add encryption to its datacenters sometime this year.

Data privacy laws in EU countries specifically limit what service providers can do with customer data. The lack of U.S. legal protections is quite striking in contrast.

For instance, per the European Union's General Data Protection Regulation, the business controlling the user's data has the burden to prove that users of the service consented to the processing of their personal data. Service providers can't process data to pull out information on race, sex, ethnicity, political opinions or suspected offenses. Users of services also have the power to erase their data.

Service providers that violate these EU regulations get a warning on the first instance. However, afterward, the service provider would be subject to periodic audits, a €1 million fine or a 5-percent annual income penalty.

Smith noted that "this is an important week for the protection of our customers' privacy." However, early on in the process, Microsoft was opposed to many of the specific protections that got included in the European Union's General Data Protection Regulation. For instance, in 2012, Microsoft argued against letting users opt out from information sharing. It also opposed the "right to be forgotten," where users can ask that their information be wiped from the service, among other such requests.