Microsoft, AWS Move To Comply with Revamped EU Privacy Law

As they each expand their cloud footprints in Europe, Microsoft and Amazon Web Services (AWS) are touting their support for the European Union's newly revamped data privacy regulations.

This week, both cloud providers issued announcements related to their compliance with the General Data Protection Regulation (GDPR), which represents the first major overhaul of the EU's aging data privacy laws in two decades. The GDPR aims to "harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy."

Approved by EU lawmakers last spring, the GDPR will begin to be enforced on May 25, 2018.

Microsoft on Wednesday said that it is taking steps to ensure that its entire cloud services portfolio is fully compliant with the GDPR in time for its enforcement. Companies will be able to "leverage our broad portfolio of enterprise cloud services to meet your GDPR obligations for areas including deletion, rectification, transfer of, access to and objection to processing of personal data," wrote Brendon Lynch, Microsoft's chief privacy officer, in a blog post.

Microsoft also plans to update its licensing agreements and security notification processes to comply with the new GDPR requirements.

"As the fast-approaching GDPR deadline draws closer, we look forward to working in close partnership with you on GDPR compliance. We will continue to share the resources, tools and solutions you need to help develop your own compliance plan. In March, we will announce the details of our contractual commitments in accordance with GDPR rules. In the coming months, we will hold workshops, and host webinars for all customers and partners," Lynch wrote.

For its part, AWS on Monday announced that it has joined the Cloud Infrastructure Services Providers in Europe (CISPE), a group of roughly 20 cloud infrastructure providers whose goals include establishing industrywide compliance with the GDPR through its Code of Conduct.

"One of CISPE's key priorities is to ensure customers get what they need from their cloud infrastructure service providers in order to comply with the new EU General Data Protection Regulation (GDPR)," wrote Stephen Schmidt, AWS vice president and chief information security officer, in a blog post. "With the publication of its Data Protection Code of Conduct for Cloud Infrastructure Services Providers, CISPE has already made significant progress in this space."

On the service level, six of AWS' cloud products -- Amazon EC2, Amazon S3, Amazon RDS, AWS Identity and Access Management, CloudTrail and Amazon EBS -- are certified to be compliant with the CISPE Code of Conduct.

"This provides our customers with additional assurances that they fully control their data in a safe, secure, and compliant environment when they use AWS," Schmidt said.

AWS is the arguably the largest cloud provider in the CISPE's roster by market share. Neither Microsoft nor Google -- AWS' two closest competitors in the public cloud market -- is a member.

These announcements by AWS and Microsoft come as the two companies rapidly expand their cloud footprints in Europe, where laws related to data sovereignty can be especially stringent. A recent report by Canalys concluded that "[s]trict data sovereignty laws and customer demand are pushing cloud service providers to build data centers in key markets, such as Germany, Canada, Japan, the UK, China and the Middle East; where personal data is increasingly required to be stored in facilities that are physically located within the country."

AWS currently has datacenter regions in Ireland, Frankfurt and, as of late 2016, London, with plans to open a region in Paris later this year. Microsoft also has regions located throughout Europe, including the Netherlands, the United Kingdom and, most recently, Germany. Like AWS, Microsoft also plans to launch a Paris region in 2017.

About the Author

Gladys Rama is the senior site producer for, and


  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • After High-Profile Attacks, Biden Calls for Better Software Security

    Recent high-profile security attacks have prompted the Biden administration to issue an executive order aiming to tighten software security practices across the board.

  • With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

    Hybrid networks, which combine use of cloud services with on-premises software, require a "zero trust" security approach, Microsoft said this week.

  • Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

    A recent ransomware attack on a U.S. fuel pipeline company has put a spotlight on how "critical infrastructure" organizations can prevent similar attacks.