Microsoft is no stranger to the chilling effects of European regulation, facing fines for some of its own practices and seeing rivals like Google get off the hook more lightly. But today comes a piece of good news for Redmond: the data protection authorities (DPAs) of all 28 European member states have decided that Microsoft’s enterprise cloud services meet its standards for privacy. This makes Microsoft Azure, Office 365, Microsoft Dynamics CRM and Windows Intune the first services to get such approval.
The privacy decision was made by the “Article 29 Data Protection Working Party,” which notes that this will mean that Microsoft will not have to seek approval of individual DPAs on enterprise cloud contracts.
In its letter to Microsoft (embedded below), chair Isabelle Falque-Pierrotin writes, “The MS Agreement, as it will be modified by Microsoft, will be in line with Standard Contractual Clause 2010/87/EU… In practice, this will reduce the number of national authorizations required to allow the international transfer of data (depending on the national legislation).”
Data privacy has been a long-standing issue in Europe, with the model clauses for best practice very much predating the Age of Snowden. But more recent events have certainly heightened awareness among consumers, businesses and governments of how data is used (and abused). That in turn has led to a number of proposals about how to handle it in the future.
The flip side, however, has been a potential minefield for the world of tech: so many networked services and data sit on the same cloud infrastructure that is now under more intense scrutiny for data protection and privacy violations than ever before. The trick for companies like Microsoft is to meet standards set by regulators (and their own customers, and their own code of ethics, if we’re honest) while continuing to provide a smooth service without lots of hiccups. This is as much a business imperative as anything else. “Ultimately, customers will entrust their information to the cloud only if they have confidence that it will remain secure there,” writes Brad Smith, Microsoft general counsel and EVP for legal and corporate affairs, in a blog post announcing the news.
As a result of the recent decision, Microsoft says it will send out notices, starting July 1, to current customers with addendums to their existing agreements, for them to become party to the new recognition.
“The EU approval requires that customers execute a short, standardized addendum to their current agreements in order to take advantage of this new recognition, and we will create a very simple process to facilitate this,” writes Smith.
Smith notes that this will effectively mean that customers of Microsoft’s enterprise cloud services can use those services “to move data freely through our cloud from Europe to the rest of the world.”
“By acknowledging that Microsoft’s contractual commitments meet the requirements of the EU’s ‘model clauses,’ Europe’s privacy regulators have said, in effect, that personal data stored in Microsoft’s enterprise cloud is subject to Europe’s rigorous privacy standards no matter where that data is located. This is especially significant given that Europe’s Data Protection Directive sets such a high bar for privacy protection.”
Among proposals in the works that Microsoft is hoping to address with this latest development is a Safe Harbor Agreement covering data transferred from Europe to the U.S., and then processed by U.S. organizations. The European Parliament has voted to suspend that Safe Harbor Agreement, although that has yet to be implemented.
Smith notes in his post that one of the effects of this recent privacy approval will be that, regardless of whether it does, its customers’ use of Microsoft’s cloud services will not be curtailed. That’s not to say that Microsoft has gotten approval to process the data, but that it has proven to the authorities that it would not.
Smith notes also that Microsoft’s agreements go one step further now. “Even if the Safe Harbor Agreement remains in place, it covers only transfers from Europe to the U.S. Our approved contractual commitments, by contrast, enable transfers globally,” he notes.
He says that this is just the beginning of what Microsoft is putting in place. “We have had and will continue to do the hard work to ensure that we can comply both technically and operationally with the stringent obligations imposed by these contractual commitments,” Smith writes. “All of our customers, whether they have operations in Europe or elsewhere, benefit from the strong engineering protections we have put in place as a result.”
The developments today come in the wake of Microsoft making other efforts to demonstrate that it’s making an effort to protect customer data. Other initiatives include the group that also includes Aol, Apple, Dropbox, Facebook, Google, LinkedIn, Twitter and Yahoo called Reform Government Surveillance. And it has also, like others, implemented encryption capabilities for enterprise users.