Microsoft vows an EU "data boundary" for customer, telemetry data
The move comes under huge pressure on sovereignty from EU policy makers
Microsoft will build an EU data boundary that keeps both customer and telemetry data within Europe in a move that will apply to cloud offerings Azure, Microsoft 365, Dynamics 365 and Power BI.
The news was first reported by Reuters. Julie Brill, Microsoft’s Chief Privacy Officer, told the agency: “The first phase will be customer data. And then as we move into the next phases, we will be moving logging data, service data and other kind of data into the boundary” (by end-2023 and end-2024 respectively.)
The decision comes as European policy makers have warned that Microsoft services which store data in the US are non-compliant with European data regulations like GDPR and 2020’s "Schrems II" ruling and broader pressure has mounted on European institutions to consider "sovereign" digital alternatives.
(Europe's data watchdog earlier this year slapped one of its own agencies, border control force Frontex, on the wrist for planning a move to Microsoft 365 without "a thorough process whereby the existence of data protection compliant, alternative products and services meeting Frontex’s specific needs were assessed.")
Schrems II refers to a July 16 2020 verdict by the Court of Justice of the European Union that ruled that the EU-US Data Protection Shield, on which many companies relied on to transfer their data between the US and the EU, was invalidated due to concerns around surveillance by US state and law enforcement agencies.
Microsoft data boundary: EU data watchdog continues investigation
"As we dived deeper into this project, we learned that we needed to take a more phased approach," Brill told Reuters of the planned Microsoft data boundary.
“We are creating this solution to make our customers feel more confident and to be able to have clear conversations with their regulators on where their data is being processed as well as stored," she added in a report published December 15 by the wire agency.
Microsoft's move comes amid two ongoing EDPS investigations on the use of cloud services following the Schrems II judgment, one regarding the use of cloud services provided by AWS and Microsoft under so-called "Cloud II" procurement contracts by European Union institutions, bodies and agencies (EUIs), and one regarding the use of Microsoft Office 365 by the European Commission.
Previous pressure by European regulators on Microsoft resulted in it updating its Online Services Terms (OST) for commercial cloud contracts in 2019, to acknowledge that Microsoft is a data controller under GDPR when providing the services.
Get The Stack's weekly newsletter on LinkedIn with a single click
Brill had said of that change at the time that “We will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune.”
That shift had followed a report by the European Data Protection Supervisor (EDPS) on October 21, 2019, that raised “serious concerns over compliance” and “the role of Microsoft as a processor for EU institutions” – that report had also noted “there is significant scope for improvement in the development of contracts between public administration and the most powerful software developers and online service outsourcers.”
It had come amid debate over who is the data controller when certain Microsoft products serve European organisations, then “phone home” with extensive telemetry data.
Given liberal permission to phone home (this can be adjusted by end-users), a computer running Windows 10 will fire information about up to 1,200 “events” on the computer, the software, and its user’s behaviour back to Microsoft’s US-based database. At any point, approximately 10 teams of engineers will have access to the data harvested, and this collection of telemetry data is dynamic: Microsoft engineers can add new types of events to the telemetry stream without prior notice to the users. (Microsoft Office 365 telemetry alone spans between 23 and 25 thousand events, in the hands of 20-30 engineering teams, Dutch analysis shows.) Such OS telemetry does not appear to be in the scope of the new Microsoft data boundary although The Stack will seek to clarify this.
Microsoft has a European data centre presence in Ireland, France, Germany, the Netherlands, Norway, Sweden, and Switzerland, with plans for regions in Austria, Belgium, Denmark, Finland, and Italy.