EU data protection regulator says Microsoft enterprise cloud contracts are in line with EU privacy requirements

Out-Law News | 14 Apr 2014 | 4:43 pm | 3 min. read

Microsoft’s revised enterprise cloud contracts have won the approval of European Union data protection authorities, the technology company has confirmed.

In a decision which one legal expert said will put other enterprise cloud providers' compliance with EU privacy requirements under scrutiny, EU regulators have indicated that changes which Microsoft has made to its enterprise cloud contracts bring the contracts in line with EU privacy requirements.

According to Microsoft, the company is the first enterprise cloud provider to receive such approval from EU data protection authorities. The decision applies in particular to Microsoft Azure, Office 365, Microsoft Dynamics CRM and Windows Intune, the company said.

Microsoft was informed of the ruling in a letter from the Article 29 Data Protection Working Party, the independent advisory body established by the European Parliament to focus on data protection. The body is made up of privacy regulators from each EU member state, the European Data Protection Supervisor and the EU Commission.

In a joint letter to Microsoft the Working Party said that the new version of Microsoft's Enterprise Enrollment Addendum Microsoft Online Services Data Protection Agreement (MS Agreement) and its Annex Standard Contractual Clauses (processors) "will be in line with" model standard contractual clauses set out by the European Commission in 2010.

"In practice, this will reduce the number of national authorisations required to allow the international transfer of data (depending on the national legislation)", the Working Party's letter said. "The Working Party thanks Microsoft for the constructive collaboration that leads to these positive conclusions."

Dervish Tayyip, Assistant General Counsel at Microsoft, said: "This is an important development for our customers at a number of different levels. Firstly, it builds upon Microsoft’s recent announcements concerning the implementation of encryption for our enterprise services and enabling our enterprise customers to store their content in existing data centres in their region.

"Secondly, the legal protections that Microsoft has offered customers through the EU model clauses for a number of years have now received public and explicit confirmation from European regulators to the effect that Microsoft is indeed offering the ‘gold standard’, meaning that data can be safely transferred globally," Tayyip said.

"Microsoft is the first and only enterprise cloud provider to have received such confirmation," added Tayyip. "It’s important for Microsoft’s customers that their cloud provider has had this active engagement with the regulators to address compliance issues. It also demonstrates how Microsoft is enabling customers to achieve compliance. As a result of the confirmation, customers can have more confidence that what they are buying is compliant. No other enterprise cloud provider has the same degree of validation that has now been received by Microsoft."

Current EU data protection laws prevent companies sending personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 28 EU member states, Iceland, Norway and Liechtenstein.

When a company wants to send personal data to non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one company within a group to another.

Issues surrounding cloud storage system security have been a matter of public debate in Europe for some time, amid concerns about whether businesses based within the EU can comply with EU data protection rules if they use US-based cloud providers to store personal data.

The debate has been heightened by concerns about the extent to which data held by European businesses can be accessed by US authorities when those businesses contract with US-based cloud providers to store that information.

These concerns led Microsoft to allow non-US customers to have their personal data stored on regional servers outside the US, in contrast with other large technology groups which have expressed their resistance to such a model.

"The EU’s data protection authorities have found that Microsoft’s enterprise cloud contracts meet the high standards of EU privacy law," wrote Brad Smith, Microsoft’s General Counsel and Executive Vice President of Legal and Corporate Affairs, on the official Microsoft blog. "Other companies talk about their commitment to comply with EU privacy law – but we’ve enshrined that commitment in our contracts."

Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: “This is a very welcome development for Microsoft and a milestone in their long term strategy to ensure that their cloud services take EU data protection requirements fully into account. The detail behind the approval will be important to scrutinise, but in simple terms this puts a spotlight on other major vendors as to how far they are going in ensuring that their cloud offerings measure up against EU data protection requirements.

“This ought to give comfort to EU organisations thinking of adopting any of Microsoft’s cloud services; clearly they will need to ensure that the contractual terms they enter into with Microsoft match the headlines.”