Microsoft’s enterprise cloud contracts have been given the data security seal of approval by the Article 29 Working Party (which represents the national data protection agencies across the EU). The statement from Brussels confirmed that the contracts comply with the EU’s data protection laws and meet the high standards of its model clauses. Subject to national legislation, this means that there will be fewer national authorisations required to allow the international transfer of data via Microsoft’s cloud.
In the Official Microsoft Blog, Microsoft’s General Counsel, Brad Smith, wrote that the decision “ensures that our customers can use Microsoft services to move data freely through our cloud from Europe to the rest of the world.” Microsoft is the first and so far the only company to receive this approval, which applies to Microsoft’s enterprise cloud services, including Microsoft Azure, Office 365, Microsoft Dynamics CRM and Windows Intune. This could force rival global corporate cloud providers such as Amazon, Verizon and Salesforce to follow suit as pressure for higher data protection standards in the market continues to grow, particularly following the Edward Snowden revelations last year.
Ever since the former US National Security Agency contractor began releasing US surveillance secrets, European business leaders have threatened to stop using US data centres to store their information, which led to the European Parliament and EU Commissioners threatening to suspend the US Safe Harbor. However, according to Smith, this decision means that even if the EU does suspend the US Safe Harbor, Microsoft enterprise customers’ use of global cloud services will not be interrupted or curtailed, as Microsoft’s approved contractual commitments go beyond US-EU transfers; global data transfers are also safe in Microsoft’s hands.
However, all is not quiet on Microsoft’s consumer services front. EU data protection watchdogs remain concerned about the changes it made in 2012 to the privacy settings for its Hotmail, Windows Live instant messaging and Bing search products. Last year the Article 29 Working Party launched a similar investigation into Google and subsequently demanded that it substantially change its privacy policies or face fines.
The fact that market leaders like Microsoft have implemented these changes to their cloud contracts should be seen as a positive step towards enforcing necessary change in the market. However, there is still a long road ahead to securing a uniform approach to international data transfers.