Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
EU Data Boundary for the Microsoft Cloud | Frequently Asked Questions
Published May 06 2021 01:00 AM 67.8K Views
Microsoft

**Updated December 2023**

 

Today, we are announcing that on January 1, 2023, Microsoft will begin a phased rollout of our EU Data Boundary solution to public sector and commercial customers in the European Union (EU) and the European Free Trade Association (EFTA).  

 

Beginning on January 1, 2023, Microsoft will offer customers the ability to store and process their customer data within the EU Data Boundary for Microsoft 365, Azure, Power Platform, and Dynamics 365 services. With this release, Microsoft expands on existing local storage and processing commitments, greatly reducing data flows out of Europe and building on our industry-leading data residency solutions.  

 

Microsoft’s cloud services already comply with or exceed EU requirements, and the EU Data Boundary will further enable public sector and commercial customers in the EU and the EFTA to have their data processed and stored within the region. In addition, with the rollout of the EU Data Boundary, Microsoft will publish new data flow documentation available on the new EU Data Boundary Trust Center webpage to provide transparent data insights for customers whose services will be included in the boundary.  

 

With Microsoft, commercial and public sector customers have the choice and flexibility they need to enjoy hyperscale products at the cutting edge of innovation while also meeting regulatory requirements and industry-specific standards. 

 

Q: What will be available as part of the EU Data Boundary on January 1st, 2023?

Microsoft phased a rollout of the EU Data Boundary on January 1, 2023. As part of this first phase, we worked to increase the local storage and processing of Customer Data (as defined in our DPA) for the majority of Azure, Dynamics 365, Power Platform, and M365 services in the EU Data Boundary. There will be some limited continuing transfers of Customer Data after this time to ensure that our customers that use EU Data Boundary services continue to receive the full benefits of hyperscale cloud computing. As part of this first phase of the EU Data Boundary rollout, Microsoft published detailed documentation on these commitments as well as details around services or scenarios that may continue to require limited transfers of Customer Data outside of the EU. In an ongoing commitment to transparency for our customers, Microsoft also documented the EU Data Boundary commitment in both the DPA and Product Terms. Continuing Customer Data transfers will be described in transparency documentation and this documentation will include data flow descriptions. This content will be available on the new EU Data Boundary Trust Center Page.

 

Q: Why do I need the EU Data Boundary if I am already in compliance with EU regulations using Microsoft Online Services Today?

Microsoft Online Services have long conducted transfers in compliance with EU regulations. For customers who need to comply with local regulations, documentation of transfers, including the data and purpose for use are critical. The EU Data Boundary significantly reduces the number of transfer scenarios in cloud computing, massively reducing the work involved in conducting transfer impact assessments and documenting compliance. The EU Data Boundary builds on preexisting compliance and helps our customers make assessing and demonstrating compliance simpler. Additionally, while some functionally necessary transfers of Customer Data will still occur, our new transparency documentation helps you with your impact assessment work relating to these transfers.

 

Q: How can customers get the EU Data Boundary version of Online Services?   

Each Online Service from Microsoft is different in the technical details of how it is deployed and used. Accordingly, each Online Service will have service specific configuration requirements for the service instances you use to adopt the EU Data Boundary. The product terms will include a high-level description of how you obtain EU Data Boundary conforming services. New product documentation will provide the service specific details on how to configure your services.   

 

Q: Will this result in a loss of functionality within the EU Data Boundary?    

The EU Data Boundary is a data residency enhancement of our standard public hyperscale cloud computing services.  There will be no difference in functionality between the EU Data Boundary and our services operating outside the EU Data Boundary.  

 

Q: Will there be an additional cost to customers (price increase) as a result of this work?    

There is no extra charge or price increase as a result of the work we are doing on the EU Data Boundary.  

 

Q: Where can I find the documentation on the continuing data transfers outside of the EU?  

Please refer to the “transparency documentation” available on the EU Data Boundary Trust Center Page. You will find these details in under section 3, “Documented data flows outside of the EU Data Boundary”.  

 

Q: How will the implementation of the EU Data Boundary impact Microsoft’s list of subprocessors? 

Our online services subprocessors may still require access to Customer Data that is stored and processed in the EU Data Boundary.  Subprocessors that access Customer Data in the EU Data Boundary are screened, background checked, and required to meet the highest standards, per the commitments in our Data Protection Addendum.  Remote access to systems that process Customer Data in the EU Data Boundary will be completed through secure machines that ensure access is restricted to approved staff and approved scenarios and is limited in time and scope.  Remote access systems used for these purposes are designed to control and minimize data egress.  

 

Q: What will be coming for Support Data?

We are working to set up the infrastructure, processes, and training to implement localized Support operations in the EU Data Boundary, including by putting into place the following:  

  • Storage of Professional Services Data in the EU Data Boundary.  
  • Provide access to Professional Services Data only via secure remote workstations  
  • Provide an optional paid offering that will provide increased assurance that the first technical support contact will be located in the EU.  

 

Q: What is the connection between the Microsoft EU Data Boundary, the Microsoft Cloud for Sovereignty and Advanced Data Residency?  

These solutions are all designed to help our customers address regulatory requirements, meet industry-specific standards, and maintain compliance with their own unique organizational policies.

 

EU Data Boundary: Helps customers meet data residency preferences in the EU, by delivering public cloud services that store and process Customer Data in the EU for Azure, Microsoft 365, Dynamics 365, and Power Platform. (See the EU Data Boundary Trust Center page for more details)  

 

M365 Advanced Data Residency: M365 Advanced Data Residency is designed for customers who want more granular controls over the location of their Microsoft 365 Customer Data. With Microsoft 365 ADR we have extended our worldwide commitments for Customer Data storage at rest beginning Nov 2022. (See the Advanced Data Residency page for more details) 

 

NOTE: Our other enterprise services have also made a long-standing commitment to store Customer Data at rest in Geographies across the world.  For more information about our standard data residency capabilities available for Azure, Dynamics365, and Power Platform, see data residency capabilities in Azure, Dynamics, and Power Platform. 

 

Microsoft Cloud for Sovereignty: a new solution that will enable public sector customers to build and digitally transform workloads in the Microsoft Cloud while meeting their compliance, security and policy requirements. Today, public sector customers can harness the full power of the Microsoft Cloud, including broad platform capabilities, resiliency, agility and security. With the addition of Microsoft Cloud for Sovereignty, they will have greater control over their data and increased transparency to the operational and governance processes of the cloud. (See the Microsoft Cloud for Sovereignty page for more details) 

 

Q: Will Microsoft continue to invest in the EU Data Boundary once the EU-U.S. Data Privacy Framework is fully adopted?  

Yes. Microsoft welcomes and is certified under the EU-U.S. Data Privacy Framework.

 

Q: How will the U.S. and other government requirements be treated under the new EU Data Boundary?   

Through clearly defined and well-established response policies and processes, strong contractual commitments, and if need be, the courts, Microsoft defends your Customer Data. We believe that all government requests for your Customer Data should be directed to you. As we commit to customers in our Data Protection Addendum, we do not give any government direct or unfettered access to Customer Data or our customers’ personal data. If Microsoft receives a demand for Customer Data, we will direct the requesting party to seek the data directly from the customer. If compelled to disclose or give access to any customer’s data, Microsoft will, if possible, promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so. We will challenge every government request for an EU public sector or commercial customer’s personal data—from any government—where there is a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the GDPR and that results in harm to the customer.

 

Data Security:

Q: How will the EU Data Boundary ensure the security of my data? Are there any specific security measures in place for the EU Data Boundary compared to the existing setup?

The EU Data Boundary initiative underscores heightened data protection by confining data to the EU and EFTA regions, mitigating risks associated with broader international transfers. Beyond our standard encryption and monitoring protocols, the initiative adds robust access controls and employs pseudonymization techniques. This approach blends our global security protocols with European-specific enhancements, optimizing data protection.

 

Data Residency and Control:

Q: What assurances does Microsoft provide that my data will remain solely within the EU Data Boundary? How does Microsoft differentiate between "customer data" and "pseudonymized personal data"?

Microsoft's EU Data Boundary initiative increases the amount of data that stays within the EU and EFTA regions. We use strict controls to monitor and enforce this. "Customer Data" encompasses user-provided content like apps, emails, and files (varies depending on the service being used). "Pseudonymized personal data" is processed so it can't directly link to an individual, adding an extra layer of privacy. The EUDB focus on Customer Data began in Phase 1 and continues. Pseudonymized personal data is the additional focus for Phase 2.

 

Compliance and Regulations:

Q: Will the EU Data Boundary help in GDPR compliance? How will Microsoft address potential conflicts between EU regulations and regulations from other countries?

Absolutely, the EU Data Boundary initiative is designed to align closely with GDPR requirements by limiting data transfers outside of the EU. This enhancement streamlines compliance efforts for customers within the European landscape. Regarding potential regulatory conflicts, Microsoft remains committed to adhering to EU regulations while operating within its boundaries.

 

Roadmap and Future Developments:

Q: What is the expected completion date for all three phases? Are there plans for further phases after Phase 3?

The completion for all three phases is projected for December 31, 2024. As for post Phase 3 developments, while the primary objectives are covered in the first three phases, we are continually evaluating the needs and feedback of our customers. There may be additional enhancements or expansions based on evolving requirements and technological advancements. We remain committed to keeping our users updated on any subsequent phases or modifications to our roadmap.

 

Global Security Operations:

Q: How does Microsoft ensure data transferred outside the EU is secure?

Microsoft employs stringent measures to protect all transferred data. Access is exclusively granted to authorized security personnel and utilized for the purpose of enhancing customer protection and supporting Microsoft infrastructure. The data is safeguarded with robust encryption, access controls, and, in certain cases, pseudonymization. Additionally, our contractual commitments further secure our customers’ data.

 

Q: What benefits does consolidated global data analysis provide in terms of cybersecurity?

Analyzing threat data across borders is crucial for countering sophisticated, globally coordinated cyber threats. It enables rapid and efficient detection, protection, and response to potential security incidents, significantly bolstering the security of customer environments and resources.

 

Q: How does cross-boundary data analysis comply with data protection regulations?

Microsoft is committed to upholding privacy, data protection, and security. Our practices are in line with the General Data Protection Regulation (GDPR Art. 32) and the EU Charter of Fundamental Rights (Art. 6). The data transferred outside the EU is utilized to strengthen security measures, ultimately supporting regulatory interests in protecting personal data and critical infrastructure. Additionally, we are certified under the Data Protection Framework, which further demonstrates our unwavering commitment to protecting personal data and adhering to stringent data protection standards.

 

Q: Can customers opt-out of having their data transferred outside the EU for security analysis?

Security is a paramount concern, and the transfer of limited and necessary data outside the EU is integral to maintaining a robust defense against global threats. Customers entrusting their data to Microsoft are protected by our advanced security measures and contractual commitments.

 

Q: How does Microsoft Security Operations utilize cross-geo boundary data?

Data collected across geo boundaries is pivotal for Microsoft Security Operations, helping block malicious activities and ensuring the security of our platforms and services. The data is transferred to secure Azure data centers, allowing our security teams to provide uninterrupted, efficient, and effective security services 24/7/365.

6 Comments
Version history
Last update:
‎Jan 08 2024 10:54 AM
Updated by: