Microsoft says it has completed a multi-year project to enable cloud services to store and process data in the EU.
The project, the EU data boundary for Microsoft Cloud, began in January 2023, lasted for two more years, and ultimately concluded this February, Microsoft said. European customers can store and process Microsoft Core Cloud Services data, including Microsoft 365, Dynamics 365, Power Platform, and most Azure services, within the EU and the European Free Trade Association Region (EFTA).
More and more tech giants and cloud providers are offering European data residency programs in line with the EU data boundary policy. These will help customers comply with local European privacy and data protection laws, such as GDPR, German federal data protection laws and UK data protection laws. Data residency refers to the physical location of an organization’s data and the local laws and policy requirements imposed on that data.
According to Microsoft, for cloud services supported by the EU data boundary, customer data and “pseudonymized” personal data are stored and processed in data centers located in the EU or countries within the EFTA. Like certain log data, Professional Services data, including data provided to Microsoft, is stored at rest.
Microsoft points out that for certain Azure services, customers may need to obtain a commitment to professional services data storage. This page provides an overview of the requirements.
EU regulators have spent years worrying about how Microsoft handles data from users of cloud services. This relates to the lack of clarity in the language of the Microsoft data processing billing and cloud service contracts. To be fair, Microsoft is not the only target. In May 2023, Meta was fined $1.3 billion to the US for Irish data transfer over Irish data transfer.
In July 2023, the EU and the US agreed to a new “Data Privacy Framework” that allows data transfers as long as certain privacy guarantees and protections are in place. Despite this, Microsoft announced last year it plans to maintain personal data for all European cloud customers in the EU.