Blog

Privacy in the Cloud: Microsoft’s Service Contracts are the First to Satisfy European Privacy Law

As Microsoft continues to nudge clients toward cloud-based enterprise solutions, it can now celebrate a key stamp of approval from Europe.

Brad Smith, Microsoft’s General Counsel, announced recently that the European Union’s Article 29 Working Party — which includes data protection authorities from the EU member states and the European Commission — found that Microsoft’s enterprise cloud contracts meet the high standards of EU privacy law. According to Smith, “this ensures that our customers can use Microsoft services to move data freely through our cloud from Europe to the rest of the world.”

Microsoft appears to be the first corporation to receive such an endorsement from European regulators. But what exactly does it mean? The Article 29 Working Party concluded that Microsoft’s enterprise cloud services contracts comply with the standards of EU privacy law set forth in the EU “Model Clauses.” The Model Clauses are a set of contract provisions developed by the Article 29 Working Party and adopted by the European Commission in 2010. These provisions are intended for use in contracts between service providers and their customers to ensure that adequate safeguards are in place to protect personal data transferred out of the EU. Essentially, the Working Party found that the provisions in Microsoft’s cloud service contracts are consistent with the Model Clauses.

Microsoft touts this recognition from the Working Party as a significant benefit for its customers, assuring them that “personal data stored in Microsoft’s enterprise cloud is subject to Europe’s rigorous privacy standards no matter where that data is located.” One important advantage for Microsoft’s enterprise customers is that they will need fewer approvals from individual data protection authorities to transfer personal data outside of the EU, because most EU member states do not require an authorization from the local data protection authority if the transfer is based on an agreement that complies with the Model Clauses, as Microsoft’s contracts now do.

Kudos to Microsoft for following through on its commitment to comply with privacy laws by rolling out contracts that meet the high bar set by EU regulations. But this is just the first step towards greater privacy and security protections for personal information traveling around the world in the cloud. Other cloud service providers must follow suit with cloud privacy. And the commitments on paper must be backed up by compliance in practice — both the service providers and their customers need operational and technological processes that effectively secure personal information.

At DiscoverReady, we recognize and honor the strict privacy laws that govern our clients’ data coming from the EU. DiscoverReady fully complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework. DiscoverReady has certified, and continues to adhere to, the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. And all of our clients’ data, regardless of where it originates, benefit from our industry-leading privacy and security protections. While many aspects of international data privacy remain cloudy, companies like Microsoft and DiscoverReady are working hard to ensure clear skies for the security of our customers’ information.

Maureen O'Neill