Enlarge image
Microsoft President Brad Smith: Promises to protect customer data
Photo: Tobias Hase / dpa
From the point of view of the European Court of Justice (ECJ), the United States is on a par with Russia and China when it comes to data protection.
For companies and public administrations in Europe, working with cloud services from US companies such as Amazon, Google and Microsoft is particularly tricky because the US secret services may have access to the data stored there.
Microsoft has now launched a far-reaching product offensive to address these data protection concerns in Europe.
Microsoft customers in the European Union should in future be able to process and store their data exclusively in the EU.
"We will not have to transfer any data from these customers out of the EU," announced Microsoft President Brad Smith in a blog entry on Thursday.
Microsoft is reacting to two judgments of the ECJ on data exchange between the USA and Europe.
At the instigation of data protection activist Max Schrems, the court initially overturned the "Safe Harbor" agreement in October 2015.
Last June, Schrems also brought down the successor regulation “Privacy Shield” before the ECJ.
US intelligence agencies have wide-ranging options
With the two judgments, the commercial transfer of data to the USA was partially deprived of the legal basis. According to the ECJ, the USA does not have a level of data protection comparable to that of the EU. The US “Cloud Act”, which enables the US secret services to confiscate data with the help of secret courts - also outside the US, is viewed as critical. The new US administration under President Joe Biden had recently shown openly to sign a new comprehensive data protection agreement with the EU.
After the first ECJ ruling on the “Safe Harbor”, cloud providers such as Amazon (AWS), Google and Microsoft switched to so-called standard contractual clauses in which they promised compliance with data protection regulations. In addition, the cloud companies offered server locations in Germany and other European countries. With the second ECJ ruling on the successor regulation “Privacy Shield” it was clear that the server location and contractual clause alone are not sufficient to meet the requirements of the General Data Protection Regulation (GDPR).
Many responsible persons in European companies and public administrations, who had opted for a solution from a US provider, ignored the shaky legal basis and just got started.
Others put the investment decision on the back burner.
According to a survey by the digital association Bitkom in November 2010, more than every second company (56 percent) new, innovative projects failed due to the GDPR.
The difficult data exchange with the USA also played a major role.
For business customers only
The new Microsoft offer of an »EU data border« is aimed at companies and the public sector, not at private users. The obligation will apply to all central Microsoft cloud services - Azure, Microsoft 365 (including Microsoft Office and Teams) and Dynamics 365. »We have already started the technical preparations so that our central cloud services can provide all personal information as quickly as possible The data of our corporate customers and customers of the public sector can only be stored and processed in the EU if they so wish, «says the blog entry by Smith.
However, it remains unclear whether the data border can actually eliminate the legal uncertainties when transferring data between Europe and the USA.
According to reports, Microsoft is still legally responsible for the data in its cloud.
The company from the US state of Washington is subject to US law.
The Austrian data protection activist Max Schrems is therefore critical of Microsoft's offer: "After Microsoft USA apparently continues to have access to the data, they must continue to publish the data under US law," Schrems told the German press agency.
»Unfortunately, the storage location does not help as long as access from the USA is possible.
A legally stable solution would need a unit in the EU that is completely free of instructions and with which the data remains. "
Microsoft believes it has found a way out: The US intelligence services' right of access could be technically undermined if customers effectively protect their data in the cloud themselves. "With many of our services, the control over the encryption of the data through the use of customer-managed keys lies in the hands of the customers themselves," said Microsoft President Smith. This would use cryptographic keys that are not managed by Microsoft, but by the customers themselves. "We also protect our customers' data from unauthorized access by government agencies," explained Smith.
Experts also point out that the long arm of the US judiciary can also strike providers that are not from the USA.
Any company with an office in the United States could be involved in legal proceedings in the United States.
mak / dpa
