
Microsoft EU Data Boundary initiative now complete, but how ironclad is it?

An announcement by Microsoft that it has completed the EU Data Boundary for the Microsoft cloud is a step towards improved data residency in Europe, but it does not tell the whole story, an industry analyst said Monday.

Last week, the company announced via a blog post the completion of the third and final phase of an initiative that allows its European commercial and public sector users to “store and process their customer pseudonymized personal data for Microsoft core cloud services — including Microsoft 365, Dynamics 365, Power Platform, and most Azure services — within the EU and EFTA (European Free Trade Association) regions. In addition, Microsoft will store professional services data from technical support interactions for the core cloud services within the EU and EFTA regions.”

According to a company fact sheet, the first phase of the initiative, which was launched in January 2023, focused on “increasing the local storage and processing of customer data within the EU and EFTA. That was followed by Phase 2 last January [2024] which involved pseudonymized personal data, which Microsoft defines as data altered to remove direct identifiers processed and stored in the EU/EFTA regions.”

Phil Brunkard, executive counselor at Info-Tech Research Group UK, said of the announcement, “Microsoft says that customer data will remain stored and processed in the EU and EFTA, but doesn’t guarantee true data sovereignty.”

US laws like the CLOUD Act, he said, “still grant the US government the authority to access this data. So, the question is, can European governments actually restrict this kind of access? Could a single US executive order override these commitments? Residency, in this case, does not necessarily mean control.”

Brunkard added, “the UK’s status is outside the EU, and Microsoft’s announcement doesn’t clarify how UK-based organizations fit into this framework. We can only assume that the same principles apply, and Microsoft will continue to align with the UK’s specific data protection requirements irrespective of the EU position.”

Brunkard had this advice for EU organizations: “They should not take Microsoft’s headlines at face value; instead, they should read between the lines and scrutinize any inevitable exceptions, exclusions, and conditions. If these organizations really want to prioritize true data sovereignty, they should rely on local provider partners that are hosting Microsoft services, which can offer stronger assurances that data remains under European jurisdiction without any external interference.”

Microsoft, meanwhile, said that while the EU Data Boundary keeps the majority of personal data within the EU/EFTA, “certain limited data transfer may be necessary for global security operations. This data is used to enhance threat detection, investigation, remediation, and prevention across all regions.”

It went on to state that it uses protections such as “encryption, pseudonymization, and strict access controls, ensuring that only authorized security personnel access it. The global threat intelligence gained from these transfers is crucial for detecting and mitigating cyberattacks.”

Robert Kramer, VP and principal analyst at Moor Insights & Strategy, said of the announcement by Microsoft that it was not unexpected, “but I think it was necessary. Data is the overall most important component of enterprises, specifically for AI and for cloud. The one thing that people always talk about is AI and data, but it’s super important to understand compliance and security. This [the EU Data Boundary] helps because it gives transparency, and it gives customers more control over their data.”

In a situation such as this, he said, you have to “work your way backwards instead of forwards, because if you work your way backwards, you understand that compliance is a big deal, and that customer trust and transparency is a big deal.”

Source: Network World
