A new update from Microsoft should reassure European cloud users. From now on, all personal data will be within the “EU Data Boundary for the Microsoft Cloud”, consisting of all EU and EFTA countries. Is that enough to keep data secure?
Microsoft makes a number of concrete promises to all European cloud users. It previously presented Cloud for Sovereignty, which promises Europeans to ensure data sovereignty. From now on, all Azure users can choose to keep their personal data within Europe. There will be no additional price tag and the functionality will otherwise remain unchanged, Microsoft promises.
Data storage now within the EU, but will it help protect it?
The tech giant cites a number of improvements to all cloud services. These include Microsoft 365, Azure, Power Platform and Dynamics 365 services. From now on, all users’ data will be within the EU Data Boundary. This includes all EU and EFTA countries, as the company lists here.
From now on, even anonymized personal data will not end up outside these boundaries. This data resides in automatically generated logs, which ordinarily cloud be stored in North America. For additional transparency, there is the EU Data Boundary Trust Center, which answers further questions about securing data within EU/EFTA borders.
Now, we were already skeptical of Microsoft’s promises for Cloud for Sovereignty: data retrieval by U.S. authorities when demanded still seems to be mandatory for Microsoft. It can’t develop its way out of that issue. Let it be clear that this innovation to the general Microsoft Cloud offering doesn’t change that. It is still a legal gray area whether the U.S. company should always share EU-based data with the United States. Still, Microsoft asserts it will inform customers (when possible) that their data has been requested.
Deep investment, yet additional costs
Despite these doubts, Microsoft is certainly tackling the European cloud project ambitiously. “Deep investments to deploy EU-based technology” should also block personnel that are monitoring system health from (the already anonymized) personal data. In short, Microsoft wants to block all sorts of data access paths to reassure its users.
An optional variant, though, would be a paid service. This should give “extra assurance” to customers that technical support is indeed in the EU. It’s a somewhat curious promise Microsoft already made a year ago, but shows how the company views data sovereignty and residency. Certain guarantees should apply to all users, while customers in privacy- and compliance-sensitive sectors will have to pay up. This can be done despite the aforementioned doubts about U.S. control of data through Cloud for Sovereignty. In any case, it is a product that various privacy-sensitive sectors have already adopted.
No sovereign cloud
Microsoft is not finished with the initiative around the EU Data Boundary. Its announcements show that our continent will never operate completely independently of North America. Specifically, Microsoft talks about “limiting and securing” temporary data to provide assistance via VDI, for example. A future paid option would keep “initial” technical support within the EU, something that does not offer too much certainty.
Promises of compliance with the EU-US Data Privacy Framework are also debatable. Clearly Microsoft’s plans are ambitious and are well thought-out, but we are talking about compliance with what are essentially guidelines, not regulations. Although Microsoft states that it aims to operate “beyond European compliance requirements,” the reality is that data protection is about more than that. After all, anyone who entrusts data to an American company cannot guarantee that the U.S. won’t take a look. That’s not Microsoft’s fault, but it is the Achilles’ heel for the promises it makes.
Also read: Google Cloud cuts egress fees, something competitors charge a premium for
20 hours ago
