Microsoft has claimed it is the first cloud provider to receive approval from the European Union's data protection authorities for meeting the high standards of EU privacy law. However, questions still remain over how this protects European firms against privacy threats such as the US Patriot Act.
The software giant announced in a blog post that the EU Article 29 Working Party has approved Microsoft's enterprise cloud service contracts as being in compliance with the high standards of EU privacy law, as set out in the EU Model Clauses.
This applies to Microsoft's enterprise cloud services, including Microsoft Azure, Office 365, Microsoft Dynamics CRM and Windows Intune.
Microsoft's general counsel Brad Smith said: "By acknowledging that Microsoft's contractual commitments meet the requirements of the EU's Model Clauses, Europe's privacy regulators have said, in effect, that personal data stored in Microsoft's enterprise cloud is subject to Europe's rigorous privacy standards no matter where that data is located.
"This is especially significant given that Europe's Data Protection Directive sets such a high bar for privacy protection."
The Model Clauses are a set of provisions developed by the Article 29 Working Party, which comprises representatives from each of the 28 European Union data protection authorities (DPAs) plus the European Commission, to ensure safeguards are in place to protect personal data that leaves the European Union.
Microsoft said it is the first and only cloud provider to receive this type of recognition. In addition, it claimed that Europe's privacy regulators are endorsing the view that personal data stored in Microsoft's enterprise cloud is subject to European privacy standards, no matter where that data is located.
However, the software giant has previously admitted that the US government's Patriot Act legislation compels it as a US-based company to provide access to any data that it holds, regardless of where it is stored and who owns that data.
Microsoft told V3 in response to a previous query regarding customer data: "The Patriot Act mandates that any company with a presence in the US is legally required to respond to a valid demand from the US government for information if the company retains custody or control over the data.
"This is the case regardless of where the data is stored or the existence of any conflicting obligations under the laws where the data is located."
At the time of writing, the firm had not responded to a further request for clarification on whether this is still the case.
Daniel Robinson is technology editor at V3, and has been working as a technology journalist for over two decades. Dan has served on a number of publications including PC Direct and enterprise news publication IT Week. Areas of coverage include desktops, laptops, smartphones, enterprise mobility, storage, networks, servers, microprocessors, virtualisation and cloud computing.