Microsoft’s approaches to protecting (personal) data in the cloud

PAC had the opportunity to attend the Microsoft EMEA Analyst Strategy Days 2022. This blog post provides a brief analysis of three general approaches to protecting (personal) data in the cloud in the context of (managed) cyber security services, and of how Microsoft is handling this.

As cloud computing becomes more widespread, cyber security and privacy concerns are on the rise. In particular, flexible cloud storage, where hardware can be located anywhere in the world, may make it difficult to comply with national regulations. For example, cloud computing providers such as AWS, Google, and Microsoft are often not permitted to store data just anywhere in the world. At the same time, their customers have to comply with certain regional security standards. Often, companies such as Microsoft have to consult experts who are located outside the EU to keep this bar high.

Three different specifications are relevant here: data residency, data localization, and data adequacy (see From data ownership to sovereignty, how CIOs must consider the impact on cloud service usage).

Data residency refers to the place where data or information is physically stored for regulatory, tax, or policy reasons. It contrasts with data localization, which requires by law that data be stored in the geographic region where it was created.

In the EU (and the UK), data protection law, i.e., the General Data Protection Regulation (GDPR), generally only requires data adequacy, i.e., a sufficient level of (data) protection. Data adequacy is intended to encourage data controllers to store and process data within the EU (and the UK) rather than moving it to areas considered less 'adequate'. However, this also means that it is generally possible to transfer data across EU borders, if that location is 'adequate'.

For example, accessing personal data for cyber security reasons may be a “transfer”, meaning that data residency and localization cannot be invoked, as such access is consistent with the legal means of transfer. Only local laws can impose restrictions on where data is stored (e.g., the German Localization Act for health and telecommunications data). Therefore, data residency and localization often do not provide better security for personal data, but rather tolerability for the cyber security domain.

At the Microsoft EMEA Analyst Strategy Days 2022, Microsoft gave some insights into how the company supports data residency in Europe. Generally, data resides within the boundaries of the EU. This so-called EU Data Boundary applies to M365, D365, and Power Platform users. However, data that is global in nature and needed for critical cyber security functions in response to security needs is only transferred outside of Europe for customer service and support.

With the help of a virtual desktop infrastructure whose machines are based in the EU, an expert located outside the EU is able to identify cyber security issues by looking at a static image of data (often log data) that is physically stored in the EU. Under EU law, this is considered a transfer (see above). Therefore, the data adequacy approach applies, and this is in line with GDPR. In contrast, data generated outside the EU might be processed outside as well.

Therefore, CIOs need to consider these differences and related compliance aspects when implementing cloud solutions, and Microsoft software in particular.