In a blog post, Microsoft announced new protections for their public sector and enterprise customers who need to move their data from the European Union, including a contractual commitment to challenge government requests for data and a monetary commitment to show their conviction.
The announcement responds to new guidance from data protection regulators in the European Union.
Cross-border data transfers have been the subject of recent litigation and regulatory action, including a ruling earlier this year from the Court of Justice of the European Union and draft recommendations issued last week by the European Data Protection Board (EDPB) on how companies can comply with that ruling.
With today’s announcement, Microsoft is moving to be the first company to respond to the EDPB’s guidance, with new commitments it says demonstrate the strength of its conviction to defend customers’ data.
- First, Microsoft is committing that they will challenge every government request for public sector or enterprise customer data – from any government – where there is a lawful basis for doing so. This strong commitment goes beyond the proposed recommendations of the EDPB.
- Second, Microsoft will provide monetary compensation to these customers’ users if Microsoft discloses their data in response to a government request in violation of the EU’s General Data Protection Regulation (GDPR). This commitment also exceeds the EDPB’s recommendations. Microsoft says it reflects their confidence that they will protect public sector and enterprise customers’ data and not expose it to inappropriate disclosure.
Microsoft says these protections, called Defending Your Data, will be added to their contracts with public sector and enterprise customers immediately.
Microsoft says this adds to their foundational privacy promises, which include:
- Strong encryption: Microsoft encrypts customer data with a high standard of encryption both in transit and at rest. Encryption is a critical point in the draft EDPB recommendations. Microsoft does not provide any government with their encryption keys or any other way to break the encryption. Whether encryption protects against a compelled disclosure depends on who holds the keys: data the provider can decrypt can be handed over in plaintext, which is why the EDPB draft recommendations treat encryption as an effective supplementary measure only when the keys remain under the data exporter’s control.
- Standing up for customer rights: Microsoft does not provide any government with direct, unfettered access to customer data. If a government demands customer data from them, it must follow the applicable legal process. Microsoft will only comply with demands when Microsoft is clearly compelled to do so. Their first step is always to attempt to redirect such orders to customers or to inform them, and Microsoft routinely denies or challenges orders when they believe those orders are not legal.
- Transparency: Microsoft has, for many years, published information about government demands for customer data. Microsoft sued the U.S. government over the ability to disclose more data about the national security orders Microsoft receives seeking customer data and reached a settlement enabling them to do so. As a result, twice a year, Microsoft discloses more detailed information about these national security orders across all their businesses (consumer, enterprise, and public sector), in addition to their regular Law Enforcement Request Report.
- A track record of legal success: Microsoft has more experience than any other company going to court to establish the limits of government surveillance orders, and Microsoft has even taken one case to the U.S. Supreme Court. Their efforts have provided customers with greater transparency and stronger protections. No commitment to challenge access orders can assure victory, but Microsoft feels good about their record of success to date.
Microsoft says privacy is a core value for them because they believe people will only use their technology if they can trust it.
They hope the steps announced today demonstrate to their enterprise and public sector customers that Microsoft will go above and beyond the law to defend their data, and the data of their users. Microsoft’s full statement of their commitment to privacy is in the original blog post.