Microsoft signs EU accords on data privacy

Microsoft has signed European Union data protection clauses in an effort to quell concerns for European organisations running its Office 365 application suite.

The computing giant signed the European Union's Model Clauses agreement, a component of the Data Protection Directive that allows EU member nations to transfer personal data for processing to countries that cannot ensure an adequate level of protection [pdf].  

"European regulators have the option to request that customers halt the use of a service that hasn’t taken appropriate steps to safeguard personal data until they have evaluated the service and deemed it compliant with EU data protection and security standards," Microsoft explains in a statement. 

The agreement builds upon the US-EU Safe Harbour accord signed in 2000, designed to help US companies engage in trans-Atlantic business.

For European customers, the accords are intended to quell concerns around protection of Office 365 data hosted in Microsoft's data centres in the US, Ireland and the Netherlands.

Redmond built in 20 privacy controls to make Office 365 fit with European data privacy and protection regulations, according to Microsoft's chief privacy officer, Brendan Lynch.

"Our support for EU Model Clauses is another effort to accommodate the privacy demands of European markets," he said.

The company will also offer European customers additional "data processing agreements" for nations with more "exacting requirements" than the European directive.

Trust us, it's safe

Microsoft also opened a new "trust centre", allowing users to see the "geographic boundary" for their data when hosted in Office 365.

US customers, for example, will be hosted solely within the country while Australian and Asia Pacific customers will be served Office 365 instances out of the US, Singapore or Hong Kong.

Microsoft said it would not notify customers when data is transferred to a new country but will advise if it changes the geographic boundaries for customers who opt in to notifications. 

Though designed to promote visibility of its data centre locations, the trust centre indicates the computing giant's continuing unwillingness to share exact details of its data centres, choosing only to provide basic location information on data centres it has "elected to disclose to the general public".

The company also fails to disclose the number of data centres it uses to host Office 365, only stating that the number is "between 10 and 100", including "other United States-based Data Centers" it has not previously mentioned.

Concerns over data privacy and sovereignty in cloud computing were a key issue for Australian regulators, Lynch said. 

In "virtually every conversation" he had with customers and regulators while on tour in Australia and New Zealand, he was asked about its approach to data protection in its cloud services, he said.

The company has ruled out local facilities for Australian customers, however, and instead lobbied Government in an attempt to change a perceived stigma around data sovereignty in cloud applications and infrastructure.