Microsoft to keep all European cloud customers’ personal data within EU

Microsoft will store all cloud customers’ personal data within the European Union rather than allowing transfers abroad, the company said on Thursday — the latest step in ongoing efforts by cloud providers to navigate varying privacy regulations across jurisdictions.

Under the new policy, Microsoft will keep within what it calls the “EU data boundary” all customer data across the company’s cloud services, like Azure, Microsoft 365, Power Platform and Dynamics 365.

This includes “pseudonymized personal data,” which is found in system-generated logs and has been altered so as not to be directly linked to an individual — “making Microsoft the first large-scale cloud provider to deliver this level of data residency to European customers,” the company said in a release.

In December 2022, Microsoft announced it would soon begin the rollout of localized data storage. The first phase, implemented last year, involved storage within the EU of some personal data, but not information held in system-generated logs.

In recent years, Microsoft and other tech giants have found themselves in regulators’ crosshairs over data transfers from the bloc, whose General Data Protection Regulation (GDPR) privacy law is the world’s most stringent. In May 2023, Meta was fined $1.3 billion by the Irish Data Protection Commission over transfers to the United States, where protections are limited and there are concerns about sensitive information ending up in the hands of law enforcement.

In July 2023, a new “Data Privacy Framework” between the EU and U.S. was agreed upon, allowing data transfers as long as protections are made. Nonetheless, Microsoft appears to be moving forward with its EU Boundary plan, and in October Amazon announced it would roll out a separate “European Sovereign Cloud” service, which would keep customers’ metadata within the bloc.