Think Your Microsoft Data Stays in the EU? Not So Fast!


Read in other languages:
The exchange of digital data between the EU and the USA is not without controversy. Microsoft is now relying on its own EU data border to lull local customers into a sense of security. However, there are certainly holes in the border.
The processing of data is subject to separate laws in Europe and the USA. An exchange is regulated within the framework of the EU-US Data Privacy Framework, which was adopted in 2023. However, the agreement does not mean that the sending of European user data to the USA is not still viewed critically.
A major flaw in Brussels is that the US intelligence services can gain access at any time. The statement that the data is only processed in Europe is therefore still seen by many users as a sign of the quality of the provider. This also applies to Microsoft. The group earns a large part of its turnover from companies in Europe. However, the associated data centers are operated worldwide. With its own EU data borders, it now appears that further trust is to be created.
User Data Stays in the EU—Unless It’s Used Professionally
Accordingly, a separate border will be drawn around the countries of the European Union (EU) and the European Free Trade Association (EFTA). Data that is made available by users within this data border will also remain within it. However, this first applies to customer data, which also includes text, audio, video, or image files and software that were transferred to the Group's servers while using an online service.
If the data is collected as part of a so-called professional service, it can be accessed worldwide. These services include traditional IT tasks such as consulting, guidance, data migration, software development and technical support. However, it remains unclear when data is actually transferred from the EU. Microsoft only refers to "scenarios" in the context of the "operational requirements of the cloud service".
Microsoft employees outside the EU can apparently access user data remotely, particularly when clarifying support issues. A global network of developer teams, known as DevOps, is available around the clock to intervene in the event of critical problems. In addition to a careful selection of employees, "technologies" are supposed to ensure data security. However, the extent to which these measures protect against unauthorized access remains to be seen.
Is Microsoft Just Trying to Smooth Things Over?
The tightening of the EU data border at Microsoft can also be seen as a reassurance pill for local (corporate) customers. The current US government has recently expressed doubts about the agreement. President Donald Trump sees tech companies at a disadvantage due to European legislation.
However, this threatens the free exchange of data between the EU and the U.S. The European Court of Justice (ECJ) had raised objections to the existing agreement, which were only addressed through Executive Order 14086, signed by former U.S. President Joe Biden. If this order is revoked, a critical question arises—not just for Microsoft—about how services, particularly in the cloud sector, can continue to be offered to businesses and public administrations.