Microsoft EU Data Boundary is the term Microsoft uses for its commitment to keep the personal data of its customers and users in the European Union (EU) within the EU. As Azure customers, we can already choose the region in which our services run and in which the data of those services is stored. However, in some cases metadata may be transferred to a different geographical region, and support for a given service may be provided from outside the EU.
The aim of the EU Data Boundary is to give us the option of keeping metadata and support within the EU as well, not only the data itself.
Under the General Data Protection Regulation (GDPR), which is the EU’s data protection law, personal data can only be transferred outside the EU if adequate protection is provided to the data. The Microsoft EU Data Boundary ensures that personal data of its customers in the EU is stored and processed within the EU, so that it remains protected by the GDPR. Currently, Microsoft is gradually implementing this capability as it involves significant changes both in the technical backend and in the organization of Microsoft, as well as in the collection of data.
Much of the work needed to deliver the complete set of capabilities still remains throughout 2023. It should be noted that having all of the mechanisms, including support, within the EU will carry an additional cost for customers, as stated in the FAQ for the EU Data Boundary:
We are working to set up the infrastructure, processes, and training to implement localized Support operations in the EU Data Boundary, including by putting into place the following:
- Storage of Professional Services Data in the EU Data Boundary.
- Provide access to Professional Services Data only via secure remote workstations.
- Provide an optional paid offering that will provide increased assurance that the first technical support contact will be located in the EU.
So, will this mechanism protect us from the US government if Microsoft is served with orders under the FISA act? Microsoft provides a page showing the number of FISA orders seeking disclosure of content (US National Security Orders Reports | Microsoft CSR). NOTE: this page has not been updated for the last 2 years.
Well, the answer for that is also within the same blog post, where Microsoft states the following.
Q: How will the U.S. and other government requirements be treated under the new EU Data Boundary?
“If compelled to disclose or give access to any customer’s data, Microsoft will, if possible, promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so. We will challenge every government request for an EU public sector or commercial customer’s personal data—from any government—where there is a lawful basis for doing so. And we will provide monetary compensation to our customers’ users if we disclose data in violation of the GDPR and that results in harm to the customer.”
It is therefore reasonable to assume that Microsoft would still be able to hand over the requested information if compelled to disclose it, even when the data is stored within the EU Data Boundary mechanism.
Since this work is being done gradually, Microsoft needs to make changes across all of its services. It should also be noted that some features and services cannot be provided within the EU at all. The services that are permanently excluded from the EU Data Boundary are listed here –> Services permanently excluded from the EU Data Boundary – Microsoft Privacy | Microsoft Learn; this includes services such as Azure Active Directory.
Currently, several services are available that comply with the EU data boundary. However, to utilize them, you may need to reconfigure or redeploy certain services accordingly. For example, Azure Sphere features a flag called “regional-data-boundary,” which enables users to specify whether they want to use the EU data boundary or not.
This most likely means that customers who have been using Azure for a while and want to benefit from the EU Data Boundary will need to reconfigure or redeploy their services to take advantage of the new mechanisms. Right now there is no good indication of how this will affect each service, since much of the engineering work remains to be done.