Microsoft, Google and UK make moves on sovereign data storage
EU and Big Tech have been negotiating over the handling of European data
In a move to align with the EU's GDPR, Microsoft has unveiled plans to exclusively store and process all personal data from its European users within the EU.
Julie Brill, corporate VP & chief privacy officer at Microsoft, confirmed the decision, saying that the company is updating the 'EU Data Boundary for the Microsoft Cloud.'
The initiative, which began in 2023, initially covered a selection of Microsoft's cloud services, including Microsoft 365, Azure, Power Platform and Dynamics 365.
This week the company expanded the commitment to encompass all personal data, including automated system logs, residing in the Microsoft EU Data Boundary.
EU officials and American tech giants have been in extended negotiations over the handling of European data. There have been particular concerns about how EU citizens' data would be managed in the US, which has more relaxed privacy legislation than the EU.
The EU-US data deal, known as the "Data Privacy Framework," was adopted in July 2023, providing a new legal basis for data transfers.
However, the history of previous agreements, like Privacy Shield and Safe Harbour, facing legal challenges prompted cloud giants to continue reinforcing data localisation measures.
Microsoft's expansion of the EU Data Boundary includes additional transparency measures and documentation to help customers better understand data flows.
The company's EU Data Boundary Trust Centre serves as a portal for customers to access these resources.
An element introduced in the latest phase is the deployment of virtual desktop infrastructure within the EU Data Boundary. This allows for remote access to system logs without the need for physical data transfers or storage outside the EU.
While Microsoft's data localisation efforts are comprehensive, the design currently remains porous, allowing some data to leave the EU. The planned third phase, scheduled for 31st December 2024, will continue the gradual localisation process for customer data flows.
The announcement comes against the backdrop of increasing tensions between tech companies and the EU over data privacy regulations.
Notably, in May 2023, Meta was fined $1.3 billion for allegedly transferring EU users' personal data from Facebook to servers in the US without adequate safeguards. Meta is appealing the fine as the industry grapples with evolving standards for data protection and privacy in the digital age.
Google's new policy
To comply with the EU's Digital Markets Act (DMA), set to take effect on 6th March, Google has also announced a new policy giving EU users greater control over their data-sharing preferences.
Under the new policy, EU users can now choose to opt out of data sharing across all, some, or none of a select number of Google's services.
The list includes prominent offerings such as YouTube, Google Play, Chrome, Search, ad services, Google Shopping and Google Maps.
While users have the flexibility to tailor their data-sharing preferences, the policy acknowledges certain scenarios where Google will continue to share data. Completing a purchase on Google Shopping with Google Pay, complying with legal requirements, preventing fraud, or protecting against abuse fall within the exceptions.
CMA to impose stricter rules on Big Tech
The UK's Competition and Markets Authority (CMA) has also announced plans to grant Big Tech rivals greater access to each others' data.
This initiative is part of the new digital markets competition regime proposed by the Digital Markets, Competition, and Consumers (DMCC) Bill.
Under the proposed regime, firms designated with Strategic Market Status (SMS) in relation to digital activities will be subjected to 11 principles outlined by the CMA.
They include preventing firms from favouring their own products and services; ensuring greater access to data and functionality for competitors; and promoting fairer terms of trade.
CMA boss Sarah Cardell, speaking at a conference in Silicon Valley, highlighted the move's significance.
She said, "Today's overview document not only provides clarity for UK parliamentarians but also for digital firms and wider stakeholders about the approach the CMA intends to take."
Cardell emphasised the importance of engaging with various stakeholders, including major tech players, challengers, and users, to ensure the effectiveness of the new regime.
The CMA will release more detailed draft guidance once the DMCC is passed into law by Parliament.