On Thursday, Microsoft announced that it would allow all of its European commercial and public customers to store their Azure and 365 data in the EU. That's kind of a big deal, as it (1) signals an industry-led move towards data localisation in Europe, and (2) contrasts with the government-led approach to localisation in China, Russia and other countries with data residency laws.
The irony here is that free data flows and the rejection of localisation requirements have for decades been central to European data protection law, whose principles are now being copied by legislators across the world (including in countries that impose localisation obligations).
So why this — and why now? Well, it's been nearly a year since the ECJ's Schrems 2 judgment, and six months since the EDPB released its draft guidance on the supplementary measures that it said would, in some cases, meet the Schrems 2 threshold. Notably, the EDPB took the position that transfers to U.S. cloud providers which require access to unencrypted data do not meet this threshold (Use Case 6 in the EDPB document).
Cloud businesses and their customers are now walking a razor-thin line between complying with US surveillance law requests and respecting the court’s restrictions on ex-European transfers to providers that are subject to those laws. But that's not the end of the story.
The CLOUD Act gives US law enforcement the power to compel US technology firms to provide data held on foreign servers — and the Foreign Intelligence Surveillance Act also potentially has long-arm jurisdiction (extending, for example, to the European subsidiaries of a US parent company). By contrast, the recent decision by the French Conseil d'Etat in Doctolib suggests that certain supplementary measures may be sufficient to meet the Schrems 2 threshold — although in this case the data were held in the EU by a US cloud firm.
The difficulty of balancing these interests means it’s unlikely to be long before other cloud providers offer dedicated localisation services in the EU. If that’s the case, European business will need to adopt a mind-set that’s new for most of them: data nationalism.
If you are a commercial or public sector customer in the EU, we will go beyond our existing data storage commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU.