Our public sector and enterprise customers regularly need to move their data between countries, regions and continents. Today, we’re announcing new protections for our public sector and enterprise customers who need to move their data from the European Union, including a contractual commitment to challenge government requests for data and a monetary commitment to show our conviction. Microsoft is the first company to provide these commitments in response to last week’s clear guidance from data protection regulators in the European Union.
Every day, our customers move data through their global networks to serve their clients, work with suppliers or partners, and manage payroll for their global workforce. These cross-border data transfers have been the subject of recent litigation and regulatory action including a ruling earlier this year from the Court of Justice for the European Union and draft recommendations issued last week by the European Data Protection Board (EDPB) about how companies can comply with this ruling.
With today’s announcement, we are moving to be the first company to respond to the EDPB’s guidance with new commitments that demonstrate the strength of our conviction to defend our customers’ data. Microsoft has already demonstrated that we provide strong protections for our customers’ data, we are transparent about our practices and we defend our customers’ data. We believe the new steps we’re announcing today go beyond the law and the EDPB draft recommendations, and we hope these additional steps will give our customers added confidence about their data.
- First, we are committing that we will challenge every government request for public sector or enterprise customer data – from any government – where there is a lawful basis for doing so. This strong commitment goes beyond the proposed recommendations of the EDPB.
- Second, we will provide monetary compensation to these customers’ users if we disclose their data in response to a government request in violation of the EU’s General Data Protection Regulation (GDPR). This commitment also exceeds the EDPB’s recommendations. It shows Microsoft is confident that we will protect our public sector and enterprise customers’ data and not expose it to inappropriate disclosure.
We call these protections Defending Your Data, and we will begin adding them to our contracts with public sector and enterprise customers immediately.
Defending Your Data makes a substantial addition to our foundational privacy promises, and builds on the strong protections we already offer customers.
- We use strong encryption: We encrypt customer data with a high standard of encryption both when it is in transit and at rest. Encryption is a critical point in the draft EDPB recommendations. We do not provide any government with our encryption keys or any other way to break our encryption.
- We stand up for customer rights: We do not provide any government with direct, unfettered access to customer data. If a government demands customer data from us, it must follow applicable legal process. We will only comply with demands when we are clearly compelled to do so. Our first step is always to attempt to re-direct such orders to customers or to inform them, and we routinely deny or challenge orders when we believe they are not legal.
- We are transparent: We have, for many years, published information about government demands for customer data. We sued the U.S. government over the ability to disclose more data about the national security orders we receive seeking customer data and reached a settlement enabling us to do so. As a result, twice a year, we disclose more detailed information about these national security orders across all our businesses (consumer, enterprise, and public sector), in addition to our regular Law Enforcement Request Report.
- We have a track record of legal success. We have more experience than any other company going to court to establish the limits of government surveillance orders, and we have even taken one case to the U.S. Supreme Court. Our efforts have provided customers with greater transparency and stronger protections. No commitment to challenge access orders can assure victory, but we feel good about our record of success to date.
Some of the public discussion about the impact of U.S. government data demands focuses on U.S.-headquartered companies. But it is clear that U.S. laws regarding government access to data apply to companies that do business in the U.S., even if they are headquartered in Europe or elsewhere.
Privacy is a core value for us at Microsoft because we believe people will only use technology if they can trust it. That’s why we were the first cloud provider to work with European data protection authorities for approval of Europe’s model clauses, the first to adopt new technical standards for cloud privacy, and enthusiastic supporters of the GDPR since it was first proposed in 2012. We have extended core rights under the GDPR to consumers around the world, and we have honored core rights of the California Consumer Privacy Act for all our consumers in the United States. In addition, we have launched the Tech Fit for Europe initiative to develop digital solutions based on European values and rules.