On May 6, Brad Smith, President of Microsoft, posted a pledge to support European Union commercial and public sector customers by enabling them to “process and store all your data in the EU.” The effort is called the EU Data Boundary and spans Microsoft cloud services like Microsoft 365, Azure, and Dynamics 365 running in EU datacenters in 13 countries (Austria, Denmark, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, Spain, Sweden, and Switzerland). Norway and Switzerland are in the European Economic Area (EEA) rather than the European Union, but EEA countries have tight alignment with EU regulations, which is probably why they are included.
Microsoft says they have already started the engineering work to store and process personal data for EU customers in their core workloads, including diagnostic and service-generated data (aka telemetry), and personal data used for support. Some agencies have criticized Microsoft heavily in the past for the telemetry and other data transmitted by products like Office back to Microsoft without user oversight. The Dutch Government Data Protection Impact Assessment of November 2018 was particularly critical.
Microsoft says they’ll provide more detail about how they will extend this work at an EU Customer Cloud Summit later in 2021. The plan is to complete all engineering effort to build the EU Data Boundary by the end of 2022, but Microsoft’s FAQ for the plan contains the caveat that “by the end of 2022, we will be taking additional steps to minimize transfers of both Customer Data and Personal Data outside of the EU.” Like with many Microsoft announcements, we need to see the real detail to understand exactly what will happen and when. Microsoft also announced the creation of a Privacy Engineering Center of Excellence at their Dublin, Ireland campus.
An Insight into Cloud Services
Although core Microsoft 365 services like Exchange Online, SharePoint Online, OneDrive for Business, and Teams (the services which support multi-geo capability) run in all datacenter regions, the challenge facing Microsoft to implement their plan lies in other workloads and supporting services. This is easily seen by looking at the current set of services consumed by an Office 365 tenant in the EMEA datacenter region. By running the Get-MsolCompanyInformation PowerShell cmdlet, Office 365 returned details of 46 individual service instances, 27 of which are in the U.S.
$Locations = (Get-MsolCompanyInformation).AuthorizedServiceInstances
Among the prominent services in the 27 are:
- Microsoft Information Protection.
- Communications Compliance.
- Microsoft Theat Protection.
- Yammer (this is historic because Yammer does run in the EU. The tenant was created when Yammer ran exclusively in the U.S. However, it does underline the fact that Microsoft will need to move tenant workloads across regions to achieve their goal).
- Microsoft Stream.
- Access Control and Multi-factor authentication.
- Azure Active Directory Premium.
- Power Apps.
- Advanced Threat Analytics.
Time will tell if Microsoft can get all the engineering done to achieve its EU Data Boundary by the end of 2022. Time to sit back with some popcorn and watch the story unfold.