Microsoft says it is the first company in the world to respond to recommendations by Europe’s privacy watchdogs following a decision by Europe’s top court over data being shipped to the US.
The Court of Justice of the European Union (CJEU) in July struck down the EU-US Privacy Shield, throwing into question how companies – in particular US tech giants, but also thousands of European businesses – could send personal data to the US without contravening Europe’s General Data Protection Regulation (GDPR).
Julie Brill, Microsoft’s chief privacy officer, boasts that the maker of Windows 10, Office, and Azure is the first entity in the world to meet recommendations outlined by Europe’s data-protection heads last week.
“Today, we’re announcing new protections for our public sector and enterprise customers who need to move their data from the European Union, including a contractual commitment to challenge government requests for data and a monetary commitment to show our conviction,” said Brill.
“Microsoft is the first company to provide these commitments in response to last week’s clear guidance from data protection regulators in the European Union.”
European privacy authorities, under the European Data Protection Board (EDPB), last week adopted several recommendations to reflect the so-called ‘Schrems II’ ruling.
“As a result of the ruling on July 16, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA),” the EDPB said.
“The CJEU allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.”
US tech companies were forced to make significant adjustments to their terms with users and customers after Austrian lawyer and privacy activist Max Schrems prevailed in a complaint he had filed against Facebook with the Irish data protection authority in 2013. He argued that information about Europeans sent to US servers could be accessed by US intelligence agencies.
He lodged the case after former National Security Agency (NSA) contractor Edward Snowden in 2013 showed that the agency was conducting mass surveillance on US citizens and foreigners through Google, Microsoft, Facebook and other tech giants.
Schrems’ case resulted in the CJEU in 2015 invalidating the EU-US Safe Harbor framework, which for 15 years had permitted organizations to send personal data from Europe to the US.
The demise of Safe Harbor gave birth to the EU-US Privacy Shield, which came into effect in August 2016. Schrems challenged that arrangement too, and in July the CJEU invalidated it as well, finding that US surveillance law did not give transferred data protection essentially equivalent to that required under GDPR and the EU Charter of Fundamental Rights. The court left Standard Contractual Clauses valid, but only where exporters verify, case by case, that the destination country’s law actually delivers that level of protection. This is the decision referred to as the ‘Schrems II’ ruling.
Brill says Microsoft promises to contest every government request for public-sector or enterprise customer data where it has a lawful basis to do so.
“This strong commitment goes beyond the proposed recommendations of the EDPB,” said Brill.
Microsoft also promises to “provide monetary compensation to these customers’ users if we disclose their data in response to a government request in violation of” GDPR.
“It shows Microsoft is confident that we will protect our public-sector and enterprise customers’ data and not expose it to inappropriate disclosure.”