April 24 — Microsoft Corp.'s contracts for cloud computing services offered in the European Union broadly meet one of the bloc's approved processes for international transfer of personal data, the Article 29 Working Party announced April 24.
Microsoft presented documentation of its privacy practices and procedures in contracts for cloud computing services to data protection authorities in various EU member states, the Working Party said in a statement.
Under the EU Data Protection Directive (95/46/EC), personal data may be lawfully transmitted out of the European Economic Area only under limited circumstances, including where the European Commission finds a non-EU country's law adequate to protect privacy. The U.S. hasn't been found by the commission to have adequate privacy protections; therefore U.S. companies such as Seattle-based Microsoft must utilize alternatives, such as the U.S.-EU Safe Harbor Program or binding corporate rules to move data out of the EEA.
The alternative at play in this instance was the use of standard contractual clauses to require the contract parties to protect privacy consistent with the Data Protection Directive.
In particular, the Art. 29 Party evaluated whether Microsoft's contract provisions “strictly meet the requirements on international data transfers contained in the Standard Contractual Clauses 2010/87/EU,” which are referred to as the data controller-to-processor clauses.
The DPA officials from the 28 member states that make up the Working Party “take the view that the documents meet the EU requirements laid out in these clauses,” the group said.
The Working Party transmitted its findings on the Microsoft contract provisions in a letter dated April 2.
In an April 10 Official Microsoft Blog post, Brad Smith, Microsoft general counsel and executive vice president of legal and corporate affairs, said “Microsoft is the first—and so far the only—company to receive this approval.”
He said “Europe's privacy regulators have said, in effect, that personal data stored in Microsoft's enterprise cloud is subject to Europe's rigorous privacy standards no matter where that data is located.”
The Working Party, however, qualified its conclusion, saying in the April 24 statement:
The positive outcome of this limited analysis does not entail that the WP29 regards Microsoft's contractual arrangements as complying overall with all EU data protection requirements, nor should it be construed as an endorsement that, in practice, Microsoft complies with EU data protection rules. It merely acknowledges that Microsoft has made sufficient contractual commitments to provide a legal framework to its international data flows, in accordance with Article 26 of Directive 95/46/EC.
The Art. 29 Party also didn't specifically review the appendices to the documentation provided by Microsoft that detailed the specific data transfers at issue for each of the contracts, the group said.
The Working Party took the opportunity of the Microsoft announcement, to “remind all cloud computing providers” that they have an obligation to ensure that their contracts comply with EU privacy law. It pointed companies to the group's cloud computing guidance released in July 2012.
The Article 29 Working Party's letter to Microsoft is available at http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140402_microsoft.pdf.
Microsoft's blog post is available at http://blogs.technet.com/b/microsoft_blog/archive/2014/04/10/privacy-authorities-across-europe-approve-microsoft-s-cloud-commitments.aspx.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).