April 24 — Microsoft Corp.'s contracts for cloud computing services offered in the European Union broadly meet one of the bloc's approved processes for international transfer of personal data, the Article 29 Working Party announced April 24.
Microsoft presented documentation of its privacy practices and procedures in contracts for cloud computing services to data protection authorities in various EU member states, the Working Party said in a statement.
Under the EU Data Protection Directive (95/46/EC), personal data may be lawfully transmitted out of the European Economic Area only under limited circumstances, including where the European Commission finds a non-EU country's law adequate to protect privacy. The U.S. hasn't been found by the commission to have adequate privacy protections; therefore, U.S. companies such as Seattle-based Microsoft must use alternatives, such as the U.S.-EU Safe Harbor Program or binding corporate rules, to move data out of the EEA.
The alternative at play in this instance was the use of standard contractual clauses to require the contract parties to protect privacy consistent with the Data Protection Directive.
In particular, the Art. 29 Party evaluated whether Microsoft's contract provisions “strictly meet the requirements on international data transfers contained in the Standard Contractual Clauses 2010/87/EU,” which are referred to as the data controller-to-processor clauses.
The DPA officials from the 28 member states that make up the Working Party “take the view that the documents meet the EU requirements laid out in these clauses,” the group said.
The Working Party transmitted its findings on the Microsoft contract provisions in a letter dated April 2.
In an April 10 Official Microsoft Blog post, Brad Smith, Microsoft general counsel and executive vice president of legal and corporate affairs, said “Microsoft is the first—and so far the only—company to receive this approval.”
He said “Europe's privacy regulators have said, in effect, that personal data stored in Microsoft's enterprise cloud is subject to Europe's rigorous privacy standards no matter where that data is located.”
The Working Party, however, qualified its conclusion, saying in the April 24 statement:
The positive outcome of this limited analysis does not entail that the WP29 regards Microsoft's contractual arrangements as complying overall with all EU data protection requirements, nor should it be construed as an endorsement that, in practice, Microsoft complies with EU data protection rules. It merely acknowledges that Microsoft has made sufficient contractual commitments to provide a legal framework to its international data flows, in accordance with Article 26 of Directive 95/46/EC.
The Art. 29 Party also didn't specifically review the appendices to the documentation provided by Microsoft that detailed the specific data transfers at issue for each of the contracts, the group said.
The Working Party took the opportunity of the Microsoft announcement to “remind all cloud computing providers” that they have an obligation to ensure that their contracts comply with EU privacy law. It pointed companies to the group's cloud computing guidance released in July 2012.
The Article 29 Working Party's letter to Microsoft is available at http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140402_microsoft.pdf.
Microsoft's blog post is available at http://blogs.technet.com/b/microsoft_blog/archive/2014/04/10/privacy-authorities-across-europe-approve-microsoft-s-cloud-commitments.aspx.