European Union (EU) data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway. The EU Model Clauses are standardized contractual clauses used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law and meet the requirements of the EU Data Protection Directive 95/46/EC.
Microsoft has invested in the operational processes necessary to meet the exacting requirements of the Model Clauses for the transfer of personal data to processors. Microsoft offers customers Model Clauses, referred to as Standard Contractual Clauses, that make specific guarantees around transfers of personal data for in-scope Microsoft services. This ensures that Microsoft customers can freely move data through Microsoft’s cloud from the EEA to the rest of the world.
However, Microsoft enterprise customers, who are the controllers of the personal data, carry the primary obligation to protect that data. This means that EEA enterprise customers have a strong interest in ensuring that their service provider abides by EU data protection laws, or the customer can face liability—and even blockage of its ability to use a service.
On a practical level, compliance with EU data protection laws also means that customers need fewer approvals from individual authorities to transfer personal data outside of the EU, since most EU member states do not require additional authorization if the transfer is based on an agreement that complies with the Model Clauses.
Microsoft provided its Standard Contractual Clauses to the EU's Article 29 Working Party for review and approval. The Article 29 Working Party includes representatives from the European Data Protection Supervisor, the European Commission, and each of the 28 EU data protection authorities (DPAs).
The group determined that implementation of the provisions in Microsoft agreements was in line with their stringent requirements. (Microsoft was the first cloud service provider to receive a letter of endorsement and approval from the group.) Approval covered the engagements reflected in Model Clauses 2010/87/EU but not in the appendices, which describe the transfers of data and the security measures implemented by the data importer. The appendices need to be completed by Microsoft and its clients when signing the contract and may be analyzed separately by the DPA.
What is the EU Data Protection Directive 95/46/EC?
This directive sets the baseline for handling personal data in the EU. It provides the regulatory framework under which Microsoft transfers personal data out of the EU. Under this directive and our contractual agreements, Microsoft acts as the data processor of customer data. The customer acts as the data controller, with final ownership and responsibility for ensuring that the data can be legally provided to Microsoft for processing outside of the EEA.
Why is compliance with the Model Clauses important?
A service provider that commits contractually to the Model Clauses gives its customers assurance that personal data will be transferred and processed in compliance with EU data protection law. Use of the Model Clauses also means that customers need to get fewer approvals from individual data-protection authorities to transfer personal data outside the EU.
Which Microsoft services are in scope for EU Model Clauses?
Covered services include:
Where can I see compliance information for Microsoft services?
Compliance is a contractual commitment. Microsoft Standard Contractual Clauses are available to all cloud customers in the Online Services Terms; for other services, see your existing agreement with Microsoft.
What is a "sub-processor"?
A "sub-processor" is someone who processes personal data following the data controller’s instructions, as well as the terms of the EU Model Clauses and the subcontract. Microsoft customers—independent software vendors (ISVs), in particular—are sometimes themselves data processors; in those instances, Microsoft is the sub-processor.
Where do I start with my own organization’s compliance efforts?
Enter into an agreement such as the Online Services Terms, or explore amending your existing agreement to incorporate the Standard Contractual Clauses.
Microsoft continually assesses the EU standards, and updates its services as needed.