What are the European Union (EU) Standard Contractual Clauses (also known as the "Model Clauses")?
The EU Model Clauses allow customers to comply with the EU’s Data Protection Directive relating to cross-border transfers of personal data.
The EU’s data protection laws restrict exporting personal data from the European Economic Area. The Model Clauses, standard contractual clauses approved by the European Commission, are a preferred way to legitimize the transfer of personal data outside the European Economic Area.
Global cloud service providers offering enterprise-level service, availability, and performance, along with ancillary services such as 24/7 customer and technical support, need flexibility to move personal data of an EU customer outside of the EU in the course of providing the cloud service.
While Microsoft and our customers may rely on the "Safe Harbor" framework to legitimize the transfer of personal data from the EU, some European data protection regulators have said the Safe Harbor framework may not be sufficient for an enterprise cloud services environment.
What is the Microsoft position on the EU Model Clauses?
Microsoft is willing to sign data processing agreements containing EU standard contractual clauses with all our Office 365 and Microsoft Dynamics CRM Online customers regardless of the customer’s size or the value of the customer’s Office 365 or Microsoft Dynamics CRM Online service contract.
How do I compare Office 365 or Microsoft Dynamics CRM Online with competitors who do not offer the EU Model Clauses? What benefits or additional controls does Office 365 or Microsoft Dynamics CRM Online offer by virtue of offering to sign the EU Model Clauses?
Offering the EU Model Clauses involves investing in and building the operational controls and processes required to meet the exacting requirements of the EU Model Clauses. To comply with the EU Model Clauses, Microsoft has invested in the development of controls and processes over and above those required to achieve ISO 27001 certification, and we are audited against these controls in our annual audit. In addition, we provide full disclosure of sub-processors, third-party-beneficiary status for data subjects, and full disclosure of technical and organizational security measures. It is possible that competitors who do not offer the EU Model Clauses either have not implemented these controls and processes or have existing business practices that prevent their compliance with these clauses.
Can an EU customer trust a cloud service provider who does not offer the EU Model Clauses?
Unless a cloud service provider is willing to agree to the EU Model Clauses, it may be difficult for a customer to have confidence that it can comply with the EU Data Protection Directive’s requirements for the transfer of personal data from the EU to jurisdictions that do not provide "adequate protection" for personal data. Indeed, the Article 29 Working Party has emphasized the importance of establishing contractual safeguards in the data controller–data processor (that is, the customer–cloud service provider) relationship and has underscored the importance of the EU Model Clauses.
If a cloud service provider claims to encrypt data, does that eliminate the need to have that service provider sign the EU Model Clauses?
No. EU data protection authorities do not generally view encryption as an alternative to adequacy measures for cross-border transfers of personal data.
How does a customer differentiate between cloud service providers when they both offer the EU Model Clauses?
Customers should consider the service provider’s overall commitment to data privacy and security in addition to the EU Model Clauses. A service provider that proactively works with national data protection authorities and the Article 29 Working Party demonstrates such commitment, and that engagement helps ensure that the service provider’s offering meets the expectations of both customers and regulators.
How have EU data protection authorities responded to the Microsoft approach to the EU Model Clauses?
Microsoft has received many favorable reviews from European data protection authorities in support of Office 365's and Microsoft Dynamics CRM Online's strong privacy compliance features, clearly demonstrating again that Microsoft is engineering its cloud services with privacy by design.
To date, we have written validation from data protection authorities in France, Germany (Bavaria), Denmark, Ireland, Luxembourg, Malta, and Spain on our approach to the EU Model Clauses. These validations confirm that we help our customers meet their regulatory requirements regarding the transfer of personal data from the EU to jurisdictions that do not provide "adequate protection" for personal data.
An EU customer can move to Office 365 or Microsoft Dynamics CRM Online and comply with EU data protection requirements.
Do the privacy features, controls, and processes that Microsoft has implemented to offer the EU Model Clauses apply to all Office 365 customers, or do they apply only to customers that sign the EU Model Clauses?
Office 365 is a multi-tenant service, and Microsoft runs the service with the same privacy features, controls, and processes for all customers, even those customers that elect not to sign the EU Model Clauses.