EU Data Protection Authorities Endorse Microsoft’s Cloud Computing Agreement

April 13, 2014

For all the European Commission’s talk of unleashing the potential of cloud computing, concern about the attitude of data protection authorities remains a major obstacle to the adoption of cloud computing in Europe.  Companies looking to migrate services to the cloud must navigate a labyrinth of domestic legislation, data protection authorities’ guidance and Article 29 Working Party (A29WP) opinions, as well as trying to divine the authorities’ intentions from the enforcement action they have taken against others. 

So, the announcement from the A29WP that the EU data protection authorities have endorsed Microsoft’s agreement for cloud services is a big step in the right direction.  The data protection authorities have confirmed that Microsoft’s agreement conforms to the European Commission’s standard contractual clauses for transfers to processors in third countries.  That might seem like an odd pronouncement to those familiar with Microsoft’s cloud services, given that Microsoft has for some time been prepared to incorporate the standard contractual clauses into its agreements.  Nevertheless, it is helpful to have confirmation from the data protection authorities that the whole agreement, including the standard contractual clauses, complies with the Commission’s decision (2010/87/EU).  The endorsement is also likely to improve the prospects of obtaining a speedy approval from the authorities in those jurisdictions where this is still a requirement (approval is required in some EU member states even in cases where the Commission’s standard contractual clauses are used). 

The A29WP has stopped short of expressing a view on whether Microsoft’s agreement complies with EU data protection law as a whole, no doubt sensitive about poaching on the preserves of the national data protection authorities.  Since the Commission’s standard contractual clauses address only the restrictions on transfers to third countries (that is, the provisions of national law implementing Chapter IV of the Data Protection Directive), it remains open to data protection authorities to raise objections on other grounds to the appointment of a data processor.  The A29WP has also made clear that the analysis carried out by the national data protection authorities concerns only the clauses themselves, leaving individual authorities free to raise issues on the content of the Annexes (which describe the data transfers and the security measures implemented by Microsoft).

However, two changes that Microsoft is making to its agreement in areas that often raise the authorities’ hackles are likely to go some considerable way towards addressing any remaining concerns. 

The first is an obligation on Microsoft to provide prior notice before appointing any new sub-processors, together with a right for the customer to terminate the agreement early if it objects to a proposed appointment.  The supplier’s use of sub-processors is often a sticking point in negotiations, particularly with customers who are more used to traditional outsourcing contracts (in which the customer can typically veto the appointment of a sub-processor).  The A29WP confirmed in its Opinion 05/2012 (WP 196) that, whilst the use of sub-processors requires the customer’s consent, this can generally be given up-front as long as the supplier is required to notify the customer of any new sub-processors and the customer can terminate the agreement if it objects.  Microsoft’s new agreement appears consistent with the approach suggested by the A29WP, which is bound to be helpful when dealing with national data protection authorities.  

The second change is a commitment to delete data within a certain period after termination of the agreement.  This is a point often raised by customers, and also by those data protection authorities that insist on the right to approve any transfer of data outside the EEA.  Many cloud suppliers’ standard terms simply provide that the supplier has no obligation to retain the customer’s data after a certain period following termination.  When pushed, suppliers will usually commit to deleting data within a reasonable time, but without specifying how long that is likely to be in practice.  Microsoft’s agreement to delete data within a specific period is a significant improvement in this respect.  Data controllers will of course need to consider whether the deletion period that Microsoft has proposed is acceptable in view of their own processing activities (having regard in particular to the nature of the data and any undertakings given to data subjects).

It is also worth noting that the standard contractual clauses apply only to transfers to processors in third countries, and don’t have any formal legal status in relation to transfers to processors within the EEA.  This means that, strictly speaking, the view expressed by the A29WP has limited impact on customers whose data is stored only in Microsoft’s European data centres (‘limited’ because, even in this model, support services will often be provided from outside the EEA).  Even here, though, data controllers can draw a good deal of comfort from the fact that the EU data protection authorities have approved Microsoft’s agreement for transfers to processors outside the EEA; if the terms are satisfactory for transfers outside the EEA, there is no obvious reason why the same should not also be true for transfers within the EEA.  And in the post-Snowden world we now inhabit, authorities have little incentive to make it more difficult for data controllers to keep data within the EEA than to export it to third countries.

Overall, the A29WP’s announcement is a positive development, not just for Microsoft and its customers but for the whole cloud computing industry.  Data protection authorities have traditionally shied away from endorsing individual suppliers’ agreements, leaving customers to argue with suppliers (often at great length) about whether their standard terms comply with data protection law.  This has led to uncertainty and impeded the adoption of cloud computing, particularly in jurisdictions with more rigorous data protection regimes.  The data protection authorities’ willingness to endorse individual suppliers’ terms brings some much-needed clarity and will be welcomed by suppliers and customers alike. 

Credit, too, to Microsoft for the way it’s gone about this.  Rather than waiting for data protection authorities to engage with it, Microsoft actively sought the authorities’ opinion, and demonstrated a willingness to take on board the authorities’ comments and adapt its terms accordingly.  Some may have thought that inviting this kind of criticism was a major gamble.  It probably was.  For Microsoft, it’s definitely paid off.

Joel Harrison is a senior associate in the London office of Milbank, Tweed, Hadley & McCloy LLP. 

For the Article 29 Working Party letter, see http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140402_microsoft.pdf

For Microsoft’s reaction to this endorsement, see http://blogs.technet.com/b/microsoft_blog/archive/2014/04/10/privacy-authorities-across-europe-approve-microsoft-s-cloud-commitments.aspx