Out-Law News

Microsoft to adopt EU-US Privacy Shield


Microsoft has announced its intention to sign up to the EU-US Privacy Shield as a means of transferring personal data between the EU and US in line with the requirements of EU data protection laws.

The US technology giant confirmed its plans in a statement issued in response to a formal notice served on the business by France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL).

In the notice CNIL said Microsoft is "transferring its account holders’ personal data to the United States on a 'Safe Harbour' basis", despite the Safe Harbour framework for EU-US data transfers being invalidated by the Court of Justice of the EU last year.

In response Microsoft defended its data transfer arrangements and revealed plans to adopt the Privacy Shield, which has been established by EU and US officials as a replacement framework to Safe Harbour for facilitating trans-Atlantic data flows.

David Heiner, Microsoft vice president and deputy general counsel, said: "We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both sides of the Atlantic that led to last week's adoption of the Privacy Shield."

"Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and US representatives worked toward the new Privacy Shield… In addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States," he said.

"Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield," Heiner said.

US businesses will be able to self-certify their compliance with the EU-US Privacy Shield's privacy principles from 1 August. A system of annual re-certification will apply. The European Commission last week adopted a finalised 'adequacy decision' (44-page / 486KB PDF) which contains its view that businesses transferring personal data from the EU to the US in line with the Privacy Shield principles will accord with EU data protection law standards.

In its statement CNIL also called on Microsoft to take steps to reduce the amount of personal data it collects via its new Windows 10 operating system, limit the times incorrect log-in credentials can be typed in by users of Microsoft accounts and address issues of customer consent to online tracking and targeted advertising. Microsoft also needs to better explain its use of "advertising cookies" and allow internet users to stop them from being stored on their devices, CNIL said.

Microsoft has been given three months to make changes that align with French data protection laws.

Heiner said: "We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable."
