Following the Schrems II ruling in July of this year, Microsoft has evidently given the matter some thought. With immediate effect, the company intends to defend itself against or contest inquiries by the US authorities and, in case of doubt, pay damages to those affected.
Not for private customers
However, Microsoft's improved measures apply only to corporate customers and customers from the public sector; private customers are excluded from the changes. In essence, Microsoft is changing how access to the data is handled. Whenever the US authorities want to access the data of Microsoft customers, the company intends to contest this. If the authorities do attempt to access the data, the customers will be compensated. Microsoft sees this as a protective measure for customers who have to transfer their data out of the EU. The changes take effect immediately and will be included in the contracts. The Group is convinced that its measures are in line with data protection requirements. However, this does not mean that the data transfer will be stopped.
With these protective measures, the Group intends to challenge any attempt by a government agency to access data. This means not only access attempts by the U.S. government, but by any government agency. If the data is then accessed, Microsoft wants to pay damages if the GDPR is violated. According to Microsoft, this would go beyond the legal obligations. However, the GDPR also provides for damages in the event of such a violation.
What happens next, and the recommendations of the EDSA
Since the Schrems II ruling, companies have done little to address the abolition of the Privacy Shield Agreement. With Microsoft's change of position, a large corporation is, at least for once, taking steps in the right direction. This is also the view of the data protection commissioner of Baden-Württemberg. Dr. Stefan Brink continues: “It is good and necessary for the company to comply with European data protection legislation and amend its contractual clauses accordingly.” Standard contractual clauses should always be concluded for the transfer of data to the USA or other third countries. The EU Commission is currently working on new ones to address this problem. When personal data is transferred to the USA or third countries, the European Data Protection Committee (EDSA) therefore recommends “additional measures”. These measures should correspond to the level of protection in the EU. Microsoft's concessions do not yet provide a clean solution to the problem of data transfer, but they are a start. As the saying goes: “The way is the goal.”