Microsoft’s initial response to Schrems II and the EDPB recommendations.

As is well known, the ECJ invalidated the Privacy Shield in its Schrems II judgment (the European one, but in effect also the Swiss one), and last week the EDPB published draft (and quite questionable) guidelines on it. Now that the EU Commission has also presented new standard contractual clauses, likewise as a draft, the complexity of the issue of foreign transfers has reached a level that companies (and authorities!) can hardly cope with. Companies will therefore increasingly request support from the major US providers.

Microsoft is now, as far as can be seen, the first of these providers to have commented explicitly and publicly on Schrems II. On November 19, 2020, Microsoft released a statement through Julie Brill, the highly respected head of privacy at Microsoft (“New Steps to Defend Your Data”). In it, Microsoft gives assurances that it will:

  • challenge all access to customer data at Microsoft by all government agencies (whether government or private), to the extent permitted by applicable law, and
  • financially compensate the customers concerned in the event of disclosure of customer data.

Microsoft holds out the prospect of including corresponding commitments in its contracts with immediate effect – whether this also applies to existing contracts or only to newly concluded ones remains open, which rather points to the former.

In doing so, Microsoft is helping to reduce the Schrems II risks of its customers, who must continue to assess these risks.
