Microsoft has issued a missive congratulating itself as the first global cloud service provider to get with the new EU Privacy Shield Framework agreed with the US, which must mean your data is safe in its hands, right?
Sadly, the Privacy Shield Framework, like the Safe Harbor agreement that preceded it, relies on US companies self-certifying that they comply with the regulations. In other words, it doesn’t mean that Microsoft’s cloud has passed through a rigorous test procedure and been declared compliant with the privacy rules: it simply means that Microsoft says it is.
Microsoft announced on its Azure blog that it is “proud to become the first global cloud service provider to appear on the Department of Commerce’s list of Privacy Shield certified entities.” This happened on August 12, which anyone can check by going to the US Department of Commerce’s site.
Safe Harbor fell by the wayside following the Edward Snowden revelations regarding the US security services' relentless hoovering up of any and all data. In light of this, the EU brought in a revised agreement, Privacy Shield, which was officially adopted on July 12.
US companies previously operating under Safe Harbor were required to update their compliance activities before certifying with the Department of Commerce that they now complied with Privacy Shield.
Of course, we aren’t suggesting that Microsoft is failing to comply with Privacy Shield, just that the certification is largely meaningless because companies are allowed to judge for themselves whether they meet the criteria.
"Adherence to this framework underscores the importance and priority we at Microsoft put on privacy, compliance, security, and protection of customer data around the globe," the firm said in its announcement. ®