An Engineer’s Take on Microsoft Azure and GDPR

Written by Marlon Alagoda | 22 May 2023

In 2018, the European General Data Protection Regulation (GDPR) was introduced to give citizens more control over their data and to increase the transparency and accountability of companies that process data. It also aims to foster trust between citizens and companies.

Since then, the cloud market has more than tripled in size, with no end of growth in sight. But how can cloud technologies and the GDPR be reconciled? As a software engineer, you can sometimes feel torn between modern cloud technologies and corporate compliance, data protection, or legal departments. On the one hand, you’re inundated with new capabilities that help you meet ever-crazier timelines; on the other hand, someone needs to make sure everything is legally compliant.

Large cloud providers like Microsoft Azure have recognized the need for legal and data security and offer a broad set of measures to meet that need. But is this just advertising, or do these measures really make a difference?

GDPR principles

The GDPR is a law designed to protect individuals’ privacy and personal data in the European Union (EU). Its principles include:

  1. Lawfulness, fairness, and transparency: Personal data must be collected and processed legally, fairly, and transparently.
  2. Purpose limitation: Personal data must only be collected for specific, explicit, and legitimate purposes.
  3. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  4. Accuracy: Personal data must be accurate and kept up to date.
  5. Storage limitation: Personal data must be kept for no longer than is necessary for the purposes for which it is processed.
  6. Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
  7. Accountability: Controllers must be able to demonstrate compliance with GDPR principles and be accountable for their processing activities.

If you violate one of the principles of GDPR, you may face fines and other sanctions. The severity of the fine will depend on the specific violation, the level of negligence, and the size of your organization.

The maximum fine for a GDPR violation is up to 4% of a company’s global annual revenue or €20 million, whichever is higher. This means that even small businesses can face significant penalties for non-compliance. Less severe violations may result in fines of up to 2% of annual revenue or €10 million, whichever is higher. However, in some cases, regulators may choose to issue warnings, reprimands, or other corrective measures instead of fines.

It’s important to note that fines are not the only consequence of GDPR violations. Companies that violate GDPR may also face damage to their reputation, loss of customer trust, and legal action from affected individuals.

GDPR and the USA

US data protection laws differ significantly from those in the EU, which can create challenges for companies operating across borders. For example, US law enforcement and national security agencies have broad access to personal data, and private companies have fewer restrictions on collecting, using, and sharing personal data in the US.

The Safe Harbor and EU-US Privacy Shield frameworks were created to bridge this gap by providing a mechanism for US companies to demonstrate that they offer adequate protection for personal data transferred from the EU to the US. By complying with the principles of these frameworks, US companies could receive personal data from the EU without violating EU data protection laws.

However, the European Court of Justice ruled that the Safe Harbor and EU-US Privacy Shield frameworks did not adequately protect personal data transferred to the US, which led to their invalidation.

The fact that there is no GDPR-compliant regulation between the EU and the US puts much more risk on companies that want to use US hyperscalers like Azure, GCP, or AWS.

Am I allowed to use Microsoft Azure in the EU?

Be aware that the following only applies to Microsoft Azure; there might be other problems and solutions for products like Office365, Power Platform, etc.

Let’s assume you are developing an e-commerce solution and want to run it in Microsoft Azure because it saves you a lot of time and spares your customer a lot of operational hassle. The most important thing to consider is the location of your services and your data. When your customer’s data touches US soil, you technically can’t guarantee GDPR compliance.

You probably know that you can deploy compute resources like Functions, App Services, VMs, or databases to certain regions. Plenty of Azure regions are located in Europe, and Microsoft is even building a data center in Austria. The question remains whether Microsoft guarantees that your customer’s data doesn’t leave that region.

Microsoft is committed to complying with European law. They recently announced the rollout of the EU Data Boundary and met the second level of compliance with the EU Cloud Code of Conduct. So what’s the fuss about?

While Microsoft ensures that your compute resources remain within your designated region, it is important to consider the usage of SaaS or PaaS products such as “Azure Active Directory (AAD)” and “Cosmos DB.”

With Azure’s globally distributed Cosmos DB, you can manually select the database replication locations. AAD, by contrast, is a critical and central component for numerous applications, so it is crucial to understand its impact on GDPR compliance.

Some AAD functionalities are permanently excluded from the EU Data Residency and Boundary, and some only temporarily. That means if you use these features of AAD, your customer’s data might leave the EU, and the solution you built is no longer GDPR-compliant. These AAD features include Multi-Factor Authentication, Directory Connect, Self-Service Group Management, Enterprise App Management, and the Sign-In and Account page.

You can find a list of services that might send data across EU borders on Microsoft’s “Customer data storage and processing for European customers in Azure Active Directory” page.

As an engineer, you can address this with one of the following three options:

  1. Your application might not offer login functionality
  2. You use one of many open-source identity management solutions like Keycloak
  3. You don’t use the affected features, like Multi-Factor Authentication of AAD

As an engineer, I think that’s fairly easy to consider and still leaves a lot of space for improved development speed and decreased operation costs using Azure.

Other SaaS or PaaS products might have smaller limitations of their own, which are described in the compliance section of the respective Microsoft documentation.

Remaining challenges

Employees

Your employees need a Microsoft Active Directory account if they want to use the Azure Cloud or other Microsoft products. You’ll need to ensure they are okay with the consequences of their account data leaving the EU. You can do that in a privacy agreement.

Regulators

On top of all of that, be aware that other regulatory requirements might apply. As an example, the Austrian Finanzmarktaufsicht (FMA, the banking regulator) published a paper, “Leitlinien zum Outsourcing an Cloud-Anbieter” (“Guidelines for outsourcing to cloud providers”). The FMA allows you to use cloud providers if you follow some rules, such as having an exit strategy, doing due diligence, and proper risk management. If you don’t follow their guidelines, you might be compliant with GDPR but still get warnings and eventually lose your banking license. Such regulations likely extend beyond the banking sector.

CLOUD Act

The Clarifying Lawful Overseas Use of Data (CLOUD) Act is a US law that was signed in 2018. It requires that US-based service providers disclose data that is in their “possession, custody, or control” regardless of where the data is located. However, previous legal and privacy protections still apply and prevent companies from sharing any data with law enforcement. According to Microsoft, your data won’t be shared with anyone without a search warrant or court order against you. You can read detailed FAQs on Microsoft’s Data Law page, including numbers and statistics.

However, critics say that this law allows the US government to bypass US courts, and affected users would not have to be notified when such warrants were issued (see: cnn.com, theverge.com, boxcryptor.com).

GDPR checklist for building on Microsoft Azure

  • If you use Power Platform, Dynamics 365, Office 365, or other Microsoft products, do your own research and check the current data boundary options, as this article does not cover them.
  • Make sure your Microsoft tenant is created in Europe.
  • Only use compute resources that can be located in Europe.
  • Check whether Microsoft provides product-specific GDPR guidelines on the Service Trust Portal or in the compliance section of the product documentation.
  • If you use the Azure Active Directory to manage your application’s users, be aware of the listed limitations.
  • If you use the Azure Active Directory to manage your employees, ask them whether they are okay with that.
  • If there are industry-specific regulations on cloud computing, make sure to follow them.
  • Be aware that the CLOUD Act is considered a risk, and the European Union might tighten its regulations if the US law doesn’t change.
  • Take care of other GDPR requirements not connected to the location of your application’s data.
  • You should be fine 🙂
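The two location items of the checklist (compute only in European regions, Cosmos DB replicas chosen deliberately) can be turned into a repeatable audit. The following is an added example and not code from the original post: a small offline script that reads the JSON shapes produced by `az resource list` and `az cosmosdb list` and flags anything outside an EU allow-list; the allow-list itself and the sample inventory are assumptions constructed for the example.

```python
"""Offline audit of an Azure inventory against an EU-region allow-list.
Input shapes follow `az resource list -o json` (name/type/location) and
`az cosmosdb list -o json` (locations[].locationName); sample data is constructed."""
import json

# Assumption: region short names in EU member states. Adjust to the list your
# legal team approves; it is not taken from Microsoft's documentation.
EU_REGIONS = {
    "westeurope", "northeurope", "germanywestcentral", "germanynorth",
    "francecentral", "francesouth", "swedencentral", "polandcentral",
    "italynorth", "spaincentral",
}

def normalize_region(name: str) -> str:
    """Map 'West Europe' (Cosmos DB display name) and 'westeurope' to one key."""
    return name.replace(" ", "").lower()

def find_resources_outside_eu(resources: list) -> list:
    """(name, type, location) for every resource whose region is not in the EU.
    'global' resources are reported too: they are not region-bound and need a manual look."""
    return [
        (r["name"], r["type"], r["location"])
        for r in resources
        if normalize_region(r.get("location", "")) not in EU_REGIONS
    ]

def find_cosmos_replicas_outside_eu(accounts: list) -> list:
    """Cosmos DB copies data to every configured replica; flag non-EU ones."""
    return [
        (acct["name"], loc["locationName"])
        for acct in accounts
        for loc in acct.get("locations", [])
        if normalize_region(loc["locationName"]) not in EU_REGIONS
    ]

# Constructed sample inventory: one app in West Europe, one SQL server in the
# US, one global DNS zone, and a Cosmos DB account with a US replica.
SAMPLE_RESOURCES = json.loads("""[
  {"name": "shop-api", "type": "Microsoft.Web/sites", "location": "westeurope"},
  {"name": "shop-sql", "type": "Microsoft.Sql/servers", "location": "eastus"},
  {"name": "shop-dns", "type": "Microsoft.Network/dnszones", "location": "global"}
]""")
SAMPLE_COSMOS = json.loads("""[
  {"name": "shop-cosmos", "locations": [
    {"locationName": "West Europe", "failoverPriority": 0},
    {"locationName": "East US 2", "failoverPriority": 1}]}
]""")

if __name__ == "__main__":
    print(find_resources_outside_eu(SAMPLE_RESOURCES), find_cosmos_replicas_outside_eu(SAMPLE_COSMOS))
```

Against a real subscription, replace the two sample literals with the output of `az resource list -o json` and `az cosmosdb list -o json` and run the audit in CI so that a new replica or a mislocated resource fails the build rather than going unnoticed.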