Analysis of Microsoft’s new “European digital commitments”

Published: 5 May 2025   /   Updated: 5 May 2025
Category: Perspectives

Microsoft’s “European digital commitments” - the appearance of meaningful action while not solving the real problems at hand

On 30 April 2024, Microsoft announced “new European digital commitments” apparently intended to calm the company’s European customers, as well as European policymakers.

Jutta Horstmann has written a succinct analysis while Computerworld has an article on the subject.

Here I provide my analysis. What do Microsoft’s new “European digital commitments” actually mean in practice?

Some of Microsoft’s claims are old news repackaged as new.

The announcement is clearly similar to certain other announcements I have seen from US cloud providers. These announcements sometimes give the appearance of action, and indeed sometimes actual action is taken, but without clarity on what actual problems those actions are intended to solve. An example of this is Microsoft’s so-called “EU Data Boundary”.

EU Data Boundary

Microsoft has apparently been working for years on its “EU Data Boundary”. Naturally, it also gets a mention in this most recent announcement. In fact, it isn’t so much a boundary. That word is likely to evoke the image of protection against outside forces. The EU Data Boundary is simply a Microsoft-controlled, localised mode of service delivery.

The EU Data Boundary reduces, or perhaps in some situations actually removes, Microsoft’s intentional transfers of personal data to third countries as part of its service delivery. What use does this have?

US surveillance laws like FISA 702 are by all accounts extraterritorial. Under those laws, US authorities can compel a US cloud provider to give access to data even when the US cloud provider processes those data in its EU cloud regions. It is therefore difficult to understand what problem, if any, the EU Data Boundary even intends to solve for European customers.

A more likely explanation would seem to be that the EU Data Boundary gives the appearance of effective protection. It certainly signals some kind of action – even expensive action, because why take such action if it wasn’t highly useful? However, it does not actually appear to deliver effective protection against US surveillance, and as far as I can tell, Microsoft has never claimed that it does.

Now, let’s look at some other relevant parts of Microsoft’s new announcement, piece by piece.

Investments in Europe

Microsoft says:

Microsoft is investing tens of billions of dollars annually in expanding its datacenters across Europe. These investments aren’t on wheels. They are permanent structures and subject to local laws, regulations, and governments.

Microsoft implies that they are as dependent on Europe as we are on them. This is of course plainly not true. Microsoft’s customers tend to be locked in to the company’s cloud technology and ecosystem, something more and more customers are loudly complaining about.

This dependency is one-sided, in Microsoft’s favour, and to Europe’s detriment.

European laws and agreements

Microsoft says:

We understand that European laws apply to our business practices in Europe, just as local laws apply to local practices in the United States and similar laws apply elsewhere in the world. This includes European competition law and the Digital Markets Act, among others. We’re committed not only to building digital infrastructure for Europe, but to respecting the role that laws across Europe play in regulating our products and services.

This claim rings hollow, not least because Microsoft has time and again violated European laws, including in the areas of competition and privacy.

To get a deeper understanding of Microsoft’s approach to complying with the law, we can look at Microsoft’s operations in China. In 2017, China enacted a law requiring all organisations and citizens to cooperate with China’s intelligence agencies in matters of national security. In a 2024 congressional hearing, Microsoft’s President Brad Smith said Microsoft did not comply with this law, and even implied he had defied certain requests. This was despite the fact that the Chinese government hadn’t given Microsoft an exemption from complying with the law.

Microsoft’s President explained:

There are two types of countries in the world, those that apply every law they enact and those that enact certain laws, but don’t always apply them.

According to Microsoft’s President, for this particular law, China was in the second category—when push came to shove, the country had not enforced its own law against Microsoft. Furthermore, Microsoft’s President justified the company’s presence in China by saying that it serves the interests of the United States.

The message to us Europeans should be clear: Microsoft will gladly operate in a country and willingly disobey that country’s laws, at least as long as the country has not enforced those laws against Microsoft.

We should keep this in mind when EU supervisory authorities have refrained from enforcing the GDPR, for example after the Schrems II judgment when standard contractual clauses were used without effective protection against US surveillance. Such lack of enforcement can be seen as a signal to US cloud providers that they and their customers can violate EU law, in this case the GDPR, without consequence. In one sense we thus have a law, but in another, more real sense, since that law is not enforced it may as well not exist, at least not in the eyes of US cloud providers.

We could even do a thought experiment and apply Microsoft’s attitude more broadly, to potential and current customers. If Microsoft allows itself to violate laws which aren’t enforced, why wouldn’t Microsoft in principle allow itself to violate agreements with its customers, as long as the customers do not enforce those agreements?

Here it is relevant to point out that Microsoft’s agreements, in my experience, are notoriously difficult to even get a grip on. I don’t seem to be alone in this view. In fact, researchers determined that out of 140 examined Swedish public sector organisations, not a single one even had access to all the applicable contractual terms for those organisations’ use of a popular Microsoft SaaS solution.

Now, let’s imagine your organisation is bound by Microsoft’s terms. Next, an unlikely event happens: you actually achieve an excellent understanding of all the applicable terms, including cross-references, links to websites whose content could change at any moment, and so on. Not only that, you keep up with every single change to those terms over time.

Even so, Microsoft’s standard agreement says:

This agreement is governed by Washington law, without regard to its conflict of laws principles … Any action to enforce this agreement must be brought in the State of Washington.

What are the chances your organisation would ever actually enforce such an agreement? That you would bring a case in a foreign jurisdiction, under a foreign interpretative framework with US case law at its foundation? Not to mention it would be against Microsoft, which drafted the agreement and has an army of lawyers who would be defending the company on its own turf?

Be honest now.

We could, perhaps, even phrase things this way:

There are two types of customers in the world, those that enforce every agreement they agree to and those that enter into certain agreements, but don’t always enforce them.

What type of customer do you think Microsoft expects you are?

By the way, according to Microsoft’s Online Services Subprocessors List, Microsoft relies on contract staff from a company headquartered in China. Microsoft explicitly says staff in China may process customer data.

A European oversight board

Microsoft says:

Microsoft is headquartered in the United States, but we provide cloud services to Europe through corporate entities headquartered in Europe. To further cement the nexus between Microsoft and Europe, going forward our European datacenter operations and their boards will be overseen by a European board of directors that consists exclusively of European nationals and operates under European law.

Microsoft isn’t even saying this oversight board will make any practical or legal difference. The company doesn’t claim it will protect European customers’ data from being accessed by US authorities, nor protect its customers from losing access to the company’s cloud services.

Microsoft just says this will “further cement the nexus” between Microsoft and Europe, whatever that means.

This is another example where the company can demonstrate some kind of action which might look good at a surface level. However, we don’t get any clarity on what problem, if any, that action is even intended to solve.

Contesting orders to suspend services

Microsoft says:

In the unlikely event we are ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court … We are confident of our legal rights to ensure continuous operation of our datacenters in Europe. And we are prepared to back this confidence with our contractual commitments to European governments.

First, we should expect nothing less than Microsoft putting up a legal fight against an order which pulls the plug on the company’s service delivery. But even if Microsoft did not challenge such an order, how would you even enforce that against the company? It seems futile to try to make Microsoft wage a legal battle it does not want to fight. And does anyone care to guess what the limitation of liability and damage cap look like if Microsoft doesn’t follow through? At the end of the day, if Microsoft is pressured and faces a choice between doing what’s best for their shareholders and what’s best for their European customers, the company is obliged to protect its shareholders, even if that means reneging on its commitments to its customers.

Second, even if Microsoft does vigorously challenge such an order, it doesn’t mean Microsoft would win.

If the US administration is within its authority to issue such an order, Microsoft would be obliged to comply with it. Microsoft’s commitment doesn’t say otherwise – it basically just means that Microsoft will not do more than the company has to under law.

As for Microsoft’s confidence in its legal rights, one wonders if the company has taken in legal developments in the United States. The rule of law in the US is under attack in more ways than can be counted. It is sufficient to note that Trump has used national security as a pretext for numerous decisions. He has also appointed judges to both the Supreme Court and lower courts who have deferred to the president’s authority or otherwise protected him in cases before the courts. If Microsoft is truly confident in its legal rights, that confidence does not appear to be anchored in reality.

Continuity partnerships, code storage

Microsoft says:

Finally, we will designate and rely upon European partners with contingency arrangements for operational continuity in the unlikely event Microsoft were ever required by a court to suspend services. We are already enabling our partners in France and Germany to do this for the Bleu and Delos datacenters, and we will pursue arrangements for our public cloud datacenters in Europe. We will store back-up copies of our code in a secure repository in Switzerland, and we will provide our European partners with the legal rights needed to access and use this code if needed for this purpose.

Microsoft has partnered with a couple of European companies to provide Microsoft Azure and M365 services from European-controlled and managed data centres. However, this offering only reaches a limited number of customers, and the code repository will apparently only be available to certain Microsoft partners. Regarding the code, there is the question of whether functioning and up-to-date build environments are included. Without those, it won’t be possible to compile the code into usable form. And how would Microsoft update the code, especially after it has been forced to suspend services? It is not realistic to expect European partners to maintain a massive set of proprietary Microsoft code over time.

Now let’s consider the situation for customers if the Microsoft plug is pulled. Are all of Microsoft’s European customers expected to move into a few selected partners’ infrastructure? It took more than three and a half years from when Bleu was announced to the expected time deliveries would start.

If Microsoft suspends its services, will there be enough capacity in Europe for everyone who needs it? Will prices be anywhere near reasonable as customers scramble for space? I don’t know (and who does?), but my guess is that the answer to these questions is no.

Besides, this option presupposes that European organisations have ongoing backups, which are entirely separated from US cloud providers’ infrastructure. That seems like an expensive, cumbersome prospect, affecting customers regardless of whether Microsoft’s services end up suspended.

Finally, this path does not solve the problem of vendor lock-in, where Microsoft can charge ever-increasing prices, thus eroding European value creation.

It is simply a fundamentally flawed setup from start to finish.

Security and encryption

Microsoft further mentions its security work, and encryption options supposedly preventing even Microsoft from being able to access data in plain text. First, it seems those encryption options are only available for certain narrow scenarios. We have already written about these types of measures, and why we haven’t seen them as a viable way to use US clouds despite US surveillance.

Second, it is relevant to mention that Microsoft’s security work, in particular related to encryption, was harshly criticised in a 2024 report published by the US Department of Homeland Security. Among other things, the report highlighted “a cascade of security failures at Microsoft”, said Microsoft had suffered a “preventable” intrusion and that the company’s security culture was inadequate, in part due to “Microsoft’s failure to detect the compromise of its cryptographic crown jewels”.

We have also written about a situation where BSI, the German Federal Office for Information Security, asked Microsoft security- and encryption-related questions without receiving clear answers back. The issue concerned Microsoft’s use of so-called double-key encryption (DKE). By using two keys, one of which always remains with the customer, DKE is meant to prevent data leaks in specially secured environments.
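To make the two-key property concrete, here is an added illustration of the principle; it is not Microsoft’s DKE code and not part of this article. A document is encrypted under a fresh content key, and that content key is wrapped once under a customer-held key and once under a provider-held key, so plaintext can only be recovered when both holders cooperate. The sample keys, the sample document and the HMAC-SHA256 keystream standing in for AES are assumptions of the example so that it runs with the Python standard library alone.

```python
"""Two-key wrapping as used in double-key encryption, as a constructed demo.

Not Microsoft's implementation. The content key that encrypts a document is
wrapped under the customer-held key and then under the provider-held key.
Either key on its own yields nothing usable. AES is replaced by an
HMAC-SHA256 keystream with an encrypt-then-MAC tag (toy cipher, demo only).
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample keys and document (assumptions for the demo only).
CUSTOMER_KEY = hashlib.sha256(b"customer key server - constructed").digest()
PROVIDER_KEY = hashlib.sha256(b"cloud provider key vault - constructed").digest()
WRONG_KEY = bytes(32)  # stands in for "this key holder is absent"
SAMPLE_DOCUMENT = b"Board minutes: constructed sample content for the demo."


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (toy counter-mode PRF)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC under one key)."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError for a wrong key."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(key, nonce, ciphertext)


def protect(document: bytes, customer_key: bytes, provider_key: bytes) -> dict:
    """Encrypt a document under a fresh content key, then double-wrap that key."""
    content_key = os.urandom(32)
    inner = encrypt(customer_key, content_key)  # layer only the customer can remove
    outer = encrypt(provider_key, inner)        # layer only the provider can remove
    return {"body": encrypt(content_key, document), "wrapped_key": outer}


def unprotect(package: dict, customer_key: bytes, provider_key: bytes) -> bytes:
    """Both key holders must unwrap their layer before the body can be read."""
    inner = decrypt(provider_key, package["wrapped_key"])
    content_key = decrypt(customer_key, inner)
    return decrypt(content_key, package["body"])


def can_decrypt(package: dict, customer_key: bytes, provider_key: bytes) -> bool:
    """True only when both keys match the ones used at protection time."""
    try:
        unprotect(package, customer_key, provider_key)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Protect the sample document and report which key combinations can read it."""
    package = protect(SAMPLE_DOCUMENT, CUSTOMER_KEY, PROVIDER_KEY)
    return {
        "both_keys": can_decrypt(package, CUSTOMER_KEY, PROVIDER_KEY),
        "provider_only": can_decrypt(package, WRONG_KEY, PROVIDER_KEY),
        "customer_only": can_decrypt(package, CUSTOMER_KEY, WRONG_KEY),
        "round_trip": unprotect(package, CUSTOMER_KEY, PROVIDER_KEY) == SAMPLE_DOCUMENT,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The property the demo shows is narrow: a key that never leaves the customer’s key server cannot be handed over by the provider, so data protected this way stays unreadable to anyone holding the provider’s key alone. It says nothing about whether plaintext was exposed somewhere else, for instance before encryption on a compromised endpoint, which is exactly the kind of question the article says BSI could not get answered.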

However, after Microsoft suffered a particularly bad incident, it gave BSI information so unclear that BSI couldn’t assess if the attackers were able to access data in plain text anyway. “Even after repeated requests and threats of legal action, Microsoft did not provide the requested information. Therefore, BSI is now using the legal instruments at its disposal,” a BSI spokesperson explained, as heise Security reported.

In summary, we argue that this doesn’t inspire confidence in Microsoft’s ability to protect customer data using encryption.

Conclusions

I agree with Jutta Horstmann’s analysis that Microsoft’s announcement is a sign of desperation. It seems designed to give the appearance of meaningful action while not solving the real problems at hand.

My conclusion is that those who are still mentally locked in to Microsoft’s cloud might happily sing this announcement’s praises, primarily fooling themselves in the process.

Those who understand that Europe needs real digital sovereignty, or who are even just open to trying alternatives to US cloud providers, won’t be fooled.
