Microsoft Faces GDPR Challenges in Europe over Off-Prem Data Storage

An image of the skyline of Frankfurt, Germany.
The German state of Hesse enacted a partial ban on Microsoft 365 in schools.
Source: Sinan Erg on Unsplash

The General Data Protection Regulation (GDPR) has created a conflict between Germany and Microsoft because the latter allegedly violates GDPR rules. Microsoft was storing personal data in cloud servers (off-premise) rather than in on-premise local data centers.

This has caused Germany to outright ban Microsoft 365 in some regions. This topic has been an ongoing issue for several companies. Many American multinational companies have been out of compliance with the GDPR since the introduction of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018. The CLOUD Act states that the US Government can freely sift through anyone’s data, including non-US citizens. You can see why this might be a potential issue for many people.

In this article, I’ll cover how the GDPR, the 2018 CLOUD Act, and Microsoft all relate. I’ll also go through some potential workarounds for the Microsoft 365 ban. Let’s get started.

The Uneasy Relation between the GDPR and Microsoft

The GDPR is one of the world’s most stringent data privacy and security laws. Even though it was mostly designed for the European Union (EU) and its citizens, this law still affects software companies globally. In other words, if your company collects any data on EU citizens, you must comply with the GDPR. Otherwise, you risk facing issues similar to those between Germany and Microsoft.

So what exactly is the main issue between Germany and Microsoft? Let me explain. In Germany, personal data was always stored in on-prem data centers. In a sense, this data never leaves the country. 

However, after the introduction of the CLOUD Act, Microsoft began to take this data and store it in off-premise cloud storage. Microsoft did this with many other countries in Europe, and not just Germany. 

This caused big problems, as the GDPR states that each citizen’s data must remain within their respective country. So, a German citizen’s data should remain in Germany, and so on. This issue reached a point where Hesse, a German state, enacted a partial ban on Microsoft 365 in local schools.

Another main violation to consider is that Microsoft fails to ensure minors’ data protection. According to the GDPR, individuals under eighteen can’t consent to any form of data storage.

You can see the issues now. So, how does the US CLOUD Act factor into Microsoft’s decisions to abandon its previous GDPR-compliant policy of on-prem data storage? Let’s find out.

The US CLOUD Act of 2018 and Open Access to US Agencies 

The US CLOUD Act of 2018 is extremely controversial in the US and the EU due to its violations of the Fourth Amendment, which protects citizens from unlawful searches and seizures. Under this act, US agencies, such as the FBI and CIA, can request access to a user’s data without their knowledge.

Many civil rights groups, such as Amnesty International, have criticized the CLOUD Act. The CLOUD Act ultimately opens up access for the US Government to data on any non-US citizen. This provides them unlimited and unrestricted access to this data without any other party knowing about it.

So far, I’ve covered the GDPR and the CLOUD Act. Let’s see how they relate to each other in the next section.

The Impact of the GDPR and the CLOUD Act On Multinational Tech Companies

While the GDPR seeks to protect users, the CLOUD Act seeks to provide unrestricted data access without any required permission. Both have made it difficult for multinational tech companies like Amazon and Google to conduct business in the EU. This is because these companies must comply with the GDPR and CLOUD Act. However, since they’re American companies, they must comply with the latter over the former.

This conflict of interest on how these companies store and use the data of EU citizens has become a sore spot. It’s been five years since the introduction of the CLOUD Act, and we still don’t have any form of resolution. US agencies continue to sniff through the data of non-US citizens to this day. Data protection is a big issue, and companies want to avoid non-compliance due to the resulting violations and monetary fines.

The gray area of this dispute between the GDPR and the CLOUD Act has led some local governments to take action.

An image of the Reichstag in Berlin, Germany.
Will we witness more bans on Microsoft products in the near future?
Source: Moritz Lüdtke

Microsoft’s European Woes

Microsoft is facing a darkening road in Europe regarding its products because of the looming nature of the CLOUD Act. The EU wants Microsoft to resolve these key issues:

  • Microsoft should only use local on-prem servers to store personal data
  • The CLOUD Act shouldn’t have an impact on non-US citizen data; in other words, US agencies should have no right to access non-US citizen data
  • Microsoft should address the issue of failing to protect the data of minors

While Microsoft needs to resolve these issues, French and German schools are opting for Linux operating systems. This is because Windows and Apple systems collect telemetry data, which violates the GDPR (again, minors have no say over data collection consent here). As time passes, Microsoft risks having its customers back away from its products due to data privacy concerns.

Even if Microsoft doesn’t act on resolving these issues, companies who still want to continue using Microsoft products can opt to implement GDPR-compliant workarounds. Let’s have a look at one of these effective workarounds.

The On-Prem Workaround

Everyone is now flying their data up to the cloud. However, if a European company wants to continue using products from American companies, they’ll need to find a way that’s GDPR-compliant. Using an on-prem server is one solution.

An on-prem server is a physical and local server that your company has full control over. Regarding the CLOUD Act, your data will remain out of reach from US agencies. This hybrid data-storage model satisfies the GDPR’s strict rules!

You now have a solution, but wait! Don’t just blindly implement it. In the next section, I’ll cover some best practices that you should consider when storing private data on an on-prem server.

On-Prem Server Data Storage Best Practices

As it goes with storing any data, you should take the necessary precautions and preventive actions to ensure the safety of this data.

Below, you’ll find 5 best practices for storing private data on any on-prem server:

1. Scan in Real Time for New and Modified Files

Cyberattackers can sometimes install files with embedded threats and keep a session open to return and conduct an attack. Due to this, you should continuously monitor your files. If anything stands out, such as a strange file or a user having an open session with no activity, take action immediately.

2. Remove Possible Threats 

If you encounter any files that don’t look legitimate or that break a pattern, get them out of there as soon as possible. If you don’t, the problem could snowball into a wider security breach.

3. Schedule Automatic Scans for Your Data

Manually scanning your data is very time-consuming. Because of this, consider scheduling automatic scan sessions. You should have one or two of these sessions every day to check for data breaches and malicious files.

4. Mask Your Customers’ Personal Data

You should always mask or encrypt valuable private data, such as Social Security Numbers, upon storage. This makes them harder to steal if a cyberattacker infiltrates your system.

5. Encrypt Your Backup Files

It goes without saying, but always back up your data. Furthermore, always make sure you encrypt those backups. You should also use sanitized data wherever you can for your general day-to-day business functions.
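As an illustration of practices 1 and 3, the following added example (not code from the original article) detects new, modified, and removed files by comparing SHA-256 hashes against a stored baseline. The function names and the idea of keeping the baseline as a JSON file are assumptions made for this sketch.

```python
import hashlib
import json
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks so a link cannot pull in outside files.
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return the files that are new, modified or removed since the baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def scan(root, baseline_file):
    """Run one scan: compare root with the stored baseline, then update it.

    Keep baseline_file outside root (ideally on read-only or separate storage),
    otherwise the baseline itself is reported as a change on every run.
    """
    baseline_file = Path(baseline_file)
    baseline = (json.loads(baseline_file.read_text())
                if baseline_file.exists() else {})
    current = build_manifest(root)
    # The baseline is refreshed after every scan, so each change is reported
    # exactly once; review the report before relying on the new baseline.
    baseline_file.write_text(json.dumps(current, indent=2))
    return diff_manifests(baseline, current)
```

Calling `scan()` from a scheduler such as cron or Windows Task Scheduler gives the once- or twice-daily automatic scan described in practice 3; on the first run every file is reported as new because no baseline exists yet.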

By following these best practices, you’re ensuring your data and your customers’ safety. I think it’s now time for a quick recap.

Final Words

The GDPR and the CLOUD Act have conflicting interests. Due to this, companies like Microsoft have started to seek alternative ways to continue working in Europe. 

If you’re a company working in Europe, using an on-prem server for data storage is a viable and effective solution. You can use this server to store your customers’ data in a GDPR-compliant way. 

Furthermore, you don’t have to worry about this data leaving Europe, so the CLOUD Act won’t have a role to play in this case. Until the GDPR-CLOUD Act issue is resolved, this is your best bet.

Do you have more questions about the GDPR, CLOUD Act, or the Microsoft ban? Check out the FAQ and Resources sections below!


What is the GDPR?

The General Data Protection Regulation (GDPR) is a law on data protection and privacy in the EU. This law protects the data of EU citizens at home and abroad. It forces multinational companies to comply with the data protection of citizens or risk receiving a fine for non-compliance.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a California State Statute that enhances privacy rights and consumer protection for California residents. You can find more information on it and its protection here.

What is the US CLOUD Act?

The Clarifying Lawful Overseas Use of Data (CLOUD) Act is a US federal law introduced in 2018. It allowed federal agencies to access data stored on any server, even outside the United States.

What is the partial German ban on Microsoft 365?

The Federal State of Hesse, located in central Germany, enacted a ban on Microsoft 365 products in its state schools. This is because Microsoft was storing personal data in European cloud servers, which grant open access to the US Government. Also, under GDPR rules, minors can’t consent to this data collection.

What is data privacy?

Data privacy is the ability to control what happens to your data once a company collects it. Policies such as GDPR and CCPA enforce data protection. These policies give consumers more power over how companies use and store their data. The sale of personal data has always been a big source of income for many internet-based companies and services.


TechGenix: Article on Types of Data Centers

Discover the different types of data centers out there.

TechGenix: Article on Data Center Security

Educate yourself on data center security for your business.

TechGenix: Article on Backups and Ransomware Attacks

Read more about how to protect your backups against ransomware attacks.

TechGenix: Article on Cloud Data Storage 

Find the right cloud storage for your business.

TechGenix: Article on CCPA and GDPR

Learn more about the similarities and differences between the CCPA and the GDPR. 

2 thoughts on “Microsoft Faces GDPR Challenges in Europe over Off-Prem Data Storage”

  1. “This caused big problems, as the GDPR states that each citizen’s data must remain within their respective country. So, a German citizen’s data should remain in Germany, and so on. ”

    No, the GDPR states that the data must remain within the European Union. A German citizen’s data can reside in a datacenter in Ireland or France without any problem.
