EU-US and Swiss-US Privacy Shield Frameworks

About the EU-U.S. and Swiss-U.S. Privacy Shield frameworks

According to the Privacy Shield Program, “the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the US Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.” The International Trade Administration within the Department of Commerce administers the Privacy Shield Program in the United States.

The transfer of personal data outside of the EU and Switzerland is governed by EU and Swiss law, which generally prohibit personal data from being transferred to countries outside the EEA unless “adequate” levels of protection are ensured. The Privacy Shield Frameworks and the Standard Contractual Clauses (or EU Model Clauses) are two mechanisms designed to provide this level of data protection.

The 23 Privacy Shield Principles define a set of requirements that govern the use and handling of personal data transferred from the EU as well as access and dispute resolution mechanisms that participating companies must provide to EU citizens. Companies must let individuals know how their data is processed, limit the purposes for which it is used, protect data for as long as it is held, and ensure accountability for data transferred to third parties. Requirements also include providing free and accessible dispute resolution and transparency related to government requests for personal data.

Microsoft and the EU-U.S. and Swiss-U.S. Privacy Shield frameworks

To join the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks — an action that is voluntary — US-based companies must publicly commit to complying with framework requirements and self-certify their compliance to the US Department of Commerce. Once they publicly commit and self-certify, that commitment becomes enforceable under US law.

Microsoft has publicly committed to the Privacy Shield Principles and has self-certified its compliance with its requirements. Our participation applies to all personal data processed by Microsoft that is transferred to the United States from the European Union, European Economic Area (EEA), and Switzerland. In addition, customers of Microsoft business cloud services benefit from compliance with the Standard Contractual Clauses (also known as EU Model Clauses) under the Microsoft Online Services Terms, unless the customer has opted out of those clauses.

Microsoft cooperates with EU and Swiss national data protection authorities (DPAs) and complies with their advice for resolving any disputes that arise under the Privacy Shield. We will also meet Privacy Shield obligations for transparency about government requests for access to personal information. Our Law Enforcement Requests Report and U.S. National Security Orders Report make this information publicly available twice a year.

Microsoft in-scope cloud services

Audits, reports, and certificates

Microsoft has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles and submitted its self-certification to the EU-U.S. and Swiss-U.S. Privacy Shield. It is listed by the Privacy Shield Framework as an Active Participant.

How to implement

Privacy in the Microsoft Cloud — Get details on Microsoft privacy principles and standards and our approach to regulatory compliance.
- Learn more

Data protection in Azure — Azure provides customers with strong data security, both by default and as customer options.
- Learn more

Frequently asked questions

What data is transferred from the EU or Switzerland to the United States under the Microsoft Privacy Shield agreement?

As specified in our Online Services Terms, personal data that Microsoft processes on the customer's behalf may be transferred to, stored, and processed in the United States or any other country in which Microsoft or its affiliates or subcontractors maintain facilities. Any such transfers from the EU, however, must meet the requirements of EU law.

When personal data is transferred from the EU to the United States by:

  • Online services other than the core online services (as defined in the Online Services Terms), the transfer is subject to Microsoft commitments under the Microsoft Privacy Shield Agreement.
  • The core online services, the transfer is subject to Microsoft commitments under the Standard Contractual Clauses.

How is Microsoft accountable for EU personal data transferred to a third party?

Microsoft accountability for personal data that it receives under the Privacy Shield and later transfers to a third party is described in the Privacy Shield Principles. In particular, Microsoft remains responsible and liable if third-party agents that it engages to process the personal data do so in a manner inconsistent with the Principles. Microsoft is, however, not liable if it proves that it is not responsible for the event giving rise to the damage.

Is the transfer of data under the EU-U.S. and Swiss-U.S. Privacy Shield compliant with the GDPR?

Privacy Shield is not a GDPR compliance mechanism, but rather a framework that enables participating companies to meet the EU requirements for transferring personal data outside of the EU.

How does Microsoft handle complaints under the EU-U.S. and Swiss-U.S. Privacy Shield?

If you have a complaint that is Privacy Shield-related, please let us know using the How to Contact Us section of the Microsoft Privacy Statement. For any complaints that you cannot resolve with Microsoft directly, we cooperate with EU DPAs and will comply with the advice they provide. Contact us to be directed to the relevant DPA contacts. As further explained in the Privacy Shield Principles, you can take advantage of a binding arbitration option to address complaints unresolved by other means.

Resources