Introduction

At Microsoft, we believe that privacy is a fundamental human right that requires a commitment to provide robust data protection for every individual and organization. We live up to this commitment by providing products, information, and controls that allow you to choose how your personal data is collected and used. The biannual Privacy Report summarizes important new developments in privacy at Microsoft, and the latest information about what data we collect from our products, how it may be used, and how customers can manage and control their personal data.

Answering Europe’s call

On May 6, 2021, Microsoft announced a new pledge for the European Union. We will go beyond our existing data storage commitments and enable our commercial and public sector customers in the EU to process and store the personal data they entrust to Azure, Microsoft 365, and Dynamics 365 in Europe. We are calling this plan the EU Data Boundary for the Microsoft Cloud. We are working with customers and regulators as we build out this plan, including adjustments that are needed in unique circumstances like cybersecurity.

This summer we also welcomed the additional clarity and final recommendation from the European Data Protection Board (EDPB) that confirmed how companies can continue to use standard contractual clauses (SCCs) to lawfully transfer personal data outside of the EU. Microsoft implemented the new SCCs in September 2021, allowing Microsoft customers to continue to rely on our services for compliant data transfers from the EU.

These updates build on our previously announced Defending your Data commitment to challenge every government request for public sector or enterprise customer data – from any government – where there is a lawful basis for doing so, a commitment that fully aligns with the EDPB’s recommendations.

Responding to regulation

Privacy and data protection regulations are increasing rapidly around the world. There are now more than 120 jurisdictions with data protection laws, and that number is only expected to grow. With this new wave of regulation, compliance is more important and complex than ever. At Microsoft, we know customers will need to comply with new privacy obligations today and in the future. We believe privacy is a basic human right and that innovation can co-exist with meaningful privacy regulation. That is why we have long supported comprehensive privacy legislation in the US and globally.

In preparation for this new wave of regulation, we will continue to build the capabilities, solutions and tools our customers need for sustained privacy compliance and will work constructively with regulators and lawmakers around the globe to advance meaningful data protection and privacy regulation.

Scaling and operationalizing privacy compliance involves significant investment, and Microsoft will continue to build the tools and solutions to help customers meet their compliance needs.

Preserving privacy while addressing COVID-19

Microsoft has joined the challenge of helping our customers develop solutions to the problems caused by the COVID-19 pandemic. For example, we’ve partnered with the US CDC on a coronavirus self-checker tool, and we’ve joined the Vaccine Credential Initiative, an effort to build tools that allow individuals to share their COVID-19 vaccination status. We’ve also worked with our customers to create their own solutions to address the pandemic, such as providing AI to a biotechnology company to decode immune system response to COVID-19 and helping hospitals make data-driven decisions about COVID-19 care.

Our efforts have been governed by our belief that, for technology to succeed, people need to be in control of their data and clearly understand how their data will be collected and used.

To that end, we developed seven privacy principles that we offer for governments, public health authorities, academics, employers and industries to consider for use in deploying tracking, tracing, testing, and similar technologies developed to address the COVID-19 pandemic. These principles, designed to apply to any COVID-19 technological solution that involves the collection and use of personal data such as location or health status, include the following elements:

  • Obtain meaningful consent by being transparent about the reason for collecting data, what data is collected and how long it is kept.
  • Collect data only for public health purposes.
  • Collect the minimal amount of data.
  • Provide choices to individuals about where their data is stored.
  • Provide appropriate safeguards to secure the data.
  • Do not share data or health status without consent, and minimize the data shared.
  • Delete data as soon as it is no longer needed for the emergency.

Privacy for children and young people

At Microsoft, we believe technology can empower individuals and create opportunities, and we are also deeply aware of our responsibility to protect the privacy and safety of young people online.

We demonstrate our commitment to the privacy of youth around the world by refusing to engage in behavioral advertising to users under 18 globally. Additionally, we will not share precise geolocation information about youth unless they make a specific choice to share their location or to use a service, such as mapping, that requires precise location to operate.

As part of our ongoing commitment to provide transparent information about our privacy practices, we have published new online resources for youth in age-appropriate language, which can be found at Privacy for Young People. Microsoft created this resource for kids and parents through partnerships with educators and students, as well as teens who serve on the Council for Digital Good. We have also published a new resource for Xbox that provides information and an informative video aimed at helping kids understand their data and how it is used: Xbox Data Collection for Kids.

Our products and services offer additional controls and features that parents and guardians can enable, for example:

  • With Microsoft's Family Safety App, family organizers have access to digital and physical safety features. Organizers can help young people develop healthy digital habits by setting screen time limits and can create a safe place online by setting content filters.
  • Xbox strives to create a place where everyone can play responsibly, within the boundaries they set, free from fear and intimidation. To learn how Xbox is making gaming that is safe for all, including how to keep your family safe online with privacy tools, please visit Responsible Gaming for All | Xbox.
  • Microsoft’s Edge Kids Mode creates a safer web experience for kids by offering parents more robust and meaningful choice about age-appropriate content and pre-selected kid-friendly security and privacy settings.

Transparency and choice for Required and Optional data

Microsoft is dedicated to giving our customers greater control over their data. As part of this work, we have classified the data we collect from customers in our major products and services as either Required or Optional. Required data—like security patches to keep customer data secure and diagnostic data that helps us detect significant feature failures—is necessary to keep our products up to date, secure, and working as expected. Customers can decide whether to allow us to collect Optional data to help us make product improvements and detect, diagnose, and remediate issues.

This transparency helps customers gain greater control over the collection of their data. To put this transparency into action, Microsoft publishes (and regularly updates) data collection summaries for each of our major online services. These summaries make it easier for our customers to find information about the data we collect and how we use it, and to make informed choices about their privacy. At the end of each data collection summary, we explain how our customers can change their privacy settings to customize the data they share with Microsoft.

Transparency

We continue to strive toward building and maintaining trust in technology, and we know that transparency is a key component of that trust. Our Corporate Social Responsibility Reports Hub provides a comprehensive overview of our efforts to support digital trust by respecting human rights, promoting diversity and inclusiveness, contributing to sustainable development, and more.

Our Digital Trust Reports are intended to help provide transparency into how Microsoft responds to government and law enforcement requests for user data and for content moderation, and the steps we take to protect our customers and their data:


Tell us how we are doing! Contact the Microsoft privacy team with your feedback about the Microsoft Privacy Report.