Microsoft · Microsoft Privacy Statement (Legacy)

Cross-Border Data Transfers and International Processing

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Your personal data may be stored and processed in the United States or other countries outside where you live, with Microsoft using Standard Contractual Clauses and UK transfer agreements as legal safeguards for international data transfers.

Consumer impact (what this means for users)

EU, UK, and other non-US users should be aware that their personal data is routinely transferred to and processed in the United States, where different surveillance and government access laws apply, with SCCs as the primary but imperfect legal safeguard.

Cross-platform context

See how other platforms handle Cross-Border Data Transfers and International Processing and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Data transferred outside the EU/EEA or UK may be subject to different legal protections and government access laws, and the adequacy of SCCs as a transfer mechanism continues to face legal scrutiny post-Schrems II.

View original clause language
Personal data collected by Microsoft may be stored and processed in your region, in the United States, and in any other country where Microsoft or its affiliates, subsidiaries, or service providers operate facilities. Microsoft uses a variety of legal mechanisms, including contracts, to help ensure your rights and protections travel with your data. For transfers from the EEA, we rely on the European Commission's Standard Contractual Clauses. For transfers from the UK, we rely on the UK's International Data Transfer Agreement.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision implicates GDPR Chapter V (Arts. 44–49) on transfers of personal data to third countries; CJEU Schrems II ruling (C-311/18) invalidating Privacy Shield and imposing supplementary measures requirement for SCCs; EU-U.S. Data Privacy Framework (adequacy decision, July 2023, subject to ongoing legal challenge); UK GDPR and International Data Transfer Agreement (IDTA); and Swiss Federal Act on Data Protection (nFADP) for Switzerland-origin data. Enforced by EU DPAs, ICO, and Swiss FDPIC.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    FTC enforces the EU-U.S. Data Privacy Framework and has authority over deceptive cross-border data transfer practices by U.S. companies.
    File a complaint →

Provision details

Document information
Document
Microsoft Privacy Statement (Legacy)
Entity
Microsoft
Document last updated
March 5, 2026
Tracking information
First tracked
April 28, 2026
Last verified
April 28, 2026
Record ID
CA-P-003854
Document ID
CA-D-00001
Evidence Provenance
Source URL
https://www.microsoft.com/en-us/privacy/privacystatement
Wayback Machine
View archived versions →
SHA-256
9e697464d17b7148c787f07099c60e30370abb2b13a7f2a910f607e31ec13158
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Microsoft | Document: Microsoft Privacy Statement (Legacy) | Record: CA-P-003854
Captured: 2026-04-28 08:11:57 UTC | SHA-256: 9e697464d17b7148…
URL: https://conductatlas.com/platform/microsoft/microsoft-privacy-statement-legacy/cross-border-data-transfers-and-international-processing/
Accessed: April 29, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document