New year, new EU (data boundary)

The lessons businesses should take from Microsoft’s GDPR transformation.

Anthony Woodward


Share on Social Media
January 13, 2023

Subscribe to FILED Newsletter

Get your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

Welcome to FILED Newsletter, our monthly round-up of relevant news, opinion, guidance, and other useful links in the world of data, records and information management.

This month:

  • New year, new data boundary: Microsoft is taking the GDPR seriously, are you?
  • CPRA, VCDPA, CDPA, UCPA, oh my! New data privacy regulations are on the way in 2023.
  • LastPass, Okta, Twitter, LJ Hooker: hackers target personal info from tech platforms great and small.

If you only read one thing

Microsoft transforms its EU cloud business to comply with the GDPR

January saw Microsoft beginning to roll out a “data boundary” for European Union cloud customers, allowing them to process and store parts of their data in the region. This is a novel solution to the angst some big platforms feel when attempting to comply with the GDPR.

The next phase will be to move logging data, service data, and other kinds of data into the boundary. The whole process won’t be completed until 2024.

While this may seem a heavy-handed solution to complying with the GDPR, the move highlights the need for all businesses to rethink all aspects of their business models to comply with privacy legislation.  

The key message for organizations from regulators: control of private data needs to be handed back to the individual. The individual should govern the data, not the organization who hosts it.

Ahead of Data Privacy Day on January 28, this is a reminder that organizations need to rethink how they approach collecting, storing, and processing customer and citizen data. Every organization needs to focus on strong data management, by reducing how much is collected, minimizing what is stored, and ensuring every decision is defensible.

Some level of transformation is inevitable when you start to build privacy into your business, just ask Microsoft.

🤫 Privacy and governance

Happy new year! Among the many reasons to celebrate: new data privacy regulations are coming into effect. On Jan 1, the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), and (2) the Virginia Consumer Data Protection Act (VCDPA) both came into effect. Later in the year, Colorado, Utah, and Connecticut will get their turn. Learn more about the year in data regulations.

Epic Games, maker of popular video game Fortnite, will pay US $520 million for violating a law protecting children’s privacy. In a first for these kinds of cases, the company will also be required to adopt strong privacy default settings for children and teens.

Not to be outdone, Meta will pay US $725 million to settle a class action lawsuit rising from the Cambridge Analytica scandal.

The IRS accidentally republished 112,000 taxpayer data records in November, after they were initially published due to a technical error in September. Really thorough stuff from the IRS here.

The review of Australia’s privacy laws has been completed and the report handed to Attorney General Mark Dreyfus, who will now consider it and release it publicly in the first half of 2023.

🔐 Security

In news you may have missed over the holidays, hackers stole (encrypted) LastPass vaults and then other hackers stole Okta’s source code. Change your (master) passwords, folks.

Personal data including email addresses of 209 million Twitter users was scraped and has been circulated on a hacking forum. Seriously, change your passwords, folks.

Twitter is facing an investigation from Irish regulators over a data breach that could have impacted five million users worldwide, suggesting one or more principles of the GDPR may have been breached.

More than 200 US local governments, schools and hospitals fell victim to ransomware last year, and only one institution paid up, similar number to the previous year.

Australia real estate company LJ Hooker was hit by a ransomware attack in December, with the perpetrators claiming they had taken employee and customer data including passport scans, credit card details, and loan data.

📣 The latest from RecordPoint

While business messaging platforms like Microsoft Teams bring definite collaboration and efficiency gains, they also raise the risk that sensitive information may be handled inappropriately.

If you’ve been running an on-premises electronic document and records management system for a while, it has likely been outdated for a while: unable to handle the volume of data in your organization, as well as accommodate the growing range of data sources you rely on. Learn how to move on to a fit-for-purpose solution.

A guide to getting more out of your data by improving data efficiency.


Get hooked on FILED

This can be a fast-paced, complex industry and it can get overwhelming. FILED is here to help you navigate it.