Every time a European office worker saves a document to a cloud drive, an invisible mechanism triggers a journey across the Atlantic. This process relies on a specific legal bridge known as the EU-US Data Privacy Framework. Long before the user sees a synchronization icon, lawyers in Brussels and Washington have argued over the safety of that bridge. If the bridge collapses, the data of millions of people remains stuck on one side of the ocean. This is the reality behind Case C-703/25 P, a legal challenge that seeks to dismantle the current agreement for data transfers between the European Union and the United States.
In a recent development, the Court of Justice of the European Union allowed Microsoft Corporation to join this case as an intervener. This status is not merely symbolic. An intervener is a party that has a direct and present interest in the outcome of a case. By granting this status, the court acknowledges that the ruling will affect Microsoft’s operations and its legal obligations toward its users. Microsoft now sits at the table where the future of transatlantic data flows is being decided.
To understand why a software giant is in a European courtroom, one must look at the mechanics of an adequacy decision. Under the General Data Protection Regulation, the European Commission has the power to decide that a country outside the EU offers a level of protection for personal data that is essentially equivalent to European standards. This decision is an adequacy decision. It functions like a green light for businesses. When an adequacy decision is in place, companies do not need to seek additional permissions or implement complex workarounds to move data to that country.
The EU-US Data Privacy Framework is the latest version of this green light. It replaces previous agreements that European courts struck down because of concerns over American surveillance practices. When a third party like Microsoft intervenes, it gains access to all procedural documents. It can submit its own written statements. It also has the right to participate in oral hearings. Microsoft is not the defendant in this case; the European Commission is. However, Microsoft is there to provide the court with the perspective of a company that actually uses the framework to serve millions of customers.
The challenge to the framework centers on the fundamental rights of European citizens. Critics of the agreement argue that United States law still allows for intrusive surveillance that is not proportionate to national security needs. They point to Section 702 of the Foreign Intelligence Surveillance Act as a primary concern. This law allows US intelligence agencies to collect communications of non-Americans located outside the US.
Privacy advocates argue that the redress mechanism in the new framework is insufficient. While the US established a Data Protection Review Court to handle complaints from Europeans, skeptics believe this court lacks the independence required by EU law. If the Court of Justice agrees with these critics, the adequacy decision will be declared invalid. This would create a regulatory void similar to the one that followed the Schrems II ruling in 2020. Companies would lose their primary legal basis for transferring data to the US overnight.
Microsoft operates as a data controller for its own services and as a data processor for its business clients. A data controller is an entity that determines the purposes and means of processing personal data. When a company uses Microsoft 365, Microsoft acts as a processor, following the instructions of the client. In both roles, the company requires a stable legal environment. Without the Data Privacy Framework, Microsoft and its clients must rely on Standard Contractual Clauses. These are pre-approved sets of terms that require companies to perform their own transfer impact assessments.
Performing these assessments is a heavy administrative burden. A company must evaluate the laws of the destination country to ensure they do not undermine the protections in the clauses. By intervening in the case, Microsoft seeks to protect the validity of the Data Privacy Framework. The company has a vested interest in ensuring that the court views the new safeguards in US law as sufficient. These safeguards include Executive Order 14086, which limits the collection of data by US intelligence services to what is necessary and proportionate.
This courtroom drama is part of a decade-long cycle. The first major agreement was Safe Harbor, which the court struck down in 2015. Its successor, the Privacy Shield, met the same fate five years later. Each time an agreement fails, the regulatory landscape resembles a patchwork quilt. Businesses are forced to stitch together different legal tools to remain compliant. For many small and medium enterprises, this complexity is a barrier to trade.
Microsoft has been a vocal participant in these discussions for years. The company previously committed to the EU Data Boundary, an initiative to store and process all European customer data within the EU. While this helps with data residency, it does not solve every problem. In a globalized economy, some data must still cross borders for security monitoring, technical support, and global communication. The outcome of Case C-703/25 P will determine if the Data Privacy Framework is a sturdy foundation or just another temporary fix.
The admission of Microsoft as an intervener suggests that the court will hear a wide range of arguments. Privacy professionals should view this as a sign that the litigation is entering a sophisticated phase. The court will not only look at the text of the law but also at how it functions in the real world. For a Data Protection Officer, compliance acts as a compass in a storm. If the framework is the needle on that compass, the court’s decision determines whether the needle points north or spins in circles.
While the case proceeds, companies should not remain idle. The court will take months or even years to reach a final judgment. During this time, the Data Privacy Framework remains a valid legal basis for transfers. However, the history of this topic suggests that a backup plan is a necessity. Organizations should maintain their Standard Contractual Clauses as a secondary measure. This dual approach provides a safety net if the primary bridge fails again.
Monitoring the progress of Case C-703/25 P is a core duty for any organization with transatlantic operations. The presence of Microsoft in the proceedings will likely result in a more detailed technical record regarding how US surveillance actually interacts with commercial data. This information is useful for companies conducting their own transfer impact assessments.
Businesses should take the following actions to prepare for any outcome:
Microsoft’s participation in this case highlights the high stakes for the technology sector. The final ruling will either cement the current framework as a permanent fixture or force a total redesign of how the Western world shares digital information. Transparency and preparation are the only tools that allow a business to navigate this uncertainty without compromising the rights of its users.
This article is for informational and journalistic purposes only and does not constitute formal legal advice.


