Microsoft says it is now able to sign contracts for Office 365 that contain these model clauses - in other words, it complies with the Data Protection Directive. Microsoft also says that Office 365 complies with the US HIPAA rules that protect healthcare data.
Bottom Line for ICT Buyers:
1. If you operate in or across Europe, and you store personal data about staff or customers, you will already be aware of your responsibilities under the EU Data Protection Directive. Hosting and outsourcing service providers will almost certainly comply with its rules, but since cloud services providers are the 'new kids on the block', you will need to check that they fulfil its requirements by asking them specific questions, in particular whether they are willing to sign contracts containing the model clauses.
2. Some countries have data transfer requirements that are more stringent than the EU's, so meeting the EU's transfer rules alone may not be enough. Microsoft says that it meets or exceeds the requirements of all EU member states. Again, you will have to ask specific questions of your cloud services vendors. It is not just US vendors that should be aware of the directive: European suppliers may find themselves out of compliance if they have built their data transfer arrangements to meet the requirements of one country (e.g. the UK) and now offer the same service in another (e.g. Germany). Cloud services vendors from the UK in particular need to ensure that they are ready to meet the more stringent privacy requirements of other European countries.
3. A wide range of business applications (often cloud-based) are becoming 'socialized' to improve collaboration and business effectiveness. This means that the personal data of employees and business partners will be captured and stored, either deliberately or inadvertently, by many types of applications that previously contained no personal information. You will have to be careful to ensure that this scope creep does not inadvertently affect your own compliance.