EU data watchdog claims Microsoft’s contract terms make it difficult to enforce GDPR
The EU’s data protection watchdog has recommended that public institutions hold back on purchasing any Microsoft software after identifying several major concerns with existing contractual terms.
Arrangements between Microsoft and EU institutions, spanning the work activities of around 45,000 officials, amount to relinquishing the institutions' roles as data controllers to the US software giant, the European Data Protection Supervisor (EDPS) has concluded.
This has been deemed “inappropriate”, according to a report, given the role of EU institutions as public service organisations. These institutions comprise bodies critical to the functioning of the EU, including the European Parliament, European Council and European Commission, as well as organisations such as the European Central Bank and the European Court of Justice.
Alarmingly, Microsoft can unilaterally define and change the parameters of data processing carried out on behalf of the EU, and these terms risk undermining the rights of data subjects, the EDPS report found.
More significantly, the EU has little capacity to ensure GDPR is not violated, as there is little oversight over how the data is processed, where it is processed, and by which sub-processors.
Once in an agreement with the company, EU bodies are unable to control a large portion of the data processed by Microsoft, and are unable to properly control what is transferred out of the EU.
There are no safeguards to ensure, for example, that data protection standards are upheld if Microsoft transfers EU officials’ data to a US-based server, and few guarantees that Microsoft discloses personal data only as permitted by EU law.
EU institutions, as a result, should “carefully consider” any purchases of Microsoft products or services, or enrolling new users into already purchased software, until they have analysed and implemented the EDPS’ recommendations.
Bodies, furthermore, should properly embed data protection policies in each specific public information and communications technology procurement procedure, specifying the desired security and data protection measures.
“It is not appropriate that the data of people collected in the provision of services to public authorities is processed for their own purposes by these service providers,” said European Data Protection Supervisor Wojciech Wiewiórowski.
“By sharing technical expertise and by reinforcing regulatory cooperation through this Forum, we can also contribute to ensuring the same level of data protection safeguards and measures for all consumers and public authorities living and operating in the EEA”.
The EDPS has recommended that EU institutions act immediately to retain controllership over data processing activities. European organisations must also put in place a comprehensive controller-processor agreement, with more control over which sub-processors Microsoft uses, as well as retaining a right to audit those sub-processors.
Similar concerns regarding a lack of oversight over where Microsoft processes data saw a ban on Office 365 products implemented across schools in a German region last year.