EU data protection authority to investigate EU institutions' Microsoft cloud deals for GDPR compliance

European Data Protection Supervisor to examine EU deals with Microsoft over claims diagnostic data transfers could reveal personal information

The European Data Protection Supervisor (EDPS) is to examine cloud and software deals between EU institutions and Microsoft to ensure that they are GDPR compliant.

The EDPS is responsible for overseeing EU institutions to ensure their compliance with data protection rules.

"New data protection rules for the EU institutions and bodies came into force on 11 December 2018," said Wojciech Wiewiórowski, assistant supervisor at the EDPS.

He continued: "Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance.

"However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny."

Ultimately, the EDPS says, the various institutions of the EU rely on Microsoft to process large amounts of personal data. It wants to examine the nature of the contracts between the EU institutions and Microsoft to assess which Microsoft software and services are being used, and whether the contractual arrangements are fully compliant with data protection rules.

The investigation follows on from a Data Protection Impact Assessment Report in November 2018 by the Dutch Ministry of Justice and Security.

This examined the transmission of diagnostic data in Microsoft Office 365 ProPlus subscriptions, and found that 25,000 'events' in Office 365 were recorded, transmitted and shared among 30 engineering teams at Microsoft.

"Any EU institutions using the Microsoft applications investigated in this report are likely to face similar issues to those encountered by national public authorities, including increased risks to the rights and freedoms of individuals," claimed the EDPS.

In response to the news, a Microsoft spokesperson told Computing: "We are committed to helping our customers comply with GDPR, Regulation 2018/1725, and other applicable laws and are confident that our contractual arrangements allow customers to do so.

"We stand ready to help our customers answer any questions the European Data Protection Supervisor may have."
