Microsoft's EU contracts non-compliant with GDPR, warns European Data Protection Supervisor

Result of ongoing investigation raises 'serious concerns' over Microsoft's compliance with data protection rules, EDPS indicates

Microsoft fails to comply with GDPR according to the European Data Protection Supervisor (EDPS), putting into question the suitability of the company's software and services for EU institutions.

That is the preliminary opinion of the EDPS reached so far during its investigation into Microsoft's compliance with GDPR across the European Economic Area (EEA), launched in April 2019.

"Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services," the EDPS warned in a statement released today.

It added that Microsoft had made a number of adjustments to its terms and conditions following a risk assessment carried out by the Dutch Ministry of Justice and Security and suggested that such changes ought to be adopted across the EEA.

In a bid to take on Microsoft, the EDPS organised a software and cloud suppliers customer council in The Hague in the Netherlands in August.

The purpose of this was to "discuss both how to take back control over the IT services and products offered by the big IT service providers and the need to collectively create standard contracts instead of accepting the terms and conditions as they are written by these providers".

The latest statement from EDPS is part of a campaign to put pressure on software suppliers - not just Microsoft - to be more flexible over their cloud services contractual terms and conditions.

"The EDPS encourages all concerned parties to join the Forum and help us to set fair contractual terms for public administration, working in synergy and exchanging best practices in outsourcing services, especially in the demanding cloud environment," it added.

The authorities in the Netherlands have been particularly critical of Microsoft's data protection practices in the era of cloud computing, and operating systems like Windows 10 that exfiltrate telemetry data back to Microsoft servers.

In November 2018, the data protection authorities in the Netherlands claimed that up to 25,000 'events' were recorded by Office 365, including even subject lines from emails and lines run through the Office 365 spell-checker. These alleged infractions of GDPR could put Microsoft on the hook for hefty fines.

The early indication, at least in the UK, is that organisations will face radically higher fines for lapses in data protection under GDPR than they did under the old data protection regime. On top of that, there is also the risk of class-action lawsuits instigated by individuals affected by data breaches.