Microsoft updates privacy policy following intervention by EU data protection watchdog

Microsoft amends cloud privacy policy following investigation by European Data Protection Supervisor

Microsoft is to amend its privacy policies on its commercial cloud computing contracts in the EU following the opening of an investigation by the European Data Protection Supervisor (EDPS).

That investigation was announced in April; in October, a preliminary opinion from the EDPS raised concerns that Microsoft's EU contracts were not compliant with GDPR.

The company's changes to its 'Online Services Terms' in the EU were announced by Microsoft's chief privacy officer Julie Brill, who claimed that they were a result of "additional feedback we've heard from our customers".

She continued: "Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ). The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud.

"Microsoft is currently the only major cloud provider to offer such terms in the European Economic Area (EEA) and beyond."

The company is also updating its privacy policies on a global basis, across both public and private sectors.

"In anticipation of the General Data Protection Regulation (GDPR), Microsoft designed most of its enterprise services as services where we are a data processor for our customers, taking the necessary steps to comply with the new data protection laws in Europe," added Brill.

"At a basic level, this means Microsoft collects and uses personal data from its enterprise services to provide the online services requested by our customers and for the purposes instructed by our customers. As a processor, Microsoft ensures the integrity and safety of customer data, but that data itself is owned, managed and controlled by the customer."

Through the update announced today, Microsoft will be increasing its data protection responsibilities "for a subset of processing that Microsoft engages in when we provide enterprise services… we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes" relating to the provision of cloud services, Brill continued.

The EDPS announced its investigation into software contractual agreements in April this year. It focused purely on deals between Microsoft and EU institutions and Regulation 2018/1725, which came into force on 11 December 2018.

"EU institutions rely on Microsoft services and products to carry out their daily activities. This includes the processing of large amounts of personal data," claimed the EDPS in a statement announcing the investigation.

It continued: "Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new Regulation.

"The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules."