Microsoft contracts with EU raises 'serious concerns' about data privacy - watchdog

EDPS says there is significant scope between vendor and EU to improve arrangements to protect individuals' data

Europe's top data watchdog has expressed "serious concerns" over contract arrangements between Microsoft and EU institutions that use its services and products.

The European Data Protection Supervisor's (EDPS) statement is the preliminary result of an ongoing inquiry launched in April to investigate whether the contracts between Microsoft and the EU institutions that use its products and services were compliant with the bloc-wide GDPR.

"The preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services," stated the EDPS.

When contacted by CRN over the matter, a Microsoft spokesperson said: "We are committed to helping our customers comply with GDPR, Regulation 2018/1725, and other applicable laws.

"We are in discussions with our customers in the EU institutions, and will soon announce contractual changes that will address concerns such as those raised by the EDPS."

The watchdog's findings echoed those of the Dutch Ministry of Justice and Security earlier this year.

There was also "significant scope" to improve the contracts between IT providers and public administration to protect the data of individuals, according to the EDPS.

"Amended contractual terms, technical safeguards and settings agreed between the Dutch Ministry of Justice and Security and Microsoft to better protect the rights of individuals show that there is significant scope for improvement in the development of contracts between public administration and the most powerful software developers and online service outsourcers," it stated.

"The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation, but also to individuals."

Though EU organisations outsource the processing of large amounts of personal data when using the products and services of IT providers, they are ultimately responsible for the processing activities carried out on their behalf.

The institutions must assess the risks and have the appropriate contractual and technical safeguards in place to mitigate those risks.

The data protection authority also formed The Hague Forum in August - in conjunction with the Dutch Ministry of Justice and Security - to discuss how to "take back control" of the IT services and products offered by large IT service providers, and the need to collectively set standard contracts instead of accepting the providers' own terms and conditions.

Wojciech Wiewiórowski, Assistant EDPS, said: "We expect that the creation of The Hague Forum and the results of our investigation will help improve the data protection compliance of all EU institutions, but we are also committed to driving positive change outside the EU institutions, in order to ensure maximum benefit for as many people as possible.

"The agreement reached between the Dutch Ministry of Justice and Security and Microsoft on appropriate contractual and technical safeguards and measures to mitigate risks to individuals is a positive step forward.

"Through The Hague Forum and by reinforcing regulatory cooperation, we aim to ensure that these safeguards and measures apply to all consumers and public authorities living and operating in the EEA."