Microsoft changes privacy terms after criticism from top EU data watchdog
Vendor will increase its data processing responsibilities for certain operations
Microsoft has updated the terms of its commercial cloud contracts for enterprise customers after Europe's top data watchdog criticised its arrangements with EU institutions.
The European Data Protection Supervisor (EDPS) last month expressed "serious concerns" about the compliance of the vendor's contracts with the institutions and Microsoft's role as processor of the data held by those organisations.
As a result of the probe, Microsoft has revealed its updated Online Services Terms (OST), which it claims will increase its data protection responsibilities for a segment of its enterprise customers.
"We will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services," stated Julie Brill, corporate VP for global privacy and regulatory affairs, in a blog post.
"In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune."
These administrative and operational purposes include account management, financial reporting and countering cyberattacks on Microsoft products and services, she added.
The terms will be offered globally to all the vendor's commercial customers, including public and private sector organisations, SMBs and large companies, and will come into effect in early 2020.
The vendor stated that the move provides clarity to its customers about its compliance under GDPR and was formulated in conjunction with the Dutch Ministry of Justice and Security (MoJ), which also previously criticised Microsoft's data protection capabilities.
The Dutch authority found earlier this year that there was "significant scope" to improve the contracts between IT providers and public administration in order to protect an individual's data.
Microsoft claimed it is the only major cloud provider currently offering such terms in the EEA and further afield.
"The updated OST reflects the contractual changes we developed with the Dutch MOJ," said Brill.
"The only substantive differences in the updated terms relate to customer-specific changes requested by the Dutch MOJ, which had to be adapted for the broader global customer base.
"Microsoft has taken steps to ensure that we protect the privacy of all who use our products and services. We continue to work on behalf of customers to remain aligned with the evolving legal interpretations of GDPR."