Data Protection Regulator To Probe EU Institutions’ Contracts With Microsoft

The European Commission's headquarters in Brussels. Image credit: European Commission

The investigation follows a Dutch report that found privacy concerns with the way Microsoft held public authorities’ data in a US-based data centre

EU data protection authorities said they have launched an investigation into the compliance of EU institutions’ contracts with Microsoft under new rules that came into force last year.

The European Data Protection Supervisor (EDPS), a relatively new body formed in 2004 that oversees all EU bodies, said it would look into whether contracts held by the European Commission and the EU’s 69 other institutions comply with the strict GDPR regulations that became active last May.

Assistant EDPS Wojciech Wiewiorowski said that while contractors have responsibilities for ensuring GDPR compliance, “EU institutions remain accountable for any data processing carried out on their behalf”.

“They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks,” he said.


Cloud data

EU bodies process large amounts of personal data, making it “vitally important” that risk-mitigating measures are in place, the agency said.

It drew attention to an assessment carried out by the Dutch Ministry of Justice and Security last November that found concerns with data collected through Microsoft Office 365 ProPlus, a cloud-based version of Microsoft’s Office suite.

The Dutch report found concerns with the way data was stored in a US database, saying it posed a  risk to users’ privacy, following which Microsoft made changes to comply with EU rules.

EU institutions using similar Microsoft packages are likely to face data protection issues similar to those encountered by national public authorities, including “increased risks to the rights and freedoms of individuals”, the EDPS said.

Microsoft said it was “committed to helping our customers comply with GDPR, Regulation 2018/1725, and other applicable laws” and was “confident that our contractual arrangements allow customers to do so”.

The EDPS is able to impose fines of up to 50,000 euros (£43,125) for each infraction.